Privacy Bulletin: Issue No. 30

In the News
Massachusetts Publishes Final Data Security Regulations: On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) published its final regulations governing the protection of personal information of Massachusetts residents. The final regulations, first released in 2007, require businesses who use and obtain personal information of Massachusetts residents to implement comprehensive security plans to ensure that information is not compromised. The regulations were amended in 2009 to allow greater flexibility with compliance. The final, amended, regulations will take effect on March 1, 2010.

Two Key Privacy Bills Ready for Senate Vote: In early November, the Senate Judiciary Committee voted in favor of two key privacy bills, clearing them for a full Senate vote. The Data Breach Notification Act (S.139) (Feinstein, D-Ca.) authorizes the attorney general to bring civil actions against entities that fail to notify individuals whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act (S.1490) (Leahy, D-Vt.) also sets notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and requires businesses to implement preventive security standards to guard against threats to their databases.

EU Telco Reform Includes Privacy Issues: As part of sweeping telecom reform, the Council of the European Union has passed two key amendments that strengthen and improve consumer protection and user rights in the electronic communications sector and enhance the protection of individuals’ privacy and personal data. One amendment requires telecom companies to notify their customers if data is lost or compromised. A second amendment requires consumers to provide affirmative consent before cookies may be stored on their personal computers. Currently, the use of cookies is permitted if notice is provided to the user and the user consents. The law does provide an exception for occurrences where use of a cookie is "strictly necessary." The amendments are expected to be signed within the next 18 months and are part of broader telecom reform efforts.

Tagged.com Settles with State Attorney Generals Over Deceptive Practices: On November 9, 2009, Attorney Generals of New York and Texas announced a settlement with Tagged, Inc., the operator of Tagged.com for its alleged deceptive marketing practices and invasion of customer privacy. Tagged used personal email addresses provided by new customers to sent thousands of spam messages on behalf of Tagged.com members, without permission. Tagged agreed to pay $750,000 and completely overhaul its customer information collection and disclosure process and email privacy policies.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.