BLOGS: Privacy and Data Protection

Tuesday, August 18, 2009, 3:07 PM

Privacy Bulletin: Issue No. 25

In the News


UPDATES TO MASSACHUSETTS ID THEFT REGULATIONS EFFECTIVE MARCH 1, 2010: On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced adjustments to the ID Theft regulations, which will now take effect March 1, 2010. The updated regulations are technology neutral and foster a risk-based approach that takes into account a business’ size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations. The changes were made to balance consumer protections with the needs of small businesses. A public hearing on the changes will take place on September 22, 2009.
Maine Law Restricting Marketing to Minors Effective September 12, 2009: On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (LD 1183, Conway) will take effect. The Act prohibits knowing collection of receiving, selling or otherwise transferring health-related information or personal information for marketing purposes from a minor without obtaining verifiable parental consent. The statute also allows for a private right of action to recover damages and civil penalties for each violation.

German Marketing Opt-in to Take Effect September 1, 2009: A German law, passed by the Legislature in July 2009, requiring retailers to obtain permission (opt-in) from consumers prior to using personal data for marketing purposes, will take effect on September 1, 2009. A transitional period will extend through August 31, 2012, for data collected prior to September 2009. The law requires businesses to obtain consumers’ permission to use their address data unless a preexisting relationship exists or if the source of the third party data is clearly stated on the direct mail envelope. The new rules make it much harder to engage in direct mail marketing in Germany and do not apply to email communications, which already require consumer opt-in.

Search Engines Held Liable in Argentine Court for Posting Third Party Content: On July 29, 2009, Argentine National Civil Court No. 75 in Buenos Aires held Google and Yahoo! liable for posting links to risqué pictures of a model, posted without her consent, on a third party website. The Court found that without participation from the search engines, access to the material on the sites would not have been possible and the search engines boosted the site’s exposure. Google and Yahoo! will each pay approximately $26,000 in damages plus interest.

California Adopts Data Disposal Law: On August 6, 2009, the California Assembly passed AB 1094 (Conway) requiring businesses to dispose of individuals’, and employees’ records with as much care as those records of consumers. The existing law requires that a business take all reasonable steps to destroy, or arrange for the destruction of, any customer’s records within its custody or control that it no longer intends to retain. Destruction can be achieved by shredding or erasing the information, or otherwise making it unreadable or undecipherable. The bill also modifies the remedy available. Previously, only “specified civil remedies” were available such that violations would be punishable by misdemeanor.

Acting White House Cybersecurity Coordinator Resigns: On August 3, 2009, Melissa Hathaway, the acting cybersecurity czar resigned and withdrew her name for contention for the newly created position of White House cybersecurity coordinator. The coordinator’s position was created by President Obama in May 2009 to oversee the development and implementation of a government-wide cybersecurity strategy. Hathaway’s resignation will become effective August 24, 2009.

Upcoming Events –

  • Join us for our 3rd Wednesdays with Winston "brown bag" lunchtime program presented by the Family Online Safety Institute (FOSI) and Womble Carlyle (August 26th, 12-1:30 pm in Womble Carlyle's DC Office). We’ll focus on what's happening with online safety at the Federal Trade Commission (FTC) and what these developments may mean for your business. Attendees will hear from a panel of industry experts on updates to COPPA, behavioral advertising and other issues affecting online safety and privacy, followed by an interactive roundtable discussion. Panelists include: Peder Magee, Federal Trade Commission; Frank Torres, Microsoft; Jules Polonetsky, The Future of Privacy Forum; Jennifer Kashatus, Womble Carlyle; and moderator, Stephen Balkam, FOSI. There is no cost to attend, but space is limited. To register, click here.
  • Visit Womble Carlyle’s Privacy Team in the Exhibit Hall at the IAPP Privacy Academy in Boston, September 16-18.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Tuesday, August 4, 2009, 1:42 PM

Privacy Bulletin: Issue No. 24

In the News

FTC Delays Enforcement of Red Flag Rules: On July 29, 2009, the Federal Trade Commission (FTC) announced that it will delay enforcement of its "Red Flags" Rule, for a third time, until November 1, 2009. This delay applies only to enforcement of the Identity Theft Red Flags Rule and does not extend to the rule regarding discrepancies in addresses applicable to users of consumer information, or to the rule regarding changes of address applicable to card issuers. The FTC again delayed its rules in an effort to assist, in particular, small businesses and other entities that may not be clear as to whether the rules apply to them and amidst criticism from the American Bar Association, the American Medical Association, among others, regarding the expansive application of the Rule. The FTC also has stated that it is providing additional guidance to entities so that they may determine the extent of their obligations under the Rules.

North Carolina Tightens Data Breach Statute: On July 27, 2009, North Carolina Governor Beverly Perdue signed into law a stricter version of North Carolina’s existing security breach statute. Session Law 2009-355, SB 1017, amends G.S. § 75-65, which governs data security breaches. Businesses should note that the law the updates notice requirements to include toll free numbers to consumer reporting agencies and government identity theft education resources and mandatory reporting to the Consumer Protection Division of the Attorney General's Office.

HIPAA Security Rule to Be Enforced By Civil Rights Office: On August 3, 2009, the Department of Health & Human Services (HHS) released a memo transferring authority to enforce provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) from the Center for Medicare and Medicaid Services (CMS) to the Civil Rights Office at HHS. The reason for the move was to consolidate enforcement to one area of the Agency.

Payment Card Industry Releases Wireless Security Guidelines For Payment Cards: On July 15, 2009, the Payment Card Industry Security Standards Council (PCI) issued new guidelines relating to recommendations for use of 802.11 wireless access points. While the PCI guidelines for Wireless LAN, which expand upon the 12 part PCI DSS standard, are not mandatory, following the guidelines optimizes consumer protection.

HBSC Firms Fined For Data Security Failures: On July 22, 2009, the UK Financial Services Authority (FSA) announced that it fined three HBSC entities a total of $5 million (£3 million) for failing to have adequate systems and controls in place to protect their customers’ confidential data. An FSA investigation into HBSC's data security systems found that large amounts of unencrypted data had been sent to third parties and confidential information was routinely left unsecured in open areas and unlocked cabinets. The fines stem from the loss of an unencrypted CD containing sensitive personal information of approximately 180,000 policy holders.

Information Commissioner's Office May Issue Fines for Violations of Data Protection Act: On July 22, 2009, the Ministry of Justice granted the Information Commissioner's Office (ICO), an independent UK body tasked to protect personal information and promote public access to official information, the authority to fine businesses for failure to comply with the Data Protection Act, beginning April 1, 2010. Currently, the DPA prohibits the ICO from fining entities for knowing or reckless breaches of the eight data protection principles set forth in the Act.

Upcoming Events – Our 3rd Wednesdays with Winston "brown bag" lunchtime program presented by the Family Online Safety Institute and Womble Carlyle (August 26th, 12-1:30 pm in Womble Carlyle's DC Office), will focus on what's happening with online safety at the Federal Trade Commission (FTC) and what these developments may mean for your business. Attendees will hear from a panel of industry experts on updates to COPPA, behavioral advertising and other issues affecting online safety and privacy, followed by an interactive roundtable discussion. Panelists include: Peder Magee, Federal Trade Commission; Frank Torres, Microsoft; Jules Polonetsky, The Future of Privacy Forum; Eric Breisach, Womble Carlyle; and moderator, Stephen Balkam, FOSI. There is no cost to attend, but space is limited. To register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top