Privacy Bulletin: Issue No. 27

In the News

Challenge to Maine Privacy Law Dismissed: On September 9, 2009, a federal judge for the United States District Court for the District of Maine dismissed the challenge filed by various media and Internet entities to Maine’s new privacy law which restricts the collection, publication and use of personal data from minors under the age of 18 without parental consent. Although the judge agreed with the challengers that the law raises significant constitutional concerns, he dismissed the case on the ground that the Maine Attorney General does not intend to enforce the law as written.

FTC Requires Sears To Destroy All Behavioral Tracking Data: On September 10, 2009, the Federal Trade Commission (FTC) gave final approval to a settlement agreement with Sears Holdings Management Corporation (Sears) for its use of software to track consumers’ behavior on the Internet. The agreement requires Sears to destroy all data that it obtained from consumers who used the tracking software. Sears maintains that its use of the software was permissible because consumers paid to download the software and participate in the tracking.

TJX Settles Additional Breach Lawsuit: TJX Companies, Inc. (TJX) has agreed to settle another lawsuit with several banks in connection with the retailer’s January 2007 data breach. TJX will pay $525,000 to AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union, and Trustco Bank as part of the agreement to cover breach related expenses incurred by the banks. In turn, the banks will drop all claims against TJX. TJX maintains it did not engage in any improper conduct.

FTC Submits Privacy Concerns to FCC for the Development of a National Broadband Plan: On September 4, 2009, the Federal Trade Commission (FTC) submitted comments in the Federal Communications Commission’s (FCC) docket focused on developing a national broadband plan (Docket No. GN 09-51). The FTC’s 17 page comments urged the FCC to consider: (1) truthful, clear and conspicuous material terms of service; (2) data security issues; and (3) general privacy concerns, including the threats posed by behavioral advertising.

ZDNet Issues Whitepaper on Massachusetts Privacy Regulations: In July 2009, ZDNet issued a whitepaper that provides an overview on the Massachusetts data protection law which requires entities doing business in Massachusetts to follow comprehensive information security requirements for both paper and electronic records. Specifically, the paper covers who must comply, the compliance timeline, compliance standards and enforcement.

Upcoming Events

• Visit Womble Carlyle’s Privacy Team in the Exhibit Hall at the IAPP Privacy Academy in Boston, September 16-18.

Privacy and Data Protection Team

The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Privacy Bulletin: Issue No. 26

New Robocall Rules Take Effect: On September 1, 2009, the Federal Trade Commission's (FTC) "Robocall" rules went into effect. The rules prohibit any prerecorded interstate telemarketing and solicitation calls to consumers unless the consumer has affirmatively elected in writing to accept the calls, including companies’ current customers. Violators may be fined up to $16,000 per call. Exceptions to the rule include calls such as those that deliver purely "informational" messages, and calls from politicians, banks, telephone carriers, and most charitable organizations.

Enforcement of Maine Behavioral Advertising Law Faces Obstacles: On August 28, 2009, the Maine Press Association, in conjunction with Internet safety advocacy group NetChoice, filed a lawsuit to enjoin legislation to prevent predatory marketing practices against minors from taking effect on September 12, 2009. The law makes it illegal to collect personal information about minors on the Internet without parental consent and provides for a private right of action for violation. Opponents claim that the law is unconstitutional because it is overly broad and infringes upon the First Amendment rights of website operators. On August 30, 2009, the Maine Attorney General announced that she would not enforce the law due to similar concerns.

FTC and HHS Issue Personal Health Record Breach Notification Rules: On August 24, 2009, the Department of Health and Human Services (HHS) released an interim final rule that requires healthcare providers, health plans and other entities covered by HIPAA to alert patients, the Secretary of HHS and the media of any unauthorized access to their health information. The interim final rule adopts definitions for breach and unsecured protected health information, specific notification requirements, and opportunity to mitigate exposure. The notifications requirements become effective September 23, 2009. On August 25, 2009, the Federal Trade Commission (FTC) also published in the Federal Register its final rule requiring vendors of personal health records, including third parties who offer personal health records, to notify consumers when their records are compromised. While both agencies were mandated to adopt rules under the American Recovery and Reinvestment Act (ARRA), the FTC's rules remain separate from efforts by the HHS and apply to only a limited number of companies; HHS remains the industry-wide authoritative rule. Companies will need to review their policies to ensure their procedures meet both agencies' requirements.

Radisson Hotels Announces Data Breach: On August 18, 2009, Radisson Hotels, through an open letter to its customers posted on its website, announced that a "limited" number of its guests may have had their personal information, including credit and debit card information, compromised due to a breach in the hotel's computer system. Radisson admitted the breach was discovered last spring, but did not disclose how many customers were affected.

Judge Orders Google to Identify Blogger: On August 19, 2009, a judge for the New York State Supreme Court ordered Google to release the name of a blogger who posted derogatory and defamatory remarks and pictures about model Liskula Cohen on a Google-owned blog site. Although Google eventually took the site down, it would not release the IP address and name until the court ruled. The Blogger then sued Google for failing to protect her identity and breaching her expectation of anonymity.

Upcoming Events
Visit Womble Carlyle's Privacy Team in the Exhibit Hall at the IAPP Privacy Academy in Boston, September 16-18.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.