BLOGS: Privacy and Data Protection

Tuesday, November 17, 2009, 2:55 PM

Privacy Bulletin: Issue No. 30

In the News
Massachusetts Publishes Final Data Security Regulations: On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) published its final regulations governing the protection of personal information of Massachusetts residents. The final regulations, first released in 2007, require businesses that use and obtain personal information of Massachusetts residents to implement comprehensive security plans to ensure that information is not compromised. The regulations were amended in 2009 to allow greater flexibility with compliance. The final, amended regulations will take effect on March 1, 2010.

Two Key Privacy Bills Ready for Senate Vote: In early November, the Senate Judiciary Committee voted in favor of two key privacy bills, clearing them for a full Senate vote. The Data Breach Notification Act (S.139) (Feinstein, D-Ca.) authorizes the attorney general to bring civil actions against entities that fail to notify individuals whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act (S.1490) (Leahy, D-Vt.) also sets notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and requires businesses to implement preventive security standards to guard against threats to their databases.

EU Telco Reform Includes Privacy Issues: As part of sweeping telecom reform, the Council of the European Union has passed two key amendments that strengthen and improve consumer protection and user rights in the electronic communications sector and enhance the protection of individuals’ privacy and personal data. One amendment requires telecom companies to notify their customers if data is lost or compromised. A second amendment requires consumers to provide affirmative consent before cookies may be stored on their personal computers. Currently, the use of cookies is permitted if notice is provided to the user and the user consents. The law does provide an exception for occurrences where use of a cookie is "strictly necessary." The amendments are expected to be signed within the next 18 months and are part of broader telecom reform efforts.

Tagged.com Settles with State Attorneys General Over Deceptive Practices: On November 9, 2009, the Attorneys General of New York and Texas announced a settlement with Tagged, Inc., the operator of Tagged.com, over its alleged deceptive marketing practices and invasion of customer privacy. Tagged used personal email addresses provided by new customers to send thousands of spam messages on behalf of Tagged.com members, without permission. Tagged agreed to pay $750,000 and completely overhaul its customer information collection and disclosure process and email privacy policies.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Monday, November 2, 2009, 12:16 PM

Privacy Bulletin: Issue No. 29

In the News
FTC Extends Enforcement Deadline for Identity Theft Red Flags Rules: On October 30, 2009, the Federal Trade Commission (FTC) announced that, per congressional request, it will delay the enforcement of the Red Flags Rules until June 1, 2010 for financial institutions and creditors subject to the FTC’s jurisdiction. This news comes on the same day that the United States District Court for the District of Columbia ruled that attorneys will not be subject to the Red Flags Rules. The court held that the FTC's application of the rule to attorneys exceeded the FTC's jurisdiction. Attorneys are not the only professionals seeking exemption from compliance with the Red Flags Rules. Last week, the House passed a bill (H.R. 3763) to exempt dentists from the reach of the rules as well.

HHS Issues HIPAA Enforcement Rule: On October 30, 2009, the Department of Health and Human Services (HHS) published an interim final rule with a request for comments to strengthen the enforcement of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009. The interim final rule conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act, significantly increasing the monetary penalties for violations. Comments are due by December 29, 2009.

Boucher's Web Privacy Bill Continues to Come Together: Rep. Rick Boucher (D-Va), chairman of the House Subcommittee on Communications, Technology and the Internet, continues to draft legislation that will set guidelines for users and companies as they engage in commerce over the web. Boucher is working to balance the economic benefits that targeted advertising brings to consumers against privacy implications. Boucher hopes to circulate the bill to lawmakers next month.

FTC Settles with Apparel Maker over COPPA Violations: On October 20, 2009, the Federal Trade Commission (FTC) settled charges with Iconix Brand Group, Inc. (Iconix), a group that owns, licenses and markets various children’s apparel, for Iconix's violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA rule. Iconix will pay a $250,000 penalty for knowingly collecting and using personal information, including names, email addresses, and in some cases mailing addresses, from children under the age of 13 who registered on the brand-specific websites to receive updates without obtaining parental consent.

FTC Fines ChoicePoint for Failure to Protect Consumer Data: On October 19, 2009, the Federal Trade Commission (FTC) modified its settlement with ChoicePoint, Inc., one of the nation's largest data brokers, for a 2005 data breach. A 2006 settlement required ChoicePoint to pay $10 million in civil penalties and $5 million in consumer redress and engage in extensive record-keeping and monitoring requirements. The FTC modified the 2006 order due to a subsequent 2008 breach resulting from ChoicePoint’s failure to monitor unauthorized access to databases, which compromised the personal data of approximately 13,750 people. As a result, ChoicePoint will pay an additional $275,000 and will be subject to more stringent reporting duties and data security assessments.

Canada Passes Tough ID Theft Law: On October 27, 2009, the Canadian government announced it had passed new legislation to provide police and courts new tools to fight identity theft. The law creates three new Criminal Code offenses, which target the early stages of ID theft crimes, and the ability for courts to order offenders to pay restitution to victims. The goal of the legislation is to stop identity theft before it occurs.
