BLOGS: Privacy and Data Protection

Thursday, June 17, 2010, 2:14 PM

Event Recap: Womble Carlyle Presents a Webinar – Planning and Response: Surviving a Data Breach (Recording Available)

During this interactive webinar, attendees learned real world tips to survive a data breach from Heartland Payment Systems General Counsel and Chief Legal Officer, Charles Kallenbach, and Womble Carlyle privacy lawyers, Ted Claypoole, Jennifer Kashatus, CIPP and Sarah Byer Miller. The panel discussed the best ways to handle data incidents – from advance preparation to responding to the breach, addressing litigation and official inquiries. Other topics covered include:

Click here to view a recording of this webinar.
Click here to access a PDF version of the Webinar slides.

Click here to read more...

Tuesday, June 15, 2010, 2:28 PM

Privacy Bulletin: Issue No. 41

In the News
Senators Consider Cybersecurity Bills: Sen. Joseph Lieberman (I-Conn.) announced that consideration of the bill "Protecting Cyberspace as a National Asset Act of 2010 (“PCNNA”) will be expedited, with a hearing scheduled for June 15, 2010. Sen. Lieberman introduced the legislation on June 10, 2010, with Sens. Susan Collins (R- Maine), the Homeland Security and Governmental Affairs Committee's ranking member, and Thomas Carper (D- Del.). The PCNNA would create a National Center for Cybersecurity and Communications within the Department of Homeland Security, which would be responsible for protecting against - and responding to - attacks on federal civilian networks and any private-sector assets deemed critical. The bill also would allow the President to seize control of the Internet or completely shut down access to certain parts of the Internet in the event of a “national cyberemergency,” a provision which concerns privacy advocates.

The Senate is considering another bill, the “Rockefeller-Snowe Cybersecurity Act,” which was approved by the Senate Commerce, Science, and Transportation Committee in March. A provision similar to the PCNNA provision authorizing the president to shut down access to certain networks was removed from the Rockefeller-Snowe Cybersecurity Act. Sen. Rockefeller and Sen. Lieberman have noted that the bills overlap in significant ways (such as giving the president emergency powers, establishing cybersecurity standards for certain industries and subjecting the White House cybersecurity coordinator to Senate confirmation) and Sen. Lieberman stated that the bills are “not irreconcilable.”

Ninth Circuit Affirms Gap, Inc.’s Data Breach Win: On May 28, 2010, the United States Court of Appeals for the Ninth Circuit affirmed a district court decision against a job applicant who sued Gap, Inc. when two laptops containing applicants’ personal information were stolen from a vendor who processed job applications for Gap. Ruiz, the plaintiff sued for breach of contract and violation of state unfair competition and privacy laws. The Court found that Ruiz had failed to show that he had suffered nonspeculative, appreciable damages and ruled against Ruiz on his state law privacy claim. The Court noted that the breach resulted from the accidental compromise of data by Gap’s agents and found that “California courts have yet to extend the cause of action to include accidental or negligent conduct.”

FTC Enters Into Settlement with Dave & Buster’s Due to Security Breach: The FTC announced on June 8, 2010, that it had approved a final settlement order with restaurant and entertainment company Dave & Busters. The FTC previously found that Dave & Buster’s failed to take reasonable steps to secure its customers’ credit card numbers and expiration dates, allowing a computer hacker to access about 130,000 credit and debit cards. The FTC approved the settlement after a public comment period. Under the settlement, Dave & Buster’s must establish and maintain a data breach prevention program, obtain independent audits, every other year for 10 years, and follow record-keeping provisions to allow the FTC to monitor compliance.

FTC Rejects COPPA Safe Harbor Application of i-SAFE: The FTC rejected the application of non-profit organization i-SAFE, Inc. to run a Safe Harbor program under the Children’s Online Privacy Protection Act (“COPPA”) Rule. The FTC announced in January that i-SAFE had sought approval of its proposed program, including guidelines to govern compliance with COPPA. In a letter to i-SAFE, dated June 2, 2010, the FTC explained that the application was rejected because i-SAFE’s proposed safe harbor guidelines “would result in lesser protections for children than provided by COPPA itself.” The FTC expressed concern that “i-SAFE’s own website does not provide protections for children equal or greater than the Rule,” and said that “[t]he Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online.”

Consumer Groups and Tech Companies Weigh in on Boucher Bill: On June 4, 2010, representatives from 10 consumer watchdog groups including the Center for Digital Democracy and Consumer Watchdog sent a letter to House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.) and Ranking Member Cliff Stearns suggesting changes to the draft privacy legislation they released May 3, 2010. The letter expresses approval over the inclusion of certain data as “covered information” in the bill as well as language requiring express consent by customers to any material changes in companies’ privacy policies, but criticizes other clauses, including the “notice and choice model” on which the bill is based. The groups propose an opt-in approach be used instead. These criticisms are mirrored by the language of another consumer group, Center for Democracy & Technology, which filed written comments expressing concern “that the strong reliance on consent places the entire burden for privacy protection on consumers.”

Facebook and Google have also commented on the bill. Facebook argues that “information that individuals intend to share with others” should be outside the scope of the bill. Google has not made the contents of its comments public.

Google Testifies Before Congress: In a letter to Congress released on June 11, 2010, Google asserted that the collection of Wi-Fi user data by its Street View cars broke no state or federal laws. Google admitted in March that the camera-equipped cars it uses to gather Street View pictures have collected private information from unencrypted wireless networks for three years but claimed that the collection was the result of a programming error. Google faces class action lawsuits in Massachusetts, Oregon, and California related to its data collection.

Upcoming Events:
Womble Carlyle Presents a WEBINAR – Planning and Response: Surviving a Data Breach (June 16, 2010; 12:00-1:00PM EDT). Join Heartland Payment Systems General Counsel, Charles Kallenbach, and Womble Carlyle privacy professionals as they discuss the best ways to handle data incidents – from advance preparation to responding to the breach, addressing litigation and official inquiries. For more information and to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Teamprovide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Friday, June 11, 2010, 3:46 PM

Ted Claypoole Serves as Panelist at AMC “Meaningful Privacy and Security Conference”

CHAPEL HILL, N.C. – Womble Carlyle attorney Ted Claypoole served as a panelist at the 6th Annual Academic Medical Centers (AMC) “Meaningful Privacy and Security” Conference presented by the North Carolina Healthcare Information and Communications Alliance (NCHICA) on June 7-9, 2010 at The Friday Center in Chapel Hill, NC.

Conference attendees were educated on ways other AMC and learning hospital colleagues are handling important privacy and security issues arising from the American Recovery and Reinvestment Act (ARRA), such as Breach Notification requirements, EHR certification, comparative effectiveness research data, and compliance audits.

During the presentation entitled, “Cloud Computing & Clinical Research: What Are We Handing Over?” Ted and his co-panelists discussed how cloud computing is currently being utilized for research, described the benefits and detriments of cloud computed securities, and identified strategies for AMC’s to consider when moving forward into this environment.

NCHICA is a nationally recognized nonprofit consortium dedicated to “improving health and care in North Carolina by accelerating the adoption of information technology and enabling policies.” Members include leading organizations in healthcare, research and information technology.

Ted Claypoole is a member of Womble Carlyle’s Privacy and Data Protection Team. For more information on our team, please visit: www.wcsr.com/teams/privacy-and-data-protection.

Tuesday, June 1, 2010, 2:18 PM

Privacy Bulletin: Issue No. 40

In the News
FTC Delays Enforcement of Red Flags Rule Again: On May 28, 2010, the FTC announced that it is further delaying enforcement of the Red Flags Rule until December 31, 2010. Several Members of Congress requested the delay so as to enable Congress to evaluate legislation that would affect entities covered by the Rule. The Rule became effective on January 1, 2008, with full compliance for all covered entities originally scheduled for November 1, 2008. The FTC has delayed enforcement of the Rule on several occasions.

Consumer Group Suggests Revisions To Boucher's Privacy Bill: Consumers Union, publisher of Consumer Reports magazine, has urged House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.), and Ranking Member Cliff Stearns to make major changes to the draft privacy legislation released May 3, 2010. While Consumers Union lauded certain measures in the bill including requirements that online entities give notice and obtain consent before changing privacy practices with regard to previously obtained information, "there are certain features of the proposal that cause us concern." Ellen Bloom, Consumers Union's director of federal policy, wrote that the consumer group was concerned that "the bill appears to exclusively rely on the notice and choice model, which has been shown to be particularly ineffective in protecting consumer privacy online." The group criticized a provision in the bill that would eliminate private rights of action against those violating provisions of the law.

Consumers Union also recommended changes in the definitions of “covered information” and “sensitive information” to allow for future modifications to the definitions in order to incorporate changes in technology. Those definitions are crucial to the bill, because users must proactively opt out of the collection of information that is not “sensitive” but information that is sensitive cannot be collected unless users affirmatively opt in.

Google Faces Lawsuits Over Wi-Fi Data Collection: In three separate lawsuits, plaintiffs claim that Google’s collection of Wi-Fi user data has violated state and federal privacy laws. Earlier this month, Google admitted that the camera-equipped cars it uses to gather Street View pictures have collected private information from unencrypted wireless networks for three years. Google asserts that the collection was inadvertent and resulted from a programming error that included code for an experimental project within the Street View code.

The Massachusetts lawsuit, filed by Galaxy Services International, seeks class-action status for all Massachusetts Wi-Fi users who may have been affected. The Oregon suit seeks class-action status for residents in Oregon OR in Washington state who may have been affected. The California suit goes further, seeking to include all U.S. residents. Google is also facing inquiries from several countries regarding its data collection, and some countries, including Ireland, already have ordered Google to destroy the information it obtained. The House Judiciary Committee has also launched an inquiry.

Congress Debates Mandatory Black Boxes in New Cars: A bill introduced by Rep. Jackier Speier (D-Calif.) requiring black boxes strong enough to withstand immersion in fire or water and high-speed rollover crashes in all new cars is being debated in the house. The bill passed the House Energy and Commerce Committee on May 27, 2010, despite complaints from Republican members that the bill could violate drivers’ policies. Privacy advocates are concerned about how the information will be stored and the extent to which it can be accessed and utilized.

Facebook Announces Simpler Privacy Controls: On May 26, 2010, Facebook, Inc. CEO Mark Zuckerberg, announced that Facebook has simplified its privacy settings. In the last few weeks, scrutiny of Facebook’s privacy policies has intensified. Facebook also is the subject of a class action lawsuit that alleges that Facebook “knowingly, willfully, unlawfully and intentionally without authorization divulged confidential and private information relating to plaintiff and the class' electronic communications.” The changes announced by Zuckerberg include one control for all user content, easy options for opting out of site applications, and better controls for basic information.

Upcoming Events:
Womble Carlyle Presents a WEBINAR – Planning and Response: Surviving a Data Breach (June 16, 2010; 12:00-1:00PM EDT). Join Heartland Payment Systems General Counsel, Charles Kallenbach, and Womble Carlyle privacy professionals as they discuss the best ways to handle data incidents – from advance preparation to responding to the breach, addressing litigation and official inquiries. For more information and to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top