Privacy Bulletin: Issue No. 41

In the News
Senators Consider Cybersecurity Bills: Sen. Joseph Lieberman (I-Conn.) announced that consideration of the bill "Protecting Cyberspace as a National Asset Act of 2010 (“PCNNA”) will be expedited, with a hearing scheduled for June 15, 2010. Sen. Lieberman introduced the legislation on June 10, 2010, with Sens. Susan Collins (R- Maine), the Homeland Security and Governmental Affairs Committee's ranking member, and Thomas Carper (D- Del.). The PCNNA would create a National Center for Cybersecurity and Communications within the Department of Homeland Security, which would be responsible for protecting against - and responding to - attacks on federal civilian networks and any private-sector assets deemed critical. The bill also would allow the President to seize control of the Internet or completely shut down access to certain parts of the Internet in the event of a “national cyberemergency,” a provision which concerns privacy advocates.

The Senate is considering another bill, the “Rockefeller-Snowe Cybersecurity Act,” which was approved by the Senate Commerce, Science, and Transportation Committee in March. A provision similar to the PCNNA provision authorizing the president to shut down access to certain networks was removed from the Rockefeller-Snowe Cybersecurity Act. Sen. Rockefeller and Sen. Lieberman have noted that the bills overlap in significant ways (such as giving the president emergency powers, establishing cybersecurity standards for certain industries and subjecting the White House cybersecurity coordinator to Senate confirmation) and Sen. Lieberman stated that the bills are “not irreconcilable.”

Ninth Circuit Affirms Gap, Inc.’s Data Breach Win: On May 28, 2010, the United States Court of Appeals for the Ninth Circuit affirmed a district court decision against a job applicant who sued Gap, Inc. when two laptops containing applicants’ personal information were stolen from a vendor who processed job applications for Gap. Ruiz, the plaintiff sued for breach of contract and violation of state unfair competition and privacy laws. The Court found that Ruiz had failed to show that he had suffered nonspeculative, appreciable damages and ruled against Ruiz on his state law privacy claim. The Court noted that the breach resulted from the accidental compromise of data by Gap’s agents and found that “California courts have yet to extend the cause of action to include accidental or negligent conduct.”

FTC Enters Into Settlement with Dave & Buster’s Due to Security Breach: The FTC announced on June 8, 2010, that it had approved a final settlement order with restaurant and entertainment company Dave & Busters. The FTC previously found that Dave & Buster’s failed to take reasonable steps to secure its customers’ credit card numbers and expiration dates, allowing a computer hacker to access about 130,000 credit and debit cards. The FTC approved the settlement after a public comment period. Under the settlement, Dave & Buster’s must establish and maintain a data breach prevention program, obtain independent audits, every other year for 10 years, and follow record-keeping provisions to allow the FTC to monitor compliance.

FTC Rejects COPPA Safe Harbor Application of i-SAFE: The FTC rejected the application of non-profit organization i-SAFE, Inc. to run a Safe Harbor program under the Children’s Online Privacy Protection Act (“COPPA”) Rule. The FTC announced in January that i-SAFE had sought approval of its proposed program, including guidelines to govern compliance with COPPA. In a letter to i-SAFE, dated June 2, 2010, the FTC explained that the application was rejected because i-SAFE’s proposed safe harbor guidelines “would result in lesser protections for children than provided by COPPA itself.” The FTC expressed concern that “i-SAFE’s own website does not provide protections for children equal or greater than the Rule,” and said that “[t]he Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online.”

Consumer Groups and Tech Companies Weigh in on Boucher Bill: On June 4, 2010, representatives from 10 consumer watchdog groups including the Center for Digital Democracy and Consumer Watchdog sent a letter to House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.) and Ranking Member Cliff Stearns suggesting changes to the draft privacy legislation they released May 3, 2010. The letter expresses approval over the inclusion of certain data as “covered information” in the bill as well as language requiring express consent by customers to any material changes in companies’ privacy policies, but criticizes other clauses, including the “notice and choice model” on which the bill is based. The groups propose an opt-in approach be used instead. These criticisms are mirrored by the language of another consumer group, Center for Democracy & Technology, which filed written comments expressing concern “that the strong reliance on consent places the entire burden for privacy protection on consumers.”

Facebook and Google have also commented on the bill. Facebook argues that “information that individuals intend to share with others” should be outside the scope of the bill. Google has not made the contents of its comments public.

Google Testifies Before Congress: In a letter to Congress released on June 11, 2010, Google asserted that the collection of Wi-Fi user data by its Street View cars broke no state or federal laws. Google admitted in March that the camera-equipped cars it uses to gather Street View pictures have collected private information from unencrypted wireless networks for three years but claimed that the collection was the result of a programming error. Google faces class action lawsuits in Massachusetts, Oregon, and California related to its data collection.

Upcoming Events:
Womble Carlyle Presents a WEBINAR – Planning and Response: Surviving a Data Breach (June 16, 2010; 12:00-1:00PM EDT). Join Heartland Payment Systems General Counsel, Charles Kallenbach, and Womble Carlyle privacy professionals as they discuss the best ways to handle data incidents – from advance preparation to responding to the breach, addressing litigation and official inquiries. For more information and to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Teamprovide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.