BLOGS: Privacy and Data Protection

Friday, July 16, 2010, 2:16 PM

Privacy Bulletin: Issue No. 43

In the News
Cybersecurity Legislation Update: Senate Majority Leader Harry Reid (D.-Nev.) said that he is committed to developing comprehensive cyber security legislation in a June 1, 2010, letter to President Obama. Currently, Reid and other senators are working to integrate components of several bills, including the "Protecting Cyberspace as a National Asset Act of 2010” (S. 3480), proposed by Homeland Security Chairman Joseph Lieberman (I.-Conn.) (also a signatory to the June 1, 2010 letter), which was approved by the Senate Homeland Security Committee last month. The letter was also signed by Chairmen of the Homeland Security, Judiciary, Armed Services, Foreign Relations and Intelligence Committees, as well as Chairman of the Committee on Commerce, Science and Transportation John D. Rockefeller, IV (D.-W.V.), co-author of the “Rockefeller-Snowe Cybersecurity Act,” (S. 773), the other main bill under consideration by the senators. The senators said that their committees had already “developed a number of well-considered proposals” to achieve a balance between the need for a secure digital environment and civil rights and free commerce concerns and that they intend to build upon the bills in a piece of comprehensive legislation. Senate Republicans have not been involved in these negotiations.

HHS Proposes Privacy Rights Rule: On July 8, 2010, the U.S. Department of Health and Human Services proposed new healthcare information privacy rules that will bolster the Health Insurance Portability and Accountability Act (“HIPAA”) protections. The new rules would expand individuals’ rights to access information, restrict access of health information to insurers, and broaden HIPAA regulations to apply to a wider demographic, including business associates of doctors and insurers. A comment period on the rules proposal is ongoing and will end September 14, 2010.

Nonprofit Agency Files FTC Privacy Complaint Against Online Data Aggregator Website: The Center for Democracy and Technology (“CDT”) filed a complaint with the Federal Trade Commission against Spokeo.com, (“Spokeo”) a people-search service, alleging that the website violates the Fair Credit Reporting Act (“FCRA”). CDT claims that Spokeo, which offers information on credit ratings and other financial information of millions of U.S. consumers, does not inform consumers of adverse determinations based on that data or give them an opportunity to learn who has accessed their profiles, as required by the FCRA. CDT has asked the FTC to enjoin Spokeo from offering consumer reports until the company is brought into compliance with the FCRA.

Privacy Groups Urge FTC to Draft Privacy Plan: On July 14, 2010, representatives from seventeen consumer privacy advocacy groups wrote a letter encouraging Federal Trade Commission Chairman Jon Leibowitz to draft a comprehensive plan akin to the National Broadband Plan created by the Federal Communications Commission this spring. The FTC already has held several consumer privacy workshops this year, and the groups, which include the ACLU, Consumer Watchdog, and the Electronic Privacy Information Center, asked the FTC to take what was learned in that process to create comprehensive statutory and regulatory solutions to address what they describe as “deficiencies in Americans’ privacy rights.” The groups asked the FTC to 1) create a comprehensive privacy law that enumerates consumer rights to protect their personal information, 2) draft specific regulations to govern information collection by online advertisers, 3) identify new business practices, including location-based targeting and digital signage, that raise possible privacy concerns and address those concerns, and 4) improve transparency at the FTC.

FTC’s Comment Period on COPPA Ends: On July 12, 2010, the FTC’s comment period on its review of the Children's Online Privacy Protection Rule (“COPPA” Rule) ended. Over 70 entities commented, including large telecommunications companies, industry groups and consumer advocacy groups, with companies and industry groups generally pushing for little or no change to the rules while privacy groups advocated for sweeping changes and more rigorous enforcement.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Thursday, July 8, 2010, 9:22 AM

ACC, Womble Carlyle to host Data Breach Webinar

Womble Carlyle and the Association of Corporate Counsel’s New to In-house Committee are sponsoring a program on “Preparing for and Responding to Data Breaches.” The one-hour Webinar takes place at 2 p.m. on Thursday, July 22nd.

Womble Carlyle attorneys Jennifer Kashatus and Jill Girardeau will discuss planning and preparation tactics to help you when the inevitable data breach occurs. The panelists also will discuss what to do when you learn of a data breach. The panel will focus on state notification requirements. HIPAA/HI-TECH notification issues also will be covered.

Click here to read more...

Friday, July 2, 2010, 10:07 AM

Privacy Bulletin: Issue No. 42

In the News
Supreme Court Finds Employee Had No Expectation of Privacy in Work-Issued Cell Phone: On June 17, 2010, in City of Toronto v. Quon, 08-1332, the Supreme Court held that a public employer’s review of an employee’s personalized messages on an employer-issued device did not violate the Fourth Amendment. The Supreme Court’s decision overturned the 9th Circuit, which had held that the plaintiff had a reasonable expectation of privacy in the text messages and that the City’s search was not reasonable even though conducted with a legitimate, work-related rationale. In reaching that holding, the 9th Circuit found that the City could have used less intrusive means to conduct the search and that the wireless carrier had violated the Stored Communications Act (“SCA”) by releasing the transcripts of text messages to the City.

In overturning the 9th Circuit, the Court found that the department’s search of work-issued phone records to determine if officers were using their pagers too often for personal messages was reasonable. While the Court did not reach the issue of whether employees have a reasonable expectation of privacy in work-issued phones, the Court did hold that, when an employer searches phone records for any legitimate business reason, the search does not violate the privacy rights of individuals. The Court found that, even if the City’s employees had a reasonable expectation of privacy in their text messages, the search was justified under Supreme Court precedent because there were “reasonable grounds for suspecting that the search was necessary for a noninvestigatory work-related purpose”- whether the character limit on the City’s plan was sufficient to meet the City’s needs, a purpose which made it necessary for the City to distinguish between work-related and non-work-related text messages. Furthermore, the Court found, any expectation of privacy Quon had must be extremely limited to be reasonable, because the City had a written policy explaining that texts were subject to auditing. The merits of the SCA claim were not before the Court.

FTC Enters Into Settlement with Twitter: On June 24, 2010, the FTC announced that it had approved a settlement order with social networking service Twitter. Hackers allegedly were able to obtain customer passwords and then reset some passwords and took control of others- sending fake tweets from user accounts. Under the terms of the settlement, Twitter will be “barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.” Twitter also must implement a comprehensive information security program, to be assessed by an independent auditor every other year for 10 years.

Homeland Security Committee Approves Cybersecurity Bill: The Senate Homeland Security and Governmental Affairs Committee approved a cybersecurity bill proposed by Committee Chairman Joseph I. Lieberman (I.-Conn.), after adding a substitute amendment limiting presidential powers under the bill. The bill, entitled the “Protecting Cyberspace as a National Asset Act of 2010,” would create a National Center for Cybersecurity and Communications within the Department of Homeland Security. The bill also would allow the President to seize control of the Internet or shut down access to certain parts of the Internet in the event of a “national cyberemergency,” a provision which concerns privacy advocates. The amendment clarifies that the President can declare a cyberemergency only if cyber-interference has the potential to disrupt the operation of critical infrastructure and limits the extension of a cyberemergency to 120 days, unless Congress passes a resolution approving continuation.

Senate Declines to Extend FTC Authority in Financial Regulatory Reform Legislation: On June 22, 2010, the Senate Banking Committee voted to reject language in H.R. 4173, the Wall Street Reform and Consumer Protection Act, which would have expanded the FTC’s authority in policing unfair trade practices. The provisions would have made it easier for the FTC to create regulations, requiring only a “notice and comment” period for new rules, and would have increased the FTC’s enforcement abilities by allowing it to pursue third-party claims under the FTC Act without coordinating with the U.S. Department of Justice. On June 29, 2010, the Conference Report was filed.

Utah Supreme Court Finds Candidates May Use Electronic Bids for State Office Runs: On June 22, 2010, the Utah Supreme Court held that, under the Uniform Electronic Transactions Act, electronic signatures may be counted towards the 1,000 signatures required for a candidate who is unaffiliated with a party to run for statewide office. The court cited to Utah Code Ann. § 20A-9-501, which requires 1,000 signatures, stating that, as a matter of public policy, courts should “liberally construe” statutes governing unaffiliated candidates, so as to give them “every reasonable opportunity to make their candidacy effective.”

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top