BLOGS: Privacy and Data Protection

Monday, August 16, 2010, 3:11 PM

Privacy Bulletin: Issue No. 45

In the News

D.C. District Court Finds Warrantless GPS Monitoring Unconstitutional: On August 6, 2010, in United States v. Maynard, No. 08-3030, the United States Court of Appeals for the District of Columbia held that police violated the Fourth Amendment’s prohibition against unreasonable searches when they tracked a suspect’s movements with a GPS they had installed in his car, unbeknownst to him and without a valid warrant. Although the Court acknowledged that the Supreme Court had held that people driving in cars on public roads had no “reasonable expectation of privacy” in their final destination, it ultimately found that prolonged surveillance 24 hours a day for 28 days was distinguishable from surveillance for one trip. Unlike the movements of a single journey, the Court held, all of one’s movements over the course of a month are not actually exposed to the public, because it is extremely unlikely that anyone will observe all of these movements and learn the entire pattern of travel. Furthermore, the Court found, the range of movements within a 28 day period reveals an “intimate picture” of the traveler, revealing much more than the individual trips that make up that range.

Senators Introduce Federal Data Breach Notification Bill: On August 5, 2010, the Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance Mark Pryor (D-AR) and Full Committee Chairman John Rockefeller (D-WV) introduced the “Data Security and Breach Notification Act of 2010,” S. 3742, which would require businesses to protect personal information in their possession, to notify residents if that information is breached, and to adopt a data security policy. Currently, there is no federal notification requirement for a data breach in most industries, although the vast majority of states have enacted data breach notification laws. The proposed bill requires entities to notify consumers within 60 days of a breach and to provide consumers with two years of credit monitoring services. The proposed bill would authorize the FTC to set national standards for safeguarding personal information and to seek up to $5 million in civil penalties for failure to comply. If enacted, the bill would preempt all state data breach notification and data security laws and regulations. Only companies covered by the Fair Credit Reporting Act and in compliance with that act would be exempt from the proposed law. Last month, Sens. Tom Carper, D-DE, and Robert Bennett, R-UT, reintroduced a similar bill, S. 3579.

First Circuit Upholds Main Prescription Law: On August 4, 2010, in IMS Health Inc. v. Mills, the U.S. Court of Appeals for the First Circuit held that a Maine law that banned the sale of certain prescription drug data for marketing purposes did not violate the right to free speech of companies that collect identifying data about individual medical professionals that prescribe drugs and aggregate the data for use in marketing pharmaceutical products. The law, 22 Me. Rev. Stat. Ann. Tit. 22, § 1711-E (2-A), allows doctors to withhold their prescription-writing information from “prescription drug information intermediaries,” among others. IMS Health Incorporated, Verispan, LLC, and Source Healthcare Analytics, Inc., three companies that collect identifying information about prescribing behaviors and analyze them for use in pharmaceutical marketing, challenged the law claiming that the restrictions violated the U.S. Constitution. The First Circuit found a nearly identical New Hampshire law to be constitutional in 2008, holding that the law regulated conduct, and not speech, but that even if the New Hampshire law did regulate speech, the speech in question was commercial speech, and New Hampshire’s goal is a substantial government interest that outweighed the rights of companies to sell or use prescribers’ identifying data. The court found that Maine’s law, which, unlike New Hampshire’s, required doctors to opt out of having their information shared, instead of restricting access to the data automatically, served another purpose which the court likened to the reason behind the “do-not-call” registry: doctors have a right to “avoid unwanted targeting … on the basis of their individual prescribing histories.”

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

Tuesday, August 3, 2010, 10:07 AM

Privacy Bulletin: Issue No. 44

In the News
FTC Amends Telemarketing Sales Rule: On July 29, 2010, the FTC announced new amendments to the Telemarketing Sales Rule that will prohibit debt relief companies from collecting advanced fees. Effective October 27, 2010, businesses that sell debt relief services over the phone will be prohibited from charging any fees until either (i) the debt relief company successfully renegotiates, settles or reduces, or improves the terms of at least one of the consumer’s debts; (ii) the consumer and creditor have agreed to a written settlement agreement, debt management plan, or other agreement; and (iii) the consumer has made at least one payment to the creditor pursuant to the agreement negotiated by the company. Three other provisions take effect on September 27, 2010, which will require specific disclosures to consumers by debt relief companies; prohibit such companies from making certain misrepresentations, including false representations about nonprofit status or success rates; and extend the Telemarketing Sales Rule to cover calls consumers make to the companies in response to debt relief advertising. The new amendments will also allow for dedicated accounts, in which consumers may be required to maintain fees for debt relief companies and set aside savings for payments to creditors. The FTC has created a guide to help businesses comply with the new rule.

FTC Testifies on Consumer Privacy Protections: On July 27, 2010, FTC Chairman Jon Leibowitz testified on behalf of the Commission before the Committee on Commerce, Science, and Transportation, of the United States Senate about current efforts by the Commission to protect consumer privacy. In its testimony, the Commission outlined its aggressive consumer protection efforts, including 29 cases it brought against businesses that the Commission alleged failed to adequately protect consumers’ personal information; 15 actions brought against website operators for failure to comply with CIPA; and 64 actions to enforce the Do Not Call Rule. Chairman Leibowitz also described the Commission’s recent efforts through a series of roundtables to re-examine consumer privacy protection. The Commission intends to release a report later this year to discuss new initiatives, such as a proposal it is exploring for a “do-not-track” list—an Internet corollary to the Do Not Call registry that would allow customers to opt-out of having their activities on the Internet tracked by advertisers.

Rite Aid Settles with FTC: On July 27, 2010, the FTC announced that it had settled with Rite Aid Corporation on charges that Rite Aid had failed to protect financial and medical information of its customers and employees in violation of HIPAA and other federal laws. The FTC coordinated its investigation and settlement with the Department of Health and Human Services (“HHS”), which had begun an independent investigation of Rite Aid. The FTC alleged that Rite Aid failed to use appropriate privacy protections in disposing of personal information, training employees, assessing compliance with disposal policies and procedures, and processes for discovering and remedying risks to personal information. Under the settlement, Rite Aid is required to establish a comprehensive security program and to obtain regular audits for the next 30 years. Rite Aid also will pay HHS a $1,000,000 fine.

House Commerce Subcommittee Chair Introduces Best Practices Act: On July 19, 2010, Congressman Bobby Rush (D-Ill.), Chairman of the House Commerce Subcommittee on Commerce, Trade and Consumer Protection, introduced H.R. 5777, the “Best Practices Act,” which would require any person or business that stores personal information to obtain permission from Internet users in order to collect their sensitive information (include financial and health information) or share information with third parties. The bill would require companies to provide “concise, meaningful, timely, prominent and easy-to-understand notice” to users about their privacy policies, including what information the companies will collect and why.

On July 22, 2010, just days after Congressman Rush introduced the bill, the Subcommittee on Commerce, Trade and Consumer Protection heard testimony about both the Best Practices Act and a draft bill introduced by Representative Rick Boucher (D-Va.) last May. Representatives from the FTC, U.S. PIRG, the CDT, NYU School of Law, the U.S. Chamber of Commerce, among others, testified regarding the proposed legislation.

Fourth Circuit Finds Right to Free Speech Beats Out Privacy Concerns in Online SSN Publication Case: On July 26, 2010, the United States Court of Appeals for the Fourth Circuit held in Ostergren v. Cuccinelli, No. 09-1796, that blogger Betty Ostergren, could not be punished for publishing the Social Security Numbers of public officials in Virginia to protest the fact that Virginia publishes land records online that include unredacted citizens’ social security numbers. Virginia’s clerks of court began publishing land records on the Internet during the 1990s. Virginia does not redact SSNs from land records maintained at local courthouses, even though Virginia laws require that such records remain publicly accessible. As a result, many of the records published online included unredacted SSNs. To protest what she saw as a major privacy violation, Ostergren obtained land records of public officials and courts of clerks from the state-maintained records available online and re-posted the records, which included the unredacted SSNs.

In its decision, the Fourth Circuit rejected the argument that Social Security Numbers are categorically unprotected speech that may be prohibited entirely. Under Virginia law, no person may intentionally communicate another individual’s social security number to the general public. Virginia argued that Ostergren violated this law, and she challenged the law on First Amendment grounds. The Fourth Circuit agreed with Ostergren’s interpretation, noting that she was acting similar to a news media outlet that republishes publicly available information. Instead of prohibiting protected speech like Ostergren’s, the Court stated, “Virginia could curtail SSNs’ public disclosure much more narrowly by directing clerks not to make land records available through secure remote access until after SSNs have been redacted.”

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top