Tuesday, August 3, 2010, 10:07 AM

Privacy Bulletin: Issue No. 44

In the News
FTC Amends Telemarketing Sales Rule: On July 29, 2010, the FTC announced new amendments to the Telemarketing Sales Rule that will prohibit debt relief companies from collecting advanced fees. Effective October 27, 2010, businesses that sell debt relief services over the phone will be prohibited from charging any fees until either (i) the debt relief company successfully renegotiates, settles or reduces, or improves the terms of at least one of the consumer’s debts; (ii) the consumer and creditor have agreed to a written settlement agreement, debt management plan, or other agreement; and (iii) the consumer has made at least one payment to the creditor pursuant to the agreement negotiated by the company. Three other provisions take effect on September 27, 2010, which will require specific disclosures to consumers by debt relief companies; prohibit such companies from making certain misrepresentations, including false representations about nonprofit status or success rates; and extend the Telemarketing Sales Rule to cover calls consumers make to the companies in response to debt relief advertising. The new amendments will also allow for dedicated accounts, in which consumers may be required to maintain fees for debt relief companies and set aside savings for payments to creditors. The FTC has created a guide to help businesses comply with the new rule.

FTC Testifies on Consumer Privacy Protections: On July 27, 2010, FTC Chairman Jon Leibowitz testified on behalf of the Commission before the Committee on Commerce, Science, and Transportation, of the United States Senate about current efforts by the Commission to protect consumer privacy. In its testimony, the Commission outlined its aggressive consumer protection efforts, including 29 cases it brought against businesses that the Commission alleged failed to adequately protect consumers’ personal information; 15 actions brought against website operators for failure to comply with CIPA; and 64 actions to enforce the Do Not Call Rule. Chairman Leibowitz also described the Commission’s recent efforts through a series of roundtables to re-examine consumer privacy protection. The Commission intends to release a report later this year to discuss new initiatives, such as a proposal it is exploring for a “do-not-track” list—an Internet corollary to the Do Not Call registry that would allow customers to opt-out of having their activities on the Internet tracked by advertisers.

Rite Aid Settles with FTC: On July 27, 2010, the FTC announced that it had settled with Rite Aid Corporation on charges that Rite Aid had failed to protect financial and medical information of its customers and employees in violation of HIPAA and other federal laws. The FTC coordinated its investigation and settlement with the Department of Health and Human Services (“HHS”), which had begun an independent investigation of Rite Aid. The FTC alleged that Rite Aid failed to use appropriate privacy protections in disposing of personal information, training employees, assessing compliance with disposal policies and procedures, and processes for discovering and remedying risks to personal information. Under the settlement, Rite Aid is required to establish a comprehensive security program and to obtain regular audits for the next 30 years. Rite Aid also will pay HHS a $1,000,000 fine.

House Commerce Subcommittee Chair Introduces Best Practices Act: On July 19, 2010, Congressman Bobby Rush (D-Ill.), Chairman of the House Commerce Subcommittee on Commerce, Trade and Consumer Protection, introduced H.R. 5777, the “Best Practices Act,” which would require any person or business that stores personal information to obtain permission from Internet users in order to collect their sensitive information (include financial and health information) or share information with third parties. The bill would require companies to provide “concise, meaningful, timely, prominent and easy-to-understand notice” to users about their privacy policies, including what information the companies will collect and why.

On July 22, 2010, just days after Congressman Rush introduced the bill, the Subcommittee on Commerce, Trade and Consumer Protection heard testimony about both the Best Practices Act and a draft bill introduced by Representative Rick Boucher (D-Va.) last May. Representatives from the FTC, U.S. PIRG, the CDT, NYU School of Law, the U.S. Chamber of Commerce, among others, testified regarding the proposed legislation.

Fourth Circuit Finds Right to Free Speech Beats Out Privacy Concerns in Online SSN Publication Case: On July 26, 2010, the United States Court of Appeals for the Fourth Circuit held in Ostergren v. Cuccinelli, No. 09-1796, that blogger Betty Ostergren, could not be punished for publishing the Social Security Numbers of public officials in Virginia to protest the fact that Virginia publishes land records online that include unredacted citizens’ social security numbers. Virginia’s clerks of court began publishing land records on the Internet during the 1990s. Virginia does not redact SSNs from land records maintained at local courthouses, even though Virginia laws require that such records remain publicly accessible. As a result, many of the records published online included unredacted SSNs. To protest what she saw as a major privacy violation, Ostergren obtained land records of public officials and courts of clerks from the state-maintained records available online and re-posted the records, which included the unredacted SSNs.

In its decision, the Fourth Circuit rejected the argument that Social Security Numbers are categorically unprotected speech that may be prohibited entirely. Under Virginia law, no person may intentionally communicate another individual’s social security number to the general public. Virginia argued that Ostergren violated this law, and she challenged the law on First Amendment grounds. The Fourth Circuit agreed with Ostergren’s interpretation, noting that she was acting similar to a news media outlet that republishes publicly available information. Instead of prohibiting protected speech like Ostergren’s, the Court stated, “Virginia could curtail SSNs’ public disclosure much more narrowly by directing clerks not to make land records available through secure remote access until after SSNs have been redacted.”

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.


Post a Comment

<< Home

back to top