Privacy Bulletin: Issue No. 45

In the News

D.C. District Court Finds Warrantless GPS Monitoring Unconstitutional: On August 6, 2010, in United States v. Maynard, No. 08-3030, the United States Court of Appeals for the District of Columbia held that police violated the Fourth Amendment’s prohibition against unreasonable searches when they tracked a suspect’s movements with a GPS they had installed in his car, unbeknownst to him and without a valid warrant. Although the Court acknowledged that the Supreme Court had held that people driving in cars on public roads had no “reasonable expectation of privacy” in their final destination, it ultimately found that prolonged surveillance 24 hours a day for 28 days was distinguishable from surveillance for one trip. Unlike the movements of a single journey, the Court held, all of one’s movements over the course of a month are not actually exposed to the public, because it is extremely unlikely that anyone will observe all of these movements and learn the entire pattern of travel. Furthermore, the Court found, the range of movements within a 28 day period reveals an “intimate picture” of the traveler, revealing much more than the individual trips that make up that range.

Senators Introduce Federal Data Breach Notification Bill: On August 5, 2010, the Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance Mark Pryor (D-AR) and Full Committee Chairman John Rockefeller (D-WV) introduced the “Data Security and Breach Notification Act of 2010,” S. 3742, which would require businesses to protect personal information in their possession, to notify residents if that information is breached, and to adopt a data security policy. Currently, there is no federal notification requirement for a data breach in most industries, although the vast majority of states have enacted data breach notification laws. The proposed bill requires entities to notify consumers within 60 days of a breach and to provide consumers with two years of credit monitoring services. The proposed bill would authorize the FTC to set national standards for safeguarding personal information and to seek up to $5 million in civil penalties for failure to comply. If enacted, the bill would preempt all state data breach notification and data security laws and regulations. Only companies covered by the Fair Credit Reporting Act and in compliance with that act would be exempt from the proposed law. Last month, Sens. Tom Carper, D-DE, and Robert Bennett, R-UT, reintroduced a similar bill, S. 3579.

First Circuit Upholds Main Prescription Law: On August 4, 2010, in IMS Health Inc. v. Mills, the U.S. Court of Appeals for the First Circuit held that a Maine law that banned the sale of certain prescription drug data for marketing purposes did not violate the right to free speech of companies that collect identifying data about individual medical professionals that prescribe drugs and aggregate the data for use in marketing pharmaceutical products. The law, 22 Me. Rev. Stat. Ann. Tit. 22, § 1711-E (2-A), allows doctors to withhold their prescription-writing information from “prescription drug information intermediaries,” among others. IMS Health Incorporated, Verispan, LLC, and Source Healthcare Analytics, Inc., three companies that collect identifying information about prescribing behaviors and analyze them for use in pharmaceutical marketing, challenged the law claiming that the restrictions violated the U.S. Constitution. The First Circuit found a nearly identical New Hampshire law to be constitutional in 2008, holding that the law regulated conduct, and not speech, but that even if the New Hampshire law did regulate speech, the speech in question was commercial speech, and New Hampshire’s goal is a substantial government interest that outweighed the rights of companies to sell or use prescribers’ identifying data. The court found that Maine’s law, which, unlike New Hampshire’s, required doctors to opt out of having their information shared, instead of restricting access to the data automatically, served another purpose which the court likened to the reason behind the “do-not-call” registry: doctors have a right to “avoid unwanted targeting … on the basis of their individual prescribing histories.”

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.