Womble Carlyle’s “Privacy Bulletin” highlights select developments that might be of interest to entities that collect or use personally identifiable information. Protecting a person’s privacy is a challenge to businesses, universities, and all other entities that collect personal information, particularly given the proliferation of personally identifiable information contained in consumer and employee records.
In the News
Google Settles Buzz Privacy Lawsuit for $8.5 Million: Google settled a class action lawsuit filed last April over alleged privacy violations stemming from their Buzz program. Google launched Buzz in February of last year. The program utilized the contacts of subscribers to Google’s free email service to create a public social networking tool. The lawsuit alleged that Google Buzz violated privacy protections by sharing users’ private information, including lists of users with whom they interacted, without their consent. After filing the settlement paperwork with the court, Google posted a notice on its website indicating that they were changing their privacy policy. According to Google’s Associate General Counsel, the changes wouldn’t affect any of Google’s privacy practices, rather the new policy would streamline and update the company’s privacy policies.
GAO Releases Report Criticizing Contractor Access to Sensitive Government Data: The Government Accountability Office released a report on September 10, 2010, focusing on a year and a half study of contractors assigned to three government agencies: Department of Defense, Homeland Security, and Health and Human Services (HHS). The GAO found that sensitive information released to contractors working with those agencies was not properly safeguarded and therefore posed a significant risk of improper disclosure or misuse. The report follows an announcement by Defense Secretary Robert Gates in August announcing major cuts to the government’s reliance on contractors, calling for a “10 percent annual reduction in spending on contractors who provide support services to the military, including money for intelligence-related contracts.” The report highlighted several data-breach incidents including one where a contract employee stole the names, social security numbers and birthdates of employees at the Transportation Security Administration in Boston.
EPIC Sues National Security Agency for Information about Communications with Google: On September 13, 2010, the Electronic Privacy Information Center (“EPIC”) sued the National Security Agency (“NSA”) for information regarding its alleged agreement with Google, Inc. to protect the company from cyber attacks by foreign entities. Earlier this year reports began to surface in several news outlets that Google had recruited the NSA to investigate the source of an alleged attack on Google’s corporate infrastructure originating from China and to take steps necessary to prevent future intrusions. EPIC’s suit began as a Freedom of Information Act request for any documents relating to such an agreement between Google and the NSA. When the NSA refused to provide the documents, the privacy agency sued. “In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship [between Google and the NSA],” EPIC said, in its FOIA request.
HHS Receives Detailed Comments on Proposed HIPAA changes: The HHS Office of Civil Rights will have their hands full as they review the thousands of pages of comments filed in response to their proposal to modify the HIPAA privacy, security and enforcement rules. The filing deadline for the comments was September 13, 2010. The comments focused on a range of issues including concerns about the cost and impracticability of allowing patients to restrict certain information submitted to healthcare providers from being shared with insurance companies. The comments also touched on the proposed modification to the HIPAA requirements requiring business associates and their subcontractors to comply with privacy and security rules. While commenters generally applauded the proposal, many expressed concern with the proposed requirement that entities covered by HIPAA modify their business associate agreements to reflect the latest changes, claiming that the proposed rule would be unduly burdensome. Some commenters also requested an extension to the 180-day compliance requirement, asking that entities receive a full year to come into compliance once the final rules become effective.
International Launch of Global Privacy Enforcement Network and Website: The Federal Trade Commission along with an international group of privacy enforcement officials recently commenced a Global Privacy Enforcement Network (“GPEN”) and accompanying website, http://www.privacyenforcement.net/, to aid information sharing efforts and international support of global privacy issues. Network participants include privacy enforcement authorities from countries across North America, Europe, Australia and the Middle East. “To protect consumers’ privacy in today’s global economy, all of us who work in law enforcement around the world need to cooperate with each other,” commented FTC Chairman Jon Leibowitz. “We at the FTC are looking forward to working closely with our colleagues overseas to make this happen.”
FTC Testifies at Senate Commerce Committee Discussing Proposed Data Security Legislation: On September 22, 2010, the Consumer Protection, Product Safety, and Insurance Subcommittee of the Senate Committee on Commerce, Science, and Transportation held a hearing to discuss the pending Data Security and Breach Notification Act of 2010 (the “Act”). The bill is one of a host of newly proposed legislation designed to address data security and privacy practices. Similar to the Data Accountability and Trust Act passed by the House of Representatives in December of 2009, the Senate Act brings Congress closer to passage of comprehensive data breach and privacy reform. The Act addresses three main data security and privacy issues: (1) requiring entities that have individual’s personal information to adopt data security protection measures, including secure means for disposal of electronic and non-electronic data; (2) requiring entities to notify their customers and the Federal Trade Commission, (“FTC”) of data security breaches; and (3) requiring information brokers to put into practice procedures to guarantee data accuracy, enable consumers to access their data, and permit customers to dispute inaccurate personal information. The FTC expressed general support for the Act, but recommended that the Senate expand its reach to cover security breaches that involve both paper and electronic records and to extend the requirements of the Act to telecommunications carriers, by providing the FTC with the authority to regulate those entities, regardless of the common carrier exemption. Other industry advocates attending the hearing expressed concern that the requirements could effectively over-notify customers about security breaches that do not expose consumers to a risk of identity theft or fraud.
Major Technology Companies Indicate Support of Rush Privacy Legislation: On October 4, technology companies Intel, eBay and Microsoft sent a letter to Rep. Bobby Rush, D-Ill., Chairman of the Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, indicating their support for his privacy legislation: "We support the bill's overall framework, which is built upon the Fair Information Practices regime. We appreciate that the BEST PRACTICES Act is technology neutral and gives flexibility to the Federal Trade Commission to adapt to changes in technology." The companies commented, however, that the House should remove the provision providing consumers the opportunity to sue for violating provisions of the bill, stating that such a provision would cause "unnecessary litigation costs and uncertainty for businesses" and would not combat consumer privacy issues. The legislation, as drafted, would permit websites and other companies covered by the bill to collect consumer information, but would require notice to the consumer and an option to opt-out. Additionally, the bill would require consumers to opt-in to disclosure of information to third-parties, unless the company participated in a “universal opt-out program.” The Subcommittee is expected to hold a hearing on the bill in November and discuss the addition of a provision requiring companies to create a “do-not-track list,” permitting consumers to opt-out of web activity tracking.
Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.
