Privacy Bulletin: Issue No. 51

President Signs Bill Clarifying Identity Theft Red Flag Legislation

During a flurry of bill signing before leaving for a holiday vacation, President Obama signed S.3987, Red Flag Program Clarification Act of 2010, into law (December 18, 2010). This legislation should limit the types of entities that are subject to the Federal Trade Commission’s identity theft prevention red flag rules. The Federal Trade Commission had delayed enforcement of the red flags rules until December 31, 2010; however, other agencies did not delay enforcement of the original November 1, 2008 deadline for institutions subject to the respective agencies’ oversight. However, the FTC had stated in a press release, dated May 28, 2010, that if Congress passed legislation limiting the scope of the red flags rule with an effective date earlier than December 31, 2010, the Commission would begin enforcement as of that effective date. The legislation is effective as of the date of enactment, December 18, 2010.

Commerce Department Releases Green Paper on Consumer Online Privacy

The U.S. Department of Commerce released a green paper on December 16, 2010 which details the Department’s initial policy recommendations to promote consumer privacy online while ensuring that the Internet remains a platform of innovation and economic growth. The Department seeks public comments on the contents of the report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report recommends the creation of a new office within the Commerce Department that would meet with stakeholders and develop privacy codes of conduct. The Department also recommends the consideration of national data security breach notification laws, which would preempt state laws. The report contains several other recommendations, as stated in the Department’s press release: (i) consider establishing fair information practice principles comparable to a “Privacy Bill of Rights” for online consumers; (ii) encourage global interoperability to spur innovation and trade; (iii) consider how to harmonize disparate security breach notification rules; and (iv) review the Electronic Communications Privacy Act for the cloud computing environment.

Canada Enacts Anti-Spam Law

Canada enacted an anti-spam law; the law was approved by the Canadian Senate on December 15, 2010. Canada is one of the last G8 countries to enact an anti-spam law. Bill C-28, the Fighting Internet and Wireless Spam Act, will require businesses to follow certain best practices and will require businesses to obtain opt-in approval from the recipients of its commercial emails, unless there is a prior business relationship. This differs from the United States’ CAN-SPAM Act which requires consumers to opt-out of receiving commercial emails.

President Signs Bill Protecting Social Security Numbers

President Obama also signed legislation to further protect an individual’s social security number (S.3789, Social Security Number Protection Act of 2010, signed into law December 18, 2010). As we reported last issue, the legislation will prohibit agencies from displaying a person’s social security number (or any derivative of that number) on a check issued by an agency and prohibit agencies from employing prisoners where the prisoner would have access to a person’s social security number.

Congressional Committee Chairs and Ranking Members Approved by Respective Parties

The House Republican Conference approved committee chairmen including committees with primary leadership over privacy and data security issues on December 8, 2010. The House Democratic Caucus did the same December 9th for ranking members on those committees with primary leadership over privacy and data security issues. Rep. Fred Upton (R-MI) was approved to lead the Energy and Commerce Committee. Current Committee Chair Rep. Henry Waxman (D-CA) was approved to be the ranking member of the Committee in the next Congress. Rep. Spencer Bachus (R-AL) was elected to chair the House Financial Services Committee. Current Chair Rep. Barney Frank (D-MA) was approved to be the ranking member.

Other Committees who have addressed privacy and security issues in the past Congress include Homeland Security Committee, Oversight and Government Reform Committee, and the Judiciary Committee. Republicans elected Rep. Peter King (R-NY) to chair the Homeland Security Committee, Rep. Darrell Issa (R-CA) to chair the Oversight and Government Reform Committee, and Rep. Lamar Smith (R-TX) to chair the Judiciary Committee in the next Congress. The Democratic Caucus approved Rep. Bennie Thompson (D-MI) as ranking member of the Homeland Security Committee, Rep. Elijah Cummings (D-MD) as ranking member of the Oversight and Government Reform Committee, and Rep. John Conyers (D-MI) as ranking member of the Judiciary Committee.

Both the House and Senate Legislative calendars have been released by the respective houses. The first working day for both houses for the 112th Congress was January 5, 2011. (See http://www.house.gov/ and http://www.senate.gov/ for respective committee websites and calendar pages).

Detroit Man Faces Charges for Allegedly Reading Wife’s Email

The Detroit Free Press reported on December 27, 2010 that a man faces trial on charges that he violated Michigan’s identity theft laws and laws against the theft of trade secrets by allegedly logging on to his wife’s email account, using a laptop computer found in the home that the two shared and using his wife’s password. The man allegedly read his wife’s email to determine whether his wife was having an extramarital affair.

Class Action Filed against Apple and its iPhone Alleging Certain Applications May Have Transmitted Personal, Identifying Information

Plaintiffs filed a class action lawsuit against Apple Inc., Pandora Media, Inc, and Gogii, Inc. for violations of the plaintiffs’ privacy and unfair business practices in United States District Court, Northern District of California, San Jose Division December 23, 2010 (Lalo v. Apple Inc., Dec. 23, 2010, No. C 10-05878 PSG (No. Dist. Calif.). In the suit, the plaintiffs claim that they downloaded applications to their iPhone and iPad mobile devices from an Apple-sponsored website. Plaintiffs further allege that some of the applications transmitted personal, identifying information to advertising networks without obtaining the consent of the user. The suit also alleges that Apple, Inc., in allowing the applications to share personal, identifying information without the user’s consent violates Apple’s own privacy standards. The plaintiffs are asking for class certification, injunctive and equitable relief, a requirement that all data from and about plaintiff and class members be deleted, and others.