Privacy Bulletin: Issue No. 52

In the News
Supreme Court Finds Privacy Rights of U.S. Workers Outweighed by Government Security Interests: On January 19, 2011, the U.S. Supreme Court ruled in NASA v. Nelson, No. 09-530, that the federal government has broad discretion to make inquiries of workers and their job references. The Court overruled the 9th Circuit’s findings that questioning workers about prior drug counseling and treatment and asking their references for adverse information about them violated workers’ rights to privacy. The Court declined to address whether the questions implicated privacy rights. The Court instead focused on the government’s interest in protecting against security risks, effectively limiting its decisions to cases involving government workers. Some privacy advocates believe the case may ultimately have more far-reaching implications, especially as it comes months after the Court decided in Quon that text message searches by government agencies can be constitutionally conducted. The decision was decided 8-0, with Justices Scalia and Thomas concurring, noting that they believe that the Constitution does not protect informational privacy. Justice Elena Kagan recused herself from the case due to prior involvement in the case.

Supreme Court Considers Whether Corporations Can Invoke FOIA Privacy Provision: On January 19, 2011, the Supreme Court heard oral arguments in FCC v. AT&T, No. 09-1279 to determine whether 5 U.S.C. 552(b)(7)(C), which exempts from FOIA requirements all disclosures that could reasonably be expected to constitute an unwarranted invasion of "personal privacy," protects the privacy of corporate entities. AT&T objects to certain disclosures requested by competitor Comptel in 2005 relating to a 2004 FCC investigation of the telephone company’s billing practices. The 3rd Circuit, in finding for AT&T in the case below, held that “Corporations, like human beings, face public embarrassment, harassment and stigma because of” involvement in law enforcement investigations and should, therefore, be protected from disclosing the results of those investigations to the public.

South Carolina State Insurance Program Breached: On January 14, 2011, the state Budget and Control Board notified individuals insured by the State Employee Insurance Program that their personal information may have been breached. A computer virus attack may have compromised the personal information of up to 5,600 state employees and their dependents, officials say. A spokesman for Governor Nikki Haley said that the state Budget and Control Board had just voted to hire a new director, Eleanor Kitzman, who will ensure “something like this never happens again.”

Rep. Cohen Reintroduces Legislation to Limit Use of Credit Reports by Employers: On January 20, 2011, U.S. Representative Steve Cohen (D-Tenn.) reintroduced the Equal Employment for All Act (H.R. 321) in the House. The Act would prohibit employers from using the credit reports of employees and prospective employees to make employment decisions including hiring, promotions, transfers and terminations. The practice of using credit reports to make employment decisions has been criticized by the Equal Employment Opportunity Commission which recently filed a class action suit claiming the process violates the Civil Rights Act because it has a disparate impact on minorities. Rep. Cohen first introduced the Equal Employment for All Act in August 2009.

California State Senator Reintroduces Data Protection Bill Previously Vetoed by Governor: On January 20, 2011, California state Senator Joe Simitian introduced a data protection measure that describes the specific information which must be disclosed in each data breach notification and requires that the Attorney General of the state be notified for breaches affecting over 500 residents. The same bill was passed by the California legislature last year but was vetoed by Governor Schwarzenegger. The current breach notification law was written by Senator Simitian in 2002, and it has served as a model for numerous other states’ data breach laws.

North Carolina DHHS Clients’ Personal Information Compromised: The North Carolina Department of Health and Human Services has announced that the Division of Services for the Deaf and the Hard of Hearing (“DSDHH”) may have inadvertently thrown out computer disks containing the personal information of North Carolinians who had applied for services from DSDHH’s Equipment Distribution Service between January 2005 through December 2008. DSDHH Director Jan Withers announced that all information maintained by the agency has been encrypted since 2008.

Oregon Senator Pushes for Heightened Process to Obtain Location-Based Information: Senator Ron Wyden (D.- Oreg.) has announced he will introduce a bill requiring law enforcement officials to obtain court-ordered warrants in order to access location-based information from mobile devices. The issue of location-based privacy has gained traction since the United States District Court for the District of Columbia ruled in August that warrantless tracking of an individual’s location through electronic means, as opposed to following a suspect to ascertain his destination on a given trip, violated his Fourth Amendment rights. Sen. Wyden said that, far from hampering a police officer’s ability to do his job, a federal law regulating when a warrant is required to follow a suspect would provide law enforcement with the legal clarity needed to undertake investigations.

Upcoming Deadlines
FTC Moves Comment Deadline for Privacy Report to February 18, 2011: The Federal Trade Commission has granted an extension for responding to its privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share or otherwise use consumer data that can be linked to a specific consumer, computer or device. Comments on this paper were initially to be due January 31, 2011.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.