Thursday, June 30, 2011, 11:58 AM

Privacy Bulletin: Issue No. 60

U.S. Supreme Court strikes down Vermont law protecting prescription privacy

In a blow to medical privacy and a victory for the direct marketing industry, the Supreme Court ruled that Vermont’s Prescription Confidentiality Law violates the rights of data miners under the Free Speech Clause of the First Amendment. The Court found issue with the law’s provision that absent prescriber consent, pharmacies and similar entities may not sell or otherwise provide prescriber-identifying information for marketing purposes; yet, the same information may be disseminated and used for other purposes, such as education or research. On the surface, the decision is a victory for drug manufacturers and data marketing firms that use doctors’ prescribing history to create more informed and targeted marketing efforts. Many feel the Court’s ruling calls into question the constitutionality of prescription privacy legislation pending in other states, such as Massachusetts, Maine and New Hampshire.

So does this ruling finally answer the question of what the Supreme Court holds more sacred: corporate First Amendment rights or individual privacy concerns? The Center for Democracy and Technology argues no, and that from the beginning the Justices questioned whether the Vermont law was ever intended to protect patient privacy, especially given the federal protections already in place. “The Supreme Court explicitly states that a statute imposing a more comprehensive privacy regime ‘would present quite a different case than the one presented here.’ The court explained that had the state restricted all disclosure except in ‘a few narrow and well-justified circumstances,’ then the court would have viewed the challenge through a quite difference lens.”

Sony hit with additional lawsuits from mid-April breach

The mid-April data breach at Sony that exposed the personal data of over 77 million users of its PlayStation Network and Sony Online Entertainment network has prompted yet another class-action lawsuit–this time by three New York users of the game console. In their complaint, filed in the Southern District of California, plaintiffs allege Sony spent “lavishly” to protect its own data, while cutting costs and corners with respect to their customer’s data security. The 30-page complaint also alleges Sony did not encrypt customers’ personal data and laid off a substantial portion of its Sony Online Entertainment workforce just weeks before the breach.

Two geolocation bills introduced in Senate

In an effort to prevent government and industry abuse of location data, members of Congress recently announced two federal geolocation privacy bills. The Geolocation Privacy and Surveillance (GPS) Act, introduced by Representative Jason Chaffetz (R-Utah) and Senator Ron Wyden (D-Ore.), would require law enforcement to show probable cause and obtain a warrant to track location through mobile devices.

Addressing the geolocation issue with regard to the entities aggregating the actual data, a bill introduced by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) requires: (1) the express consent of users prior to sharing geolocation data, and (2) the deletion of user geolocation data upon request.

While both bills seek to protect citizens from unwanted physical tracking, they also both rely on the presumption that the geolocation privacy is in fact desired. At least one writer argues that the bills may be undermined by promotions, coupons and other incentives encouraging consumers to make available their personal geolocation data.

Illinois updates and adds teeth to Personal Information Protection Act

An amendment to Illinois’ Personal Information Protection Act (PIPA) has passed both houses and is now awaiting the governor’s approval to become law. The amendment specifies new minimum disclosure notices that data collectors must issue in the event of a breach, and also adds civil penalties for improper disposal of personal information. The new provision requires materials containing personal information to be disposed of “in a manner that renders the personal information unreadable, unusable, and undecipherable.” Furthermore, “any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance policies and procedures” to protect the information throughout the collection and disposal process.

Any person, business or government entity may be subject to a maximum $100 penalty for each individual whose personal information is disposed of in violation of the Act, with the total penalty not to exceed $50,000 per “instance” of improper disposal. Absent from the Act is a definition of what exactly constitutes an “instance.” We will likely have to wait for the first major violation to see how the Illinois Attorney General interprets the statute’s new language.

Help for small business website security

A joint effort among the Department of Homeland Security (DHS), SANS Institute, MITRE, and many top software security experts in the US and Europe has produced a detailed list of software vulnerabilities aimed at helping businesses set up a secure website and judge potential programming errors. While the federal program has been in development for years, the costs of programming oversight has been front page news with recent cyber attacks resulting in the theft of credit card and other personal information. Included in the publicly available research is the Top 25 List of programming errors that have been exploited in many of the recent attacks. For example, the top error is not preventing SQL-injection attacks on websites, an oversight exploited by hacking group LulzSec to retrieve user names and passwords from sites such as FBI’s InfraGard program and NATO’s online bookstore.

There is hope among IT security contractors that this latest guidance by the DHS team will prompt organizations to address the real and growing threat software security poses to their operations.

If you have any questions, please contact one of the following lawyers or any member of the Privacy and Data Protection Team:

Ted Claypoole: (704) 331-4910

Stephanie Shaw: (202) 857-4509

*Special thanks to Summer Associate Dan Tracey for his contributions to this edition of the Privacy Bulletin.


Post a Comment

<< Home

back to top