BLOGS: Privacy and Data Protection

Friday, April 23, 2010, 5:44 PM

Department of Commerce Issues Notice of Inquiry on Information Privacy and Innovation

On April 20, 2010, the Department of Commerce (“DOC”) launched a wide-sweeping, holistic review to determine the impact of U.S. and foreign privacy laws on innovation on the Internet economy. The Notice of Inquiry (“NOI”) recognizes not only the jurisdictionally fractured and often sectoral nature of privacy laws in the U.S., but also acknowledges that sister agencies, including the FTC’s roundtables regarding collection of consumer data and the FCC’s recommendations imbedded in its recently released National Broadband Plan are concurrently working on Internet privacy related policy and regulation. This proceeding, however, is distinguishable and remains important.

Click here to

Friday, April 16, 2010, 3:33 PM

Privacy Bulletin: Issue No. 37

In the News
House Passes Bill on Banks’ Privacy Notice Requirements
: On April 24, 2010, the U.S. House of Representatives passed H.R. 3506, the “Eliminate Privacy Notice Confusion Act,” which would exempt certain financial institutions from annual privacy notification requirements in years in which their privacy policies remained unchanged. The bill also would eliminate privacy notification requirements for financial institutions that do not share non-public customer information with unaffiliated third parties. The bill was intended to spare banks, especially community banks, the expense of sending notices stating only that no changes have been made to the banks’ privacy policies. The bill would also have the effect of eliminating annual reminders to customers of those financial institutions that they can opt-out of having their information shared by third parties, though the right to opt-out would remain intact.

NJ Supreme Court Recognizes Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers: On March 30, 2010, the Supreme Court of New Jersey held that a former executive employee of Loving Care Agency, Inc. had a reasonable expectation of privacy in e-mails exchanged with her personal attorney through her personal, internet-based e-mail account, even though those e-mails were accessed, and subsequently stored, on a company-issued laptop. Loving Care Agency did not provide notice in its acceptable use policy that employees should not use their computers for personal e-mail access, nor did the company alert employees that the company could, or would, save any personal e-mails so that it could access them later. The New Jersey Supreme Court held that it would have ruled the same way regardless of the substance of the employer’s acceptable use policy, suggesting that, in New Jersey, employers cannot ban their employees from using a company-issued laptop for personal use, or notify employees that their personal e-mails can be accessed, and rely on those statements later in accessing those communications.

FTC Seeks Comment on Children's Online Privacy Protections: On March 24, 2010, the FTC announced it is seeking public comment on the costs and benefits of the Children’s Online Privacy Protection Act (COPPA), an FTC rule designed to protect children online that became effective on April 21, 2000. The FTC specifically inquired as to implications for COPPA enforcement raised by interactive media; the use of automated filtering systems to review information posted on the internet by children; if COPPA’s definition of “personal information” should be expanded to include information like persistent IP addresses; if the list of technological methods to obtain verifiable parental consent in COPPA should be modified; if parents are exercising their right to review or delete personal information collected from their children; and if COPPA’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way. Written comments in this proceeding must be received by the FTC by June 30, 2010.

Dave & Buster's Settles FTC Charges it Failed to Protect Consumer Information: Dave & Buster’s, Inc., a bar and game venue chain, has agreed to settle Federal Trade Commission charges that the company failed to adequately protect consumers’ credit and debit card information, resulting in several hundred thousand dollars in fraudulent charges by hackers. Dave & Buster’s authorizes payment card purchases with credit card numbers and expiration dates it obtains from customers. The FTC claims Dave & Buster’s failed to: take sufficient measures to detect and prevent unauthorized access to the network.; appropriately restrict authorized outside access to the network, including access by service providers; monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization; appropriately limit access to its computer networks through wireless access points. The FTC alleged that, as a result of these failures, a hacker installed unauthorized software and accessed about 130,000 credit and debit cards.

As a condition of its settlement, Dave & Buster’s will put in place a comprehensive information security program. The settlement also requires the company to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. Certain record-keeping provisions are also required by the settlement to allow the FTC to monitor compliance.

Virginia Passes Law Requiring Notifications of Medical Information Breaches: Effective January 1, 2011, public sector entities in Virginia will be required to notify residents whose medical information, including medical history, description of mental or physical condition, treatment or diagnosis, health insurance policy numbers, or any information in an individual’s insurance application or claims history, is breached. Notification must be provided after any unencrypted or unredacted medical information is, or is reasonably believed to have been, accessed and acquired by an unauthorized person; if encrypted information was accessed and acquired in unencrypted form, or if the security breach involved someone with access to the encryption key. If more than 1,000 Virginia residents are affected by a data breach, notification must also be sent to the attorney general of Virginia. The law does not apply to entities subject to and compliant with HITECH breach notification requirements or the FTC Breach Notification Rule issued under the HITECH Act.

Mississippi Passes Data Breach Notification Law: A new Mississippi law requires persons owning, licensing or maintaining computerized personal information of a Mississippi resident to notify residents whose personal information is acquired by unauthorized persons as the result of such a breach. Mississippi is the 46th state to enact a data breach notification law. The law will go into effect July 1, 2011.

Class Action Privacy Suit Filed Against Google: On April 5, 2010, a class action was filed in federal court in San Jose, California, alleging that Google Buzz violated privacy protections by sharing users’ private information, including lists of users with whom they interacted, without their consent. The complaint follows a letter sent by 10 members of Congress to asking the Federal Trade Commission to investigate whether Buzz violated user privacy. Also on April 5, Google implemented new privacy controls including a privacy screen to appear at log-in that requires users to confirm their privacy settings, including a list of subscribers to their feeds. In a statement released on “The Official Gmail Blog,” Todd Jackson, Product Manager admitted that when Buzz was first rolled out, “we didn’t get everything right,” but that, following customer feedback, Google executives “moved as fast as possible to improve the Buzz experience.” The lawsuit addresses modifications made by Google to Buzz, alleging that they are inadequate, and that they cannot erase damage already done to users’ privacy before the modifications were made.

NIST Releases Guide to Protecting Personal Information: This month, the National Institute of Standards and Technology released a “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”. The guide takes a risk-based approach to safeguarding personal information, suggesting controls agencies can use to provide an appropriate level of protection to PII. The Guide recommends that agencies provide the greater protection for critical information. The Guide recommends that organizations first identify all PII; limit collection and retention of PII to the extent possible; categorize PII by impact level and assign corresponding safeguards based on that impact level; and develop a response plan for breaches.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top