The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.
Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website. The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.
David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010. Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date. Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own. Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general. Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.
Mr. Vladeck noted three key areas for future enforcement. The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists and has also created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).
Please join us at these great events coming up this fall. Several members of Hunton & Williams’ Privacy and Information Management team are presenting at these events to discuss the current and evolving privacy and data security issues occurring around the world.
Internet Rights and Technology: A Practical Legal Guide to Doing Business on the Internet – New York City Bar
On September 28, 2010, 6:00 p.m. – 8:45 p.m., the New York City Bar hosts a live program to discuss how the Internet affects various areas of law, including intellectual property, new media, litigation, regulatory and licensing. The faculty includes Hunton & Williams partner, Aaron P. Simpson, who will lead the Privacy & Data Security session.
The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws. On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network. The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...
The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (generally referred to as “Convention 108”), enacted in 1981, is the only legally-binding international treaty dealing with privacy and data protection. The Convention is also of fundamental importance in providing the underlying legal framework for instruments such as the EU Data Protection Directive 95/46. So far, 42 countries have become parties to Convention 108.
As the European Commission reviews the EU Directive, the Council of Europe also is preparing to review Convention 108. The review will be conducted by the Council of Europe’s Consultative Committee on data protection (referred to as T-PD) in a process that will likely take several years. The T-PD, which meets at the Council of Europe’s headquarters in Strasbourg, is primarily composed of representatives of national governments and data protection authorities, with the International Chamber of Commerce being the only private-sector entity with formal observer status. The group has commissioned a legal study from an outside consultant to analyze Convention 108 and provide any recommended revisions by the end of 2010, and the T-PD will begin discussions at its upcoming meeting in November.
On September 15, 2010, New York State Attorney General Andrew Cuomo announced a $100,000 settlement with EchoMetrix, a developer of parental control software that monitors children’s online activity. The settlement comes one year after the Electronic Privacy Information Center (“EPIC”) alleged in a complaint to the Federal Trade Commission that EchoMetrix was deceptively collecting and marketing children’s information.
The United States Court of Appeals for the Seventh Circuit has rejected a defendant’s argument that the Wiretap Act’s prohibition on interception of communications applies only to an acquisition that is contemporaneous with the communication. In United States v. Szymuszkiewicz, No. 07-CR-171 (7th Cir. Sept. 9, 2010), the defendant faced criminal charges under the Wiretap Act for having implemented an automatic forwarding rule in his supervisor’s Outlook email program that caused the workplace email server to automatically forward him a copy of all emails addressed to his supervisor. The defendant argued that (i) the forwarding happened only after the email arrived at its intended destination and was thus not contemporaneous with the communication, (ii) the Wiretap Act prohibits only unauthorized contemporaneous interceptions (i.e., only interceptions of communications “in flight” as opposed to communications at rest or in storage), and (iii) only the Stored Communications Act applies to unauthorized access to non-contemporaneous communications.
The United States Congress is currently considering several bills addressing cybersecurity issues. Below are brief summaries of four such bills.
The Grid Reliability and Infrastructure Defense (“GRID”) Act
The GRID Act was passed by the House of Representatives on June 9, 2010. This bill would amend the Federal Power Act to grant the Federal Energy Regulatory Commission (“FERC”) authority to issue emergency orders requiring critical infrastructure facility operators to take actions necessary to protect the bulk power system. Prior to FERC issuing such an order, the President would have to issue a written directive to FERC identifying an imminent threat to the nation’s electric grid. FERC would be required to consult with federal agencies or facility operators before issuing an emergency order only “to the extent practicable” in light of the nature of the threat. The GRID Act is being considered by the Senate Committee on Energy and Natural Resources at this time.
On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise. The case has now been referred back to the New Zealand Privacy Commissioner. A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.
On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified. In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals. The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”