Privacy & Information Security Law Blog

The Australian government recently released an exposure draft of legislation that would fundamentally reform the Australian Privacy Act and would unify public and private sector privacy principles.  The exposure draft includes thirteen principles intended to protect individuals from the risks associated with the sharing of personal information.

Of particular interest to the international business community, Principle 8 addresses the cross-border disclosure of personal information.  The principle states that an entity must take reasonable steps to ensure that an overseas recipient does not breach the Australian Privacy Principles with respect to personal information being disclosed, but provides an exception if the entity reasonably believes that (i) the recipient of the information is subject to a law or binding scheme that provides protection that is substantially similar to protections provided by the Australian Privacy Principles, and (ii) there are mechanisms available for affected individuals to enforce such protection.

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.  The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama.  According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable ...

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

• Applicable law issues
• The legal basis for cloud computing and related processor and controller issues
• Problems associated with the possibility of third-party access
• The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
• Technical and organizational security measures
• The legal landscape for clouds located outside the European Union

Reporting from Israel, legal consultant Dr. Omer Tene writes:

The Israeli Law, Information and Technology Authority (“ILITA”), Israel’s privacy regulator, continues to up the ante for data controllers in Israel.  This week ILITA imposed a $70,000 (NIS 258,000) fine against a company illicitly trading personal data.

Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers.  Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.

On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information.  In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals.  The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008.  The firm responded quickly by notifying ...

The Madrid Resolution on global standards provided new momentum behind the concept of one world, one standard for privacy in international commerce.  New Zealand Privacy Commissioner Marie Shroff is one of the thoughtful officials who has joined in the call for a global framework.  Commissioner Shroff discussed her views on global standards in an interview with Marty Abrams during the Centre for Information Policy Leadership’s First Friday Call on April 9, 2010.

In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection.  The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009.  The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.

On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.”  In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout.  David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board.  The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations.  Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed ...

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired.  Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act ("ECPA").  The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use ...

On January 25, 2010, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites (the “Guidance”) for securities firms, investment advisors and brokers.  FINRA, which is the largest non-governmental financial regulator, previously had issued guidance on other issues pertaining to interactive web sites, such as participation by securities firms and their employees in Internet chat rooms discussing stocks or investments.  The goals of the Guidance are to “ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations” as well as “to interpret [the] rules in a flexible manner to allow firms to communicate with clients and investors using” blogs and social networking.

Microsoft is urging Congress and the information technology industry to act now to ensure that cloud computing is guided by an international commitment to privacy, security and transparency for consumers, businesses and government.  A survey commissioned by Microsoft found that while the general population and senior business leaders are excited about the potential of cloud computing, most are concerned about the security, access and privacy of their information in the cloud and believe the government should establish laws, rules and policies for cloud computing.  Microsoft ...

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal.  In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities.

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

On January 5, 2010, the Article 29 Working Party published an opinion dated December 1, 2009, finding that Israeli data protection law largely provides an "adequate level of data protection" under the European Union Data Protection Directive 95/46.  The European Commission will now take this opinion into account when determining whether to issue an "adequacy decision" for Israel in the coming months.  Such a decision would provide that data transfers to Israel from the EU are adequately protected for purposes of compliance with the Directive ...

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the ...

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation ...

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

Lisa J. Sotto, Partner and Chair of Hunton & Williams' Privacy and Information Management practice, discusses the roles individuals, companies, service providers and governments play in helping to create a safer, more trusted Internet.   End to End Trust is Microsoft's broad and all encompassing vision for creating a "safer, more trusted Internet," which is achieved by focusing on three areas: security and privacy fundamentals, technology innovations and social, economic, political and IT alignment.  Microsoft believes these combined elements will help people make better ...

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl €36,000 (approximately $51,000) for illegally keeping records of employee health data.

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical ...

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a ...

Privacy laws in China are still evolving, and at this time there is no coordinated legal framework addressing data protection.  There are, however, a number of Chinese laws that are applicable to the processing and protection of personal information.  Navigating the indirect, piecemeal Chinese approach to regulation in this area may prove challenging for foreign counsel accustomed to practicing in jurisdictions with explicit privacy protection legislation and data security laws.  To shed some light on these issues, we have prepared an overview of various Chinese laws that bear on ...

July saw a flurry of activity involving data security breach notification laws. 

• On July 1, breach notification laws in Alaska and South Carolina went into effect.
• On July 9, Missouri became the 45th state to enact a data breach notification law. 
• On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill calling it one of his “highest legislative priorities.”
• On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information.  The amendment also included content requirements for the attorney general’s notice.

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and ...

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law ...

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

Kaiser Permanente Bellflower Hospital has again been penalized for failing to prevent unauthorized access to confidential patient information.  On July 16, 2009, the California Department of Public Health announced that it had levied administrative penalties totaling $187,500 on the hospital after it was determined that eight Kaiser employees had compromised the privacy of four patients' medical information.  On May 14, 2009, the same facility was fined $250,000 -- the maximum allowable penalty under the new state health privacy provisions that came into effect on January 1st -- for violations related to unauthorized employee access to the medical records of Nadya Suleman.  The latest fine included a $25,000 penalty for each of four patients whose medical records allegedly were breached, plus $17,500 per incident for five subsequent alleged breaches of those medical records after the first.

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance ...

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  We will keep you posted as more details regarding the plan emerge.

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

The White House today released the report from the 60-day cybersecurity review the President ordered in February. Speaking to a packed audience in the East Room, President Obama outlined the broad range of threats facing the digital infrastructure, focusing not only on national security and organized crime attacks, but also on identity theft and incursions into individual privacy.

He promised a “new comprehensive approach to securing our nation’s infrastructure,” including appointment of a White House cybersecurity coordinator reporting to both the National Security Council and the National Economic Council. The coordinator would have broad responsibilities, but little direct authority, although the President did promise that the coordinator would have access to him.

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical ...

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement. 

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about ...

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17th, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

On April 17, the U.S. Department of Health and Human Services ("HHS") issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information ("PHI") unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to already high-profile issues in Washington -- how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the warnings of the Commission proved true in a real-world way.

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide ...

Former Silicon Valley entrepreneur Rod Beckstrom has tendered his resignation from the post of Director of United States National Cybersecurity Center, effective March 13, 2009.  In his resignation letter to Secretary of Homeland Security Janet Napolitano, Mr. Beckstrom complained of inadequate funding and criticized the National Security Agency’s dominant role in “most national cyber efforts.”  He characterized this arrangement as “bad strategy” because “intelligence culture is very different than a network operations or security culture,” and he argued ...

The Federal Trade Commission, the Asia-Pacific Economic Cooperation forum, and the Organisation for Economic Co-operation and Development are hosting a multinational workshop on "Securing Personal Data in the Global Economy" in Washington, D.C. on March 16-17, 2009. In anticipation of that workshop, the Centre for Information Policy Leadership at Hunton & Williams LLP is releasing this white paper with ten key recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and ...

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers.  He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme.  The 27 year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets.  His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud.  He faced up to 60 years in prison and $1.75 million in fines.

Emerging economies developing privacy laws are confronted with two challenges: how best to protect the privacy interests of local citizens and how to put in place privacy governance that assures companies and individuals outside the economy that information that flows into the region is properly protected and secured.  The APEC Privacy Framework provides sound guidance for drafters engaged in this effort.  By recognizing that privacy reflects the mores and values of local culture, it provides an approach to privacy protection that can be adapted to reflect the needs of local citizens within a widely recognized and adopted architecture.  At the same time, it sets out requirements for strong security, compliance with rules governing the use and management of data and cross-border cooperation for dispute resolution and enforcement. 

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.

This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers.  The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications.  The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal as well as its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement for $100,000 between HHS and Providence Health in July 2008.

On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of its information security regulations and extended the compliance deadline from May 1, 2009 to January 1, 2010. This is the second time Massachusetts has extended the deadline; previously, the deadline was changed to May 1, 2009 in consideration of the economic climate.

The New Jersey Division of Consumer Affairs has published a pre-proposal of rules relating to the protection of personal information (“PPR”) and is accepting comments on the PPR until February 13, 2009, after which it will formally propose rules. The PPR comes nearly a year after the state withdrew earlier proposed rules (the “Original Proposal”) that drew fire from the business community for the burdens they would have imposed. Among other obligations, the PPR would (i) require implementation of a comprehensive written security program; (ii) impose security breach ...

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

Provisions of the economic stimulus legislation (known as the American Recovery and Reinvestment Act (“ARRA”)), recently passed by the U.S. House of Representatives, require certain entities to notify affected individuals, government agencies and the media of breaches of “unsecured protected health information.” Additional provisions substantially revise regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While these provisions are specifically limited to the context of health data, they have ...

Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

New York State recently enacted legislation restricting the use of Social Security numbers (“SSNs”) by employers. The legislation takes effect on January 3, 2009.

Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.