Privacy & Information Security Law Blog

On September 20, 2012, Hunton & Williams LLP announced Lisa J. Sotto, head of the firm’s Global Privacy and Data Security practice and managing partner of the New York office, was named among Ethisphere Institute’s “Attorneys Who Matter” for 2012. The annual listing includes approximately 100 lawyers from a range of legal disciplines who surpass their peers based on their experience, public service, legal community engagement and client endorsement.

As reported in the Hunton Employment & Labor Perspectives Blog:

On September 7, 2012, the National Labor Relations Board invalidated Costco Wholesale Corp.’s policy of prohibiting employee electronic posts in its first decision involving an employer’s social media policy. In Costco Wholesale Corporation and UFCW Local 371, Case No. 3A-CA-012421, the Board held, among other things, that Costco’s rule prohibiting employees from posting statements electronically that “damage the Company, defame any individual or damage any person’s reputation” was overly broad. The Board reasoned that the policy language contained no restrictions on its application and, thus, clearly encompassed protected concerted communications, such as speech that is critical of Costco or its agents. Accordingly, the rule had a tendency to chill employees’ protected activity in violation of Section 8(a)(1) of the National Labor Relations Act, which makes it an unfair labor practice for an employer to interfere with, restrain, or coerce employees in the exercise of their rights guaranteed by Section 7.

On September 13, 2012, the PCI Security Standards Council (“PCI SSC”) issued new guidelines entitled “PCI Mobile Payment Acceptance Security Guidelines” (the “Guidelines”), which outline best practices for mobile payment acceptance security. As we reported in May, the PCI SSC Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet, detailing how merchants can more securely accept payments on mobile devices.

On September 17, 2012, the Department of Health and Human Services (“HHS”) announced a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (“MEEI”) for potential violations of the HIPAA Security Rule. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that organizations should pay special attention to safeguarding information “stored and transported on portable devices such as laptops, tablets, and mobile phones” and that “compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

On July, 19, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that the Principality of Monaco ensures an “adequate level of protection” for personal data within the meaning of the European Data Protection Directive (Article 25 of Directive 95/46/EC) (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection.

On September 12, 2012, Congressman Edward Markey (D-MA) released a bill that would require companies to tell customers about monitoring software installed on their mobile devices and obtain customers’ express consent before engaging in monitoring. These requirements would apply to mobile phone makers, network providers and application developers.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

On September 5, 2012, the Federal Trade Commission issued guidelines for mobile app developers entitled “Marketing Your Mobile App: Get It Right from the Start.” The guidelines are largely a distillation of the FTC’s previously expressed views on a range of topics that have relevance to the mobile app space. They are summarized below:

As of September 1, 2012, all personal data in Germany may only be processed and used for marketing purposes (including address trading) with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.

The American Bar Association Journal is compiling a list of the 100 best legal blogs of 2012 and is inviting readers to submit nominations. Click the voting button below to submit a nomination for Hunton & Williams' Privacy and Information Security Law. PR News named Hunton & Williams' Privacy Blog the Best Legal PR Blog of 2011.

Submissions are accepted through Friday, September 7th, so please vote!