Privacy & Information Security Law Blog

On October 30, 2012, the U.S. District Court for the Southern District of California ruled that an opt-out confirmation text sent by Citibank (South Dakota), N.A. (“Citibank”) did not violate the Telephone Consumer Protection Act (“TCPA”). Under a “common sense” interpretation, the court determined that Citibank’s opt-out text does not demonstrate the type of invasion of privacy the TCPA seeks to prevent.

Hunton & Williams LLP is pleased to announce that several privacy attorneys were named to the New York Metro Super Lawyers list for 2012. For the seventh consecutive year, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, was selected as a New York Super Lawyer. In addition, partner Aaron P. Simpson was included as a Rising Star for the second year in a row, and associate Melinda L. McLellan debuted in the Rising Stars category. As members of the firm’s Privacy and Data Security team, their practices focus on complex privacy and ...

Bloomberg Law’s Lee Pacchia interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, to discuss the recent data security incident involving Barnes & Noble stores. Sotto discussed life in the modern world of technology where there is an increased risk of data security incidents, and many companies only reach out to counsel after a data breach occurs. Sotto also described how large companies should protect themselves against these sophisticated cyberattacks. View the full live interview now. 

On October 26, 2012, three resolutions were adopted by the closed session of the 34th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. Below we provide an overview of these resolutions.

Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:

Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) announced that it will host the 35th International Conference of Data Protection and Privacy Commissioners on September 23-27, 2013, in Warsaw, Poland. The first two days will be dedicated to the closed session, with the open sessions and side events taking place September 25-27.

In February 2013, the GIODO will facilitate the Global Accountability Project for which the Centre for Information Policy Leadership acts as Secretariat.

On October 26, 2012, the Federal Trade Commission finalized its settlement agreements with two businesses that allegedly exposed thousands of customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on the companies’ computer systems. The approved settlements prohibit Georgia auto dealer Franklin’s Budget Car Sales, Inc. (“Franklin”) and Utah-based debt collector EPN, Inc. (“EPN”) from misrepresenting their privacy and information security practices and requires both businesses to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years. The settlement with Franklin also bars the company from violating the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule and Privacy Rule.

On November 7, 2012, the Federal Trade Commission announced that it had settled charges against payday lending and check cashing companies alleged to have improperly disposed of consumers’ personal information. In its complaint, the FTC maintained that PLS Financial Services, Inc., and The Payday Loan Store of Illinois violated the FTC’s Disposal Rule as well as the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule by disposing of documents that contained consumers’ Social Security numbers, bank account numbers and credit reports in unsecured dumpsters near the companies’ payday lending and check cashing retail stores. The FTC also alleged that the companies violated the FTC Act by misrepresenting that they would reasonably protect consumer information.

On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.

On October 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a consultation on changes to the notification process in the UK (the “Consultation”), which will be open for comment until November 30, 2012. The purpose of the Consultation is to provide the ICO with feedback on its proposed changes regarding: (1) whether an online and telephone payment service would be beneficial to data controllers, (2) whether the inclusion of contact details for information requests is useful and (3) whether the format of the public register should become narrative-based. The ICO is also seeking input regarding whether these changes would make the public register more meaningful and notification simpler for data controllers.