Privacy & Information Security Law Blog

On March 1, 2011, the United States Supreme Court issued a unanimous ruling in Federal Communications Commission v. AT&T Inc., finding that corporations are not entitled to “personal privacy” and therefore may not invoke Exemption 7(C) of the Freedom of Information Act (“FOIA”).  AT&T sought to employ this exemption, which prevents the disclosure of law enforcement records that “could reasonably be expected to constitute an unwarranted invasion of personal privacy,” to prohibit the Federal Communications Commission (the “FCC”) from turning over documents in response to a trade association’s FOIA request.  Applicable federal law defines “person” to include “an individual, partnership, corporation, association, or public or private organization other than an agency;” AT&T contended that the adjective “personal” is a derivative of the noun “person,” giving it “personal privacy” rights as a “private corporate citizen.”

The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.

A draft document, entitled Information Security Technology - Guidelines for Personal Information Protection, has been issued in China for comment.  While comments are being solicited at this time, if issued in its proposed form, this document has the potential to add significantly to the rules governing the handling of personal information in China.  Read More...

On February 24, 2011, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients.  A Mass General employee had left hard-copy records containing PHI on the subway in March 2009.  The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS.  After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

On February 22, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed its first civil money penalty for an entity’s violation of HIPAA’s Privacy Rule.  In its Notice of Final Determination, OCR concluded that Cignet Health withheld patient records despite requests for their disclosure.  Of the $4.3 million penalty, $1.3 million was levied for denying patients access to their own medical records, while an additional $3 million was imposed due to Cignet’s failure to cooperate with OCR’s investigation as required by the Privacy Rule.  Increased penalty amounts were authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).

In our August 2009 blog post on data protection issues in China, we noted that there was no uniform Chinese law that specifically addresses the protection of personal data, and that it seemed likely that Chinese personal information protection law would continue to develop as a patchwork of piecemeal regulations. This remains true today, and developments since our previous article was published have in fact reinforced this assumption. In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer ...

On February 14, 2011, Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, announced the creation of a subcommittee on Privacy, Technology and the Law.  The subcommittee will be chaired by Senator Al Franken (D-MN), and its jurisdiction will include oversight of laws and policies that govern the commercial collection, use and dissemination of personal information.  Senator Franken said, “The boom of new technologies…has also put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the ...

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”).  This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.