Monthly Archives: May 2010

FTC Further Extends Enforcement Deadline for Red Flags Rule

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.  The enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction.  The FTC stated that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.

Please refer to our previous post regarding other developments that may limit the Red Flags Rule’s application.


FTC Investigating Privacy Risks to Data Stored on Digital Copiers

Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers.  Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.


HHS To Examine Breach Notification and Risk Mitigation Plans

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a breach, such as alternate storage facilities for data.”

As previously discussed on this blog, OCR has announced an uptick in HIPAA Security Rule enforcement and issued draft guidance regarding the “risk analysis” implementation specification in the Security Rule.


Russia Considers Improving its Data Protection Law

The Russian Federation is considering amending the country’s data protection law, according to BNA’s Privacy Law Watch.  Businesses have long complained that the law contains restrictions on data processing that are extremely difficult to meet.  For example, the law requires affirmative written consent for most types of data processing.  In the online context, this provision has been interpreted to require a consumer’s digital signature.  A check box, which is an acceptable mechanism for expressing consent in the EU, for example, is deemed unacceptable in Russia.  In practice, this and other requirements of the data protection law have been widely ignored, even by Russia’s biggest Internet businesses.  Not surprisingly, Russia’s data protection regulator – the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media (“Roscomnadzor”) – has found the rate of noncompliance with the law to be high.  Roscomnadzor has reported that over 400 audits conducted in 2009 revealed 86 incidents of noncompliance.  In connection with the proposed amendments to the law, the regulator already has received over 100 recommendations from businesses and data protection professionals aimed at improving the law and implementing regulations.


Hague Conference Adopts Paper on Privacy and Data Protection

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled ‘Cross-Border Data Flows and Protection of Privacy’ that outlines the organization’s possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In this regard, the Conference refers to the writings of Hunton & Williams partner Christopher Kuner, which it calls "the most relevant research conducted to date" (see page 9).


HHS Official Reports Uptick in HIPAA Security Rule Enforcement

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”


Uncertainty Reigns Supreme: What Impact Will a Coalition Government Have on Data Protection Law in the UK?

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative – Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.


EU Agency for Fundamental Rights: Prosecutions and Sanctions for Violations of Data Protection Law Limited or Non-Existent

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  The report also highlights EU citizens’ limited awareness of the DPAs’ existence.  The FRA Director, Morten Kjaerum, noted that “improvements need to take place concerning the independence, effectiveness, resources and powers of data protection authorities.” 


German DPA Imposes €120,000 Fine on Deutsche Postbank AG

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.


Commerce Department Takes Lead in Developing U.S. Internet Privacy Framework

“The Department of Commerce is back.”  With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions.  The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.
