Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired.  Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.  The full text of the Opinion (in English) has been made public on the Dutch DPA’s website.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010.  The regulations apply to entities that own or license personal information about Massachusetts residents.  “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act (ECPA).  The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.  The clauses were negotiated over several years between the European Commission and a group of business associations led by Brussels-based Hunton & Williams partner Christopher Kuner, who is chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 25, 2010, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites (the “Guidance”) for securities firms, investment advisors and brokers.  FINRA, which is the largest non-governmental financial regulator, previously had issued guidance on other issues pertaining to interactive web sites, such as participation by securities firms and their employees in Internet chat rooms discussing stocks or investments.  The goals of the Guidance are to “ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations” as well as “to interpret [the] rules in a flexible manner to allow firms to communicate with clients and investors using” blogs and social networking.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Microsoft is urging Congress and the information technology industry to act now to ensure that cloud computing is guided by an international commitment to privacy, security and transparency for consumers, businesses and government.  A survey commissioned by Microsoft found that while the general population and senior business leaders are excited about the potential of cloud computing, most are concerned about the security, access and privacy of their information in the cloud and believe the government should establish laws, rules and policies for cloud computing.  Microsoft also has called for an international dialogue on data sovereignty to address users' desire that rules and regulations governing their data remain uniform regardless of the physical location of the information. 

Microsoft’s proposal includes reforming and strengthening the Electronic Communications Privacy Act to provide stronger protections for consumers and businesses; modernizing the Computer Fraud and Abuse Act to give law enforcement the tools to prosecute malicious hackers and deter online-based crimes; enacting legislation to ensure that consumers and businesses know whether and how their information is accessed and used by service providers and how it will be protected online; and pursuing a new multilateral framework to address data access issues globally.

View more information on Microsoft’s proposal.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal.  In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 5, 2010, the Article 29 Working Party published an opinion dated December 1, 2009, finding that Israeli data protection law largely provides an "adequate level of data protection" under the European Union Data Protection Directive 95/46.  The European Commission will now take this opinion into account when determining whether to issue an "adequacy decision" for Israel in the coming months.  Such a decision would provide that data transfers to Israel from the EU are adequately protected for purposes of compliance with the Directive.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  View the full text of the Contribution, which was published today.  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the House by a margin of 400 to 0 and was referred to the Senate Committee on Banking, Housing and Urban Affairs.  Please refer to our recent post regarding other developments that limit the rule's application.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation are manageable in most cases. In addition, these provincial regulations could be superseded by national-level data protection legislation, depending on its terms.  Read more...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Lisa J. Sotto, Partner and Chair of Hunton & Williams' Privacy and Information Management practice, discusses the roles individuals, companies, service providers and governments play in helping to create a safer, more trusted Internet.   End to End Trust is Microsoft's broad and all encompassing vision for creating a "safer, more trusted Internet," which is achieved by focusing on three areas: security and privacy fundamentals, technology innovations and social, economic, political and IT alignment.  Microsoft believes these combined elements will help people make better choices and have more control about whom and what to trust online.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl € 36,000 (approximately $51,000) for illegally keeping records of employee health data. 

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical conditions, partly without their knowledge.  This activity was found to violate data protection law in many cases. 

Click here for a press release issued by the German Data Protection Authority (in German).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice.  The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators.

For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching.  The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor’s name in combination with any information concerning the minor.  In light of the Act’s restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms.  The text of the law is available here.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

Privacy laws in China are still evolving, and at this time there is no coordinated legal framework addressing data protection.  There are, however, a number of Chinese laws that are applicable to the processing and protection of personal information.  Navigating the indirect, piecemeal Chinese approach to regulation in this area may prove challenging for foreign counsel accustomed to practicing in jurisdictions with explicit privacy protection legislation and data security laws.  To shed some light on these issues, we have prepared an overview of various Chinese laws that bear on privacy and information security.  Click here for the full article.
 
The article was originally published on the DataGuidance website at www.dataguidance.com.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

July saw a flurry of activity involving data security breach notification laws. 

• On July 1, breach notification laws in Alaska and South Carolina went into effect.
• On July 9, Missouri became the 45th state to enact a data breach notification law. 
• On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill calling it one of his “highest legislative priorities.”
• On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information.  The amendment also included content requirements for the attorney general’s notice.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and financial institutions is November 1, 2009.  The FTC news release is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.  To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Kaiser Permanente Bellflower Hospital has again been penalized for failing to prevent unauthorized access to confidential patient information.  On July 16, 2009, the California Department of Public Health announced that it had levied administrative penalties totaling $187,500 on the hospital after it was determined that eight Kaiser employees had compromised the privacy of four patients' medical information.  On May 14, 2009, the same facility was fined $250,000 -- the maximum allowable penalty under the new state health privacy provisions that came into effect on January 1st -- for violations related to unauthorized employee access to the medical records of Nadya Suleman.  The latest fine included a $25,000 penalty for each of four patients whose medical records allegedly were breached, plus $17,500 per incident for five subsequent alleged breaches of those medical records after the first.

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards. The law applies to organizations doing business in Nevada and provides that compliance will shield such businesses from liability for damages from a security breach.  To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  The announcement is available here.  We will keep you posted as more details regarding the plan emerge.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions (FAQs) relating to binding corporate rules (BCRs). Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs. The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data protection laws and taking local compliance steps. The Working Document is available here.

To read more and for additional EU data protection updates, please click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The White House today released the report from the 60-day cybersecurity review the President ordered in February. Speaking to a packed audience in the East Room, President Obama outlined the broad range of threats facing the digital infrastructure, focusing not only on national security and organized crime attacks, but also on identity theft and incursions into individual privacy. 

He promised a “new comprehensive approach to securing our nation’s infrastructure,” including appointment of a White House cybersecurity coordinator reporting to both the National Security Council and the National Economic Council. The coordinator would have broad responsibilities, but little direct authority, although the President did promise that the coordinator would have access to him.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 14, 2009, the California Department of Public Health issued an Administrative Penalty Notice to the Kaiser Foundation Hospital — Bellflower for patient medical information privacy violations. Although the state did not identify the affected patient by name, the facts and circumstances described in the Notice correspond to the case of Nadya Suleman, the single mother of six who gave birth to octuplets at Bellflower in January 2009. The hospital was fined $250,000 for failure to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information as required by new provisions recently added to California’s Health and Safety Code. California law also requires health care providers and facilities to notify the Department of any unlawful or unauthorized access to patient medical information within five days of detecting such access. These provisions were reportedly enacted in the wake of several high-profile health data compromises at California health care facilities involving celebrities such as Farrah Fawcett, Britney Spears and California first lady Maria Shriver.  To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement. 

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope.  In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further."  On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule.  The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities.  The FTC's news release is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17th, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 17, the U.S. Department of Health and Human Services (HHS) issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to already high-profile issues in Washington -- how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the warnings of the Commission proved true in a real-world way.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide, “creditors” also may include retailers that merely “process” credit applications.  Please visit our blog next week for a detailed analysis of the FTC’s guide. The guide is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Former Silicon Valley entrepreneur Rod Beckstrom has tendered his resignation from the post of Director of United States National Cybersecurity Center, effective March 13, 2009.  In his resignation letter to Secretary of Homeland Security Janet Napolitano, Mr. Beckstrom complained of inadequate funding and criticized the National Security Agency’s dominant role in “most national cyber efforts.”  He characterized this arrangement as “bad strategy” because “intelligence culture is very different than a network operations or security culture,” and he argued that the centralization within one organization of all top-level government network security and monitoring constituted a significant threat to the democratic process.  Mr. Beckstrom’s resignation letter is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission, the Asia-Pacific Economic Cooperation forum, and the Organisation for Economic Co-operation and Development are hosting a multinational workshop on "Securing Personal Data in the Global Economy" in Washington, D.C. on March 16-17, 2009. In anticipation of that workshop, the Centre for Information Policy Leadership at Hunton & Williams LLP is releasing this white paper with ten key recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and information security broadly.

Continue Reading...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers.  He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme.  The 27 year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets.  His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud.  He faced up to 60 years in prison and $1.75 million in fines.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Emerging economies developing privacy laws are confronted with two challenges: how best to protect the privacy interests of local citizens and how to put in place privacy governance that assures companies and individuals outside the economy that information that flows into the region is properly protected and secured.  The APEC Privacy Framework provides sound guidance for drafters engaged in this effort.  By recognizing that privacy reflects the mores and values of local culture, it provides an approach to privacy protection that can be adapted to reflect the needs of local citizens within a widely recognized and adopted architecture.  At the same time, it sets out requirements for strong security, compliance with rules governing the use and management of data and cross-border cooperation for dispute resolution and enforcement. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.  Click here for a detailed summary of the relevant requirements.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers.  The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications.  The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal as well as its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement for $100,000 between HHS and Providence Health in July 2008.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of its information security regulations and extended the compliance deadline from May 1, 2009 to January 1, 2010. This is the second time Massachusetts has extended the deadline; previously, the deadline was changed to May 1, 2009 in consideration of the economic climate.  Read more...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New Jersey Division of Consumer Affairs has published a pre-proposal of rules relating to the protection of personal information (“PPR”) and is accepting comments on the PPR until February 13, 2009, after which it will formally propose rules. The PPR comes nearly a year after the state withdrew earlier proposed rules (the “Original Proposal”) that drew fire from the business community for the burdens they would have imposed. Among other obligations, the PPR would (i) require implementation of a comprehensive written security program; (ii) impose security breach response requirements (including new breach-notification procedures); and (iii) alter existing record disposal obligations. Read more...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Provisions of the economic stimulus legislation (known as the American Recovery and Reinvestment Act (“ARRA”)), recently passed by the U.S. House of Representatives, require certain entities to notify affected individuals, government agencies and the media of breaches of “unsecured protected health information.” Additional provisions substantially revise regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While these provisions are specifically limited to the context of health data, they have far-reaching implications for businesses across industry that manage personal information.  Read more...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New York State recently enacted legislation restricting the use of Social Security numbers (“SSNs”) by employers. The legislation takes effect on January 3, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link