As part of the AVC, MetLife agreed to pay a civil penalty of $10,000 to reimburse Connecticut’s investigative and enforcement costs and consumer losses. MetLife also agreed to reimburse consumers who paid to place a security freeze on their credit file as a result of the incident, and to improve its employee training materials to include a specific prohibition against posting Social Security numbers on the Internet.

Read the announcement and the accompanying AVC.

Listen to the webinar now.

Regarding FOIA, Christopher Graham warned of a widening gap between “the rhetoric of openness” and “the day-to-day reality of reluctance and foot-dragging.” Despite FOIA taking effect seven years ago, some public authorities still regard it as a “distraction.” The Commissioner argued that information rights can deliver “huge benefits in terms of better government, better services, and the protection of freedoms,” but conceded that post-legislative scrutiny may be beneficial in some respects.

On enforcement, in both the blog post and the Information Rights Strategy document, the Commissioner affirmed the ICO’s current prioritization of action in health, credit and finance, criminal justice, Internet and mobile services, and information security. The Commissioner made clear his desire to operate transparently, and by explicitly stating his priorities indicated that we can expect to see increased enforcement action in these fields in 2012.

Within the sphere of credit and finance, the Commissioner is widely considered to be focusing particular attention on the insurance industry. Not dissimilarly, in 2010, the Irish DPA published a special investigation into the use of a shared database within the Irish insurance industry. Scrutiny of the UK insurance industry is expected to follow in 2012, and it is believed that the ICO has requested an increased number of voluntary audits of insurance industry participants. The ICO’s current emphasis on using voluntary audits as an enforcement tool is expected to continue more generally across all industry sectors in 2012.

Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, intends to finalize the agreement before the end of 2012. Commissioner Reding will discuss the agreement with FTC Chairman Jon Leibowitz at the World Economic Forum in Davos, Switzerland this week.

It appears the momentum on this transatlantic endeavor will carry through to the next scheduled meeting of the Article 29 Working Party on February 1-2, 2012. David Vladeck, Director of the FTC’s Division of Consumer Protection, and Michael Donohue, Senior Policy Analyst at the OECD, are named in a draft agenda recently published by the Working Party. No further details of this meeting have been released.

The package will now enter the EU’s legislative procedure, which can be expected to take at least two years. The proposals released today include a number of changes from the interservice drafts that were widely leaked in late November 2011, reflecting the controversy that surrounded the drafts within the Commission and the negative opinions issued by a number of Directorates-General.

The Article 29 Working Party also released a response to the Commission’s proposal.

We will provide a detailed analysis of the package by Hunton & Williams partner Christopher Kuner in the coming days.

Accretive, a licensed debt collector in Minnesota, provides revenue and cost management services to two Minnesota hospital systems by grading patients according to their risk of hospitalization, compiling profit and loss reports at the patient level, and identifying “real-time interventions with significant revenue or cost impact.” In providing these services to the hospitals, Accretive was a business associate pursuant to the HIPAA Privacy Rule and gained widespread access to patient PHI. This PHI included a patient’s name, address, Social Security number and medical condition, such as whether the patient suffers from depression, is HIV-positive or has diabetes.

In the complaint, Attorney General Swanson is requesting that the District Court enjoin Accretive from violating the HIPAA Security Rule, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit also requests statutory damages under HIPAA, the HITECH Act and Minnesota state law, and reasonable attorneys’ fees. Finally, the complaint requests that the court order Accretive to disclose to affected patients “the data that [Accretive] has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.”

Read Attorney General Swanson’s announcement and the accompanying complaint.

The Hungarian national data protection authority (“DPA”) was established under Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (“PPD”), and maintained independent status as an ombudsman. In June 2011, the Hungarian government adopted Act CXII on Informational Self-Determination and Freedom of Information (the “Information Act”) which replaced the PPD as of January 1, 2012. The Information Act abolished the previous DPA before the expiration of its mandate and replaced it with a new administrative authority, the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, or “NAIH”). The Commission is concerned that the Hungarian Prime Minister and President now have the ability to dismiss the NAIH on arbitrary grounds. Further, the NAIH is a public authority, not an independent body, which breaches Article 16 of the Treaty of the European Union and Article 8 of the European Charter of Fundamental Rights.

The Information Act also makes a number of other changes to the data protection landscape in Hungary. Under the PPD, the head of the DPA was appointed by Parliament for a renewable term of six years, whereas under the Information Law, the head of the NAIH is appointed directly by the President for a renewable term of nine years. Other new features of the Information Law include fees for data controller registrations, possible voluntary data protection audits conducted by the NAIH, and monetary penalties of up to HUF 10 million (approximately €35,000) for violations of the Information Law.

“It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted.” 

We reported on U.S. v. Jones in November of last year, when the Supreme Court heard oral arguments in the case.

In December 2009, a hacker may have gained access to personal and financial information of Ceridian’s customers, including names, addresses, Social Security numbers, dates of birth and bank account information. Although it is not known if the hacker read, copied or understood the data, Ceridian sent notification letters to affected individuals informing them of the breach and offering to provide one year of complimentary credit monitoring and identity theft protection.

The appellants, who were employees of a law firm that was a former customer of Ceridian, filed a complaint alleging that, as a result of the breach, they experienced an increased risk of identity theft, incurred costs to monitor credit activity and suffered emotional distress. The U.S. District Court for the District of New Jersey granted Ceridian’s motion to dismiss for lack of standing and failure to state a claim.

On the appeal, the Third Circuit affirmed the dismissal, agreeing with the district court that “allegations of a hypothetical, future injury do not establish standing under Article III.” The court noted that the appellants relied on speculation that the hacker: (1) read, copied and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of appellants by making unauthorized transactions. According to the court, “[u]nless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”

In support of its conclusion, the Third Circuit cited cases that were dismissed because the alleged future harm was deemed “neither imminent nor certainly impending,” distinguishing decisions in Pisciotta v. Old National Bancorp and Krottner v. Starbucks in which there was evidence that the threatened harms were significantly more “imminent” and “certainly impending.” The court also held that the appellants’ analogies to defective medical device, toxic substance and environmental injury cases were not valid on several grounds, including because such cases involve an actual physical injury, hinge on human health concerns and cannot necessarily be remedied by monetary compensation.

In May 2011, we reported on Ceridian’s settlement with the Federal Trade Commission over charges the FTC filed against Ceridian in connection with the 2009 breach. As part of the resulting consent order, Ceridian is prohibited from making misleading claims regarding its privacy practices and is required to maintain a comprehensive information security program.

The French Commercial Code grants the French Competition Authority the power to inspect the premises of a company suspected of anti-competitive practices and to search and seize all company documents and information that may be relevant to an investigation. On February 19, 2010, the Court of Appeals of Versailles upheld the Commission Authority’s unlimited search and seizure of emails belonging to employees of the company, Janssen-Cilag. The Court of Appeals found that the agents of the Commission Authority were authorized by a “freedoms and custody judge” to inspect the emails as part of the Commission Authority’s investigation into an alleged abuse of the company’s dominant position in the pharmaceutical market.

Janssen-Cilag and several of its employees challenged the validity of the search on the grounds that the Competition Authority violated the individuals’ rights to privacy, right to secrecy of correspondence, and right to the protection of personal data by seizing all employee emails, including private emails of employees and certain third parties. The Court of Appeals held that the seizure of private emails and documents that were potentially irrelevant to the investigation did not invalidate the search because the investigation had been authorized by a judge, which excluded the application of the French Data Protection Act. The Court of Appeals also reasoned that the investigation was not disproportionate and employees were permitted to reclaim all emails and documents that were identified as private, confidential or irrelevant to the investigation.

Read the French Court of Cassation’s decision (in French).

For more information on the decision of the Court of Appeals, read Olivier Proust’s May 2010 article analyzing the conflict of laws between data protection and competition law.