Bankrupt Magazine Must Destroy Readers' Personal Information

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

As reported in BNA’s Privacy Law Watch, as a result of the FTC’s opposition to the transfer of the personal information, the parties entered into a consent order agreeing that the information will be destroyed before the magazine’s assets are sold.  The consent order called for the destruction to be carried out in a manner that will make the information “unreadable, undecipherable, or non-reconstructable through generally available means.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy.  It also highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations. Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York.

FTC Chairman Considers Do Not Track Registry

In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry.  The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements.  Instead, it would prevent those advertisements from being targeted to users based on their prior online activity.  Mr. Leibowitz’s remarks came during a hearing on Consumer Online Privacy held yesterday by the U.S. Senate Committee on Commerce, Science, and Transportation.  Current industry self-regulatory initiatives for providing consumers with choice regarding behavioral advertising include the Network Advertising Initiative’s Opt-Out Tool, which has been criticized for relying on opt-out cookies that consumers may accidentally delete, and a related beta Firefox browser extension designed to remember consumers’ opt-out preferences even after cookies are deleted.

Rite Aid Pharmacy Pays $1 Million; Settles FTC and HHS Charges Regarding Data Practices

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

The settlement with the FTC requires Rite Aid to establish a comprehensive information security program and to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the settlement order.  The order also bars future misrepresentations of the company’s security practices.  In addition to requiring a $1 million payment, the HHS settlement obligates Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years.

This is the second case in which the FTC and HHS coordinated their investigations and settlements.  The agencies resolved similar allegations with CVS Caremark in February 2009, when CVS Caremark agreed to pay a record $2.25 million and implement remedial measures to settle the investigations.

Kerry Signals Senate Support for Online Privacy Legislation

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data.  “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement.  Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet.  He indicated that his bill would go beyond the regulation of targeted advertising.  “Protecting the privacy of consumers online involves much more than the targeted advertising to which they are subjected,” Senator Kerry said. “Such advertising is just one result of the information that is routinely collected about us online.”

As we reported last week, Representative Bobby Rush (D-Ill.) introduced a bill regarding online data collection practices, which itself followed a similar bill proposed in May by Congressmen Boucher (D-VA) and Stearns (R-FL).  Also on Tuesday, FTC Chairman Jon Leibowitz testified before the U.S. Senate about FTC efforts to protect consumer privacy.

Sweeping Privacy Legislation Would Include Private Right of Action

On July 19, 2010, Representative Bobby Rush (D-Ill.) introduced a bill "to foster transparency about the commercial use of personal information" and "provide consumers with meaningful choice about the collection, use and disclosure of such information."  The bill, cleverly nicknamed the "BEST PRACTICES Act", presumably intends to set the standards for the use of consumer personal information by marketers.  A similar bill was introduced by Representatives Boucher and Stearns in early May.  Although both proposals would require opt-out consent for online behavioral advertising and express, affirmative consent for the collection or sharing of sensitive information, Rush's bill has a broader definition of "sensitive information" and includes several other key differences.  Perhaps most notably, unlike the earlier draft legislation, Rush's bill features a private right of action that would allow individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages and costs and attorney's fees.  The bill contains a safe harbor from the private right of action for companies that participate in, and comply with, a self-regulatory "Choice Program" approved by the FTC.  In addition, the bill excludes from its definition of "covered information" any information collected from or about an employee by an employer "that directly relates to the employee-employer relationship."  A hearing on the proposed bill will be held on Thursday July 22, 2010.

Read the text of the bill

FTC's David Vladeck Opposes Bankruptcy Transfer of Personal Information

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

Vladeck’s letter explained that, since its inception, the debtor’s website “Sign-up Confirmation Page” told potential members/subscribers: “Please note our amazing privacy policy. We never give your info to anybody.”  Another representation, which appeared on the website and was directed to magazine subscribers, stated: “[O]ur privacy policy is simple: we never share your information with anybody.”  Those submitting online profile information were told that such information “will not be published. [W]e keep it secret.”  The magazine catered to a young gay audience, including individuals whose sexual orientation was a secret.  The creditors have been seeking to acquire the magazine’s subscriber information, among other assets.  Under these circumstances, Vladeck argues, a transfer of the information to the creditors would contradict the privacy statements made to the subscribers, in possible violation of the FTC Act’s prohibition against “unfair or deceptive acts or practices.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy, and it highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations.  Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York by Lisa J. Sotto, Scott H. Bernstein and Boris Segalis.

Twitter Settles FTC Data Security Charges

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.  The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama.  According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable safeguards, including:

  • requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks;
  • prohibiting employees from storing administrative passwords in plain text within their personal email accounts;
  • suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
  • providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • restricting access to administrative controls to employees whose jobs required it; and
  • imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
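
The controls the FTC lists above (lockout after repeated failed logins, hashed rather than plain-text password storage, forced password rotation, and IP-restricted administrative access) can be expressed as a single login policy.  The following is an added illustration written for this post, not Twitter's code or anything from the FTC complaint; the account class, the `check_admin_login` function, the 10.0.0.0/8 allowlist and the sample scenario are all constructed assumptions.

```python
"""Admin login policy: failed-attempt lockout, salted password hashing,
90-day password expiry and a source-IP allowlist for the admin interface.
Added example; all names, thresholds and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5                        # lock the account at this count
PASSWORD_MAX_AGE = timedelta(days=90)          # forced rotation interval
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8")]   # hypothetical internal range


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so no plain-text admin password is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def new_account(username: str, password: str, now: datetime) -> AdminAccount:
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), now)


def check_admin_login(acct: AdminAccount, password: str,
                      source_ip: str, now: datetime) -> str:
    """Return 'ok', 'bad_ip', 'locked', 'bad_password' or 'password_expired'."""
    # Restrict administrative access to specified IP addresses, checked first
    # so that off-network requests never reach the password path at all.
    if not any(ip_address(source_ip) in net for net in ADMIN_ALLOWLIST):
        return "bad_ip"
    # A locked account stays locked until an administrator reviews it,
    # even if the correct password is later supplied.
    if acct.locked:
        return "locked"
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # in production: also raise an alert
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0            # successful login resets the counter
    # Enforce periodic rotation: an aged password may not be used to log in.
    if now - acct.pw_set_at > PASSWORD_MAX_AGE:
        return "password_expired"
    return "ok"


def simulate() -> list:
    """Constructed scenario exercising each control; returns the outcomes."""
    now = datetime(2010, 7, 1)
    out = []
    a = new_account("admin", "correct horse battery", now)
    out.append(check_admin_login(a, "correct horse battery", "203.0.113.5", now))
    for _ in range(MAX_FAILED_ATTEMPTS):         # five guesses from inside
        out.append(check_admin_login(a, "guess", "10.1.2.3", now))
    out.append(check_admin_login(a, "correct horse battery", "10.1.2.3", now))
    b = new_account("admin2", "another passphrase", now)
    out.append(check_admin_login(b, "another passphrase", "10.1.2.3", now))
    out.append(check_admin_login(b, "another passphrase", "10.1.2.3",
                                 now + timedelta(days=91)))
    return out


if __name__ == "__main__":
    for result in simulate():
        print(result)
```

The ordering matters: the allowlist check runs before any password comparison so that an off-network client cannot even exercise the lockout counter, and a locked account rejects the correct password, which is what makes the lockout a real brake on guessing rather than a cosmetic counter.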

The proposed settlement agreement contains a consent order requiring Twitter to implement data security safeguards and submit to periodic independent security audits.  The FTC’s press release contains more details.

Health Care Providers Potentially Exempt from Red Flags Rule

As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule.  The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The FTC previously has stated that health care providers could be deemed “creditors” under the Rule.  The agreement will grant relief to health care providers until the resolution of litigation pending before the U.S. District Court for the District of Columbia, in which the American Medical Association and other health groups have asked the court to prevent the FTC from applying the rule to physicians.  As we reported in our previous blog post, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010, to allow Congress to take action to clarify the Rule’s scope.

Emerging Privacy Issues in Bankruptcy

The emergence of information privacy issues over the last decade has led to increased scrutiny of public representations that companies make regarding their information practices.  As a result of consumer privacy expectations and legal requirements, these representations are typically found in a company's website privacy notice.  Too often, however, companies make commitments regarding their information practices that are difficult to meet and fail to anticipate changes in business circumstances (such as mergers or sales of assets).  Such commitments may prove damaging to the company, its investors and creditors.  Read more in an article published by GC New York on June 10, 2010, by Lisa J. Sotto, Scott H. Bernstein and Boris Segalis.

Article 29 Working Party Calls on FTC to Investigate Online Retention and Anonymization Policies

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft.  Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

The Working Party’s request references individual letters sent to Google, Yahoo! and Microsoft, also dated May 26, 2010, in which the Working Party stated that Yahoo! and Microsoft had not provided sufficient information about their anonymization practices to allow the Working Party to assess the quality of their policies, and Google’s existing policies were insufficient to guarantee adequate anonymization.  As a result, the Working Party could not conclude that the three companies’ retention and anonymization policies complied with the EU Data Protection Directive.

These concerns were first raised in March 2008, when the Working Party issued a detailed Opinion about search engines (Opinion 1/2008 - WP 148), which attempted to clarify and harmonize specific obligations for search engine providers with respect to the EU Data Protection Directive.  The Opinion also highlighted the Working Party’s concerns over the sensitivity of personal data related to search queries and the treatment of such personal data by search engine operators.  It urged companies to review their retention policies and bring them in line with the recommended maximum period of six months.  Following various consultations with the service providers in February 2009, the companies pledged their commitment to reduce retention periods (with limited exceptions) and announced steps to improve their anonymization procedures.

The Working Party urged all three service providers to review their anonymization claims and make the process verifiable.  To this end, the Working Party strongly suggested the use of audit procedures involving external and independent auditors.

In addition to the letter to the FTC, the Working Party also sent a copy of the service providers’ letters to Commissioner Viviane Reding in an effort to contribute in a meaningful way to the development and better enforcement of adequate, transatlantic data protection principles.

FTC Further Extends Enforcement Deadline for Red Flags Rule

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.  The enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction.  The FTC stated that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.

Please refer to our previous post regarding other developments that may limit the Red Flags Rule’s application.

FTC Investigating Privacy Risks to Data Stored on Digital Copiers

Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers.  Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.

In the letter to Congressman Markey, Mr. Leibowitz promised the FTC would collaborate with “copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risk associated with digital copiers and to determine whether they are warning their customers about these risks, whether they are providing education and guidance on this subject, and whether manufacturers and resellers are providing options for secure copying.”  He also stated that the FTC would “provide additional guidance to both consumers and businesses specifically addressing how to protect personal information that may be stored on hard drives of digital copiers and other devices.”

By not erasing personal information stored on the hard drives of digital copiers, businesses may be violating numerous state records disposal laws that require businesses to take reasonable steps to ensure that records containing personal information be destroyed such that the information is unreadable or undecipherable through any means.  Personal information stored on digital copiers also may trigger federal and state breach notification laws if that information is not erased.  In April 2010, Affinity Health Plan notified over 400,000 current and former customers that their personal information had been stored on the hard drives of a leased office copier that Affinity later returned to the leasing company.  The copier containing the Affinity customers’ information was featured in the CBS News exposé when reporters found information from “drug prescriptions, to blood test results, to a cancer diagnosis.”

To help ensure compliance with applicable privacy and information security laws, businesses should destroy or erase any hard drives in digital copiers before selling or discarding those machines, and should contractually require that the hard drives of leased digital copiers be erased at the termination of the lease.

Congressmen Introduce Draft Privacy Legislation

On May 4, 2010, Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL) introduced draft legislation designed to protect the privacy of personal information both on the Internet and in offline contexts.  View drafts of the text of the bill and an executive summary of the proposed bill.

The legislation would apply to any “covered entity,” which is defined as “a person engaged in interstate commerce that collects data containing covered information.”  The term “covered information” is very broad and includes, but is not limited to, an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  Government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period (and do not collect sensitive information) would not be considered “covered entities” for purposes of the law. 

Among other things, covered entities would be required to:

  • provide an individual with a privacy notice and an opportunity to opt out before they may collect, use or disclose covered information from or about that individual;
  • obtain the opt-in consent of individuals before collecting sensitive information such as medical or financial records;
  • obtain the opt-in consent of individuals before sharing covered information with unaffiliated parties; and
  • establish, implement and maintain appropriate administrative, technical and physical safeguards to protect covered information.

The draft legislation gives enforcement authority to the Federal Trade Commission, which may issue regulations to implement the measure, and allows state attorneys general and state consumer protection agencies to bring civil actions on behalf of their states’ residents against anyone who violates the law.

The bill will be formally introduced following a one-month comment period.

U.S. Legislators Urge Enhanced Privacy Protections for Social Networking Websites

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users.  On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.”  The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

The Senators’ letter to Facebook comes on the heels of New York Senator Charles Schumer’s April 26, 2010, letter to the Federal Trade Commission asking it to look into privacy concerns about the use and disclosure of personal data on social networking websites.  Senator Schumer offered to “introduce appropriate legislation” that would give the FTC authority in “creating effective guidelines and protecting the privacy of online social network site users.” 

At the state level, the California Senate passed a bill on April 22, 2010, that prohibits social networking websites from displaying “the home address or telephone number of a registered user who identifies himself or herself as being under 18 years of age” to the public or to other registered users.  Social networking websites that “knowingly and willfully” violate the provision can be fined up to $10,000 for each violation.  The measure is currently being considered by the California State Assembly.

Behavioral Advertising Complaint Filed with the FTC

Today three advocacy organizations filed a complaint with the Federal Trade Commission (“FTC”), demanding that it investigate and impose drastic requirements on entities involved in online data analytics and behavioral advertising.  In their complaint, the U.S. Public Interest Research Group (“U.S. PIRG”), the Center for Digital Democracy and the World Privacy Forum target Google, Yahoo!, BlueKai, PubMatic, TARGUSinfo and others for allegedly participating in what the U.S. PIRG terms a “Wild West” of online collection and auctioning of data for marketing purposes.

The complaint advances a detailed technical description of some aspects of the behavioral advertising world and states that the “compilation and analysis of data on users in real time involve highly sophisticated data mining technologies that few users—and likely regulators!—understand.”  The advocacy groups ask the FTC to “compel companies involved in real-time online tracking and auction bidding, including providing related data optimization, to provide an opt-in for such a process.”  They also ask the FTC to “[e]nsure that consumers receive fair financial compensation for the use of their data.”

FTC's New Commissioners Create a Democratic Majority

Julie Brill and Edith Ramirez took their oaths of office on April 5 and 6, 2010, completing the Federal Trade Commission’s roster of five commissioners and facilitating the Commission’s new tougher stance on privacy.  As we previously reported, Ms. Brill and Ms. Ramirez were confirmed by the U.S. Senate on March 3, 2010.  There are now three Democrats and two Republicans on the Commission.

Last year, when the Commission was comprised of one Democrat, two Republicans, an independent and a vacant seat, FTC Chairman Jon Leibowitz announced an aggressive agenda for the Commission, including a “privacy re-think.”  The new Democratic majority will make it easier to advance that agenda through recommendations to Congress, responses to market requests for greater self regulation and the approach taken with respect to enforcement cases.

Julie Brill brings twenty years of privacy enforcement experience as Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  Edith Ramirez was a litigation partner at Quinn Emanuel Urquhart & Sullivan in Los Angeles.

Additional information is available on the Commissioners' page of the Federal Trade Commission’s website.

FTC's Revised Free Credit Reports Rule Becomes Effective April 2, 2010

Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010.  As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports. 

According to the revised rule, print advertisements for free credit reports must include the following disclosure in close proximity to the first mention of a free credit report:

THIS NOTICE IS REQUIRED BY LAW.
You have the right to a free credit report at AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law.

Similarly, Internet websites must display the following disclosure, including the functioning hyperlinks depicted below, on each page that mentions a free credit report and on each page of the ordering process:

THIS NOTICE IS REQUIRED BY LAW.  Read more at FTC.GOV.
You have the right to a free credit report at AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law.

The website disclosure must also include a clickable button that states “Take me to the authorized source” and links to www.AnnualCreditReport.com. 

Telemarketers who offer free credit reports must announce to consumers:  “The following notice is required by law.  You have the right to a free credit report at AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law.”

The revised Free Credit Reports Rule also requires certain disclosures for television and radio advertisements for free credit reports, but those provisions do not become effective until September 1, 2010.

An Inside Look at the FTC's Final "Exploring Privacy" Roundtable

On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.”  In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout.  David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.

The first three panels of the day described the emerging environment for information and the privacy protection issues raised by a rapidly changing data ecosystem.  The opening session on internet architecture focused closely on the security issues inherent in current architecture and the privacy questions that must be addressed as the infrastructure evolves in response to security concerns.  The second panel discussed health information and the complex concerns raised by using genomic data for medical research.  In the third segment, panelists grappled with the perennial question of what constitutes sensitive information, and considered the extent to which that characterization of data is a useful differentiator for purposes of data governance.

The final panel, “Lessons Learned and Looking Forward,” which included the Centre for Information Policy Leadership's Paula Bruening and Fred Cate, asked participants to consider the findings of all three roundtables and to offer solutions to privacy questions raised in those discussions.  The panelists proposed possible new approaches to privacy protections and, when asked, gave suggestions about what the FTC should do next.  Comments reflected the need for fresh thinking about new models of protection, and cautioned the FTC against reverting to traditional models of notice and choice that have proven limited in their usefulness.

FTC staff has committed to a thorough review of the proceedings and the public comments submitted in conjunction with the three roundtables.  The FTC noted that any document issuing from the roundtable series likely will be made available for public comment, providing an additional opportunity for interested parties to weigh in.

Comments by Outgoing FTC Commissioner Pamela Jones Harbour Suggest Continuing Focus on Consumer Privacy by the Commission

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

Ms. Harbour concluded that privacy is a fundamental right that consumers expect businesses to respect regardless of advances in technology.  She expects the FTC to continue to evaluate consumers’ preferences and, armed with these insights, “shape the conversation about the intrinsic value of privacy.”  Ms. Harbour also expects the FTC to step in to protect consumers where the Commission believes companies have violated privacy promises.

While Ms. Harbour noted that she was expressing her own views rather than the FTC’s, recent commissioner appointments suggest that the FTC will continue to be increasingly active in privacy enforcement.  Specifically, one of the newly appointed commissioners, Julie Brill, has spearheaded litigation and legislative efforts in a wide variety of areas affecting consumers, including privacy, in her roles as Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  Ms. Brill also has served as Chair of the Committee on Privacy for the National Association of Attorneys General.

LifeLock to Pay $12 Million Over False Claims of Identity Theft Protection

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.

The FTC’s complaint and further details concerning the settlement are available on the FTC’s website.  The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.

Brill and Ramirez Confirmed as FTC Commissioners

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms.  Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General.  Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles, where she handles complex business litigation matters.  In addition to the appointment of Jon Leibowitz as Chairman of the FTC by President Obama, these new appointments will give control of the FTC to the Democrats.

FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent and mitigate the risk of identity theft.  Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.

To read more about the Red Flags Rule, please see our previous blog posts.

View the FTC’s notice of appeal.

FTC Warns Organizations of P2P-Related Data Security Breaches

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.

Hunton & Williams partner Lisa J. Sotto discussed the FTC’s release in USA Today's Technology Live Blog.

FTC's Second Exploring Privacy Roundtable

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When encountering these protective measures, consumers often avoid or turn off privacy features of technologies that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring whether those objectives have been achieved.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.

Federal Trade Commission: Is Privacy Moving to a Post-Disclosure Era?

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz, and chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy.  Chairman Leibowitz highlighted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and whether consumers were harmed.  From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy.  This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.”  In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

The lack of meaningful consent has raised the possibility that privacy is moving beyond the advise-and-consent model toward a post-disclosure era.  It remains to be seen how the post-disclosure era will evolve and how the new paradigm will replace consumer notice and choice.  The FTC is examining the issue, and aims to publish a report by July 2010.  Although the final content of the report is yet to be determined, Chairman Leibowitz stated, “I have a sense, and it’s still amorphous, that we might head toward opt-in.”

For further information, view The New York Times blog post.

Business Forum for Consumer Privacy Introduces New Data Protection Model

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document” at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three-year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices.  The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability.  The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment, internal business processes, marketing, fraud prevention and authentication and national security and legal).  The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event.  In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment.  Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use.  The use-and-obligations model will likely serve as an important contribution to that discussion.

Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting that the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”

FTC Kicks Off Privacy Roundtable Series

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

The event’s closing session – “Exploring Existing Regulatory Frameworks” – featured several speakers including Barbara Lawler of Intuit who provided an overview of the Business Forum for Consumer Privacy's “Use-and-Obligations” approach to privacy governance.  The Business Forum’s paper is available here.  In response to the FTC's request for greater simplicity, Professor Fred Cate suggested a framework based on three categories of information-related activities:  those that are prohibited or heavily disfavored, those that are permitted without specific notice or consent, and a large middle ground that applies consent requirements on a sliding scale from implied to explicit.  The panel’s tone indicated a general consensus that the "notice and choice" privacy governance model is becoming increasingly irrelevant.  At the IAPP conference the following day, EPIC’s Marc Rotenberg agreed that "notice and choice is only effective when the consumer has real choices to make."

The FTC’s Exploring Privacy series will continue with roundtables scheduled for January 28, 2010, in Berkeley, California and March 17, 2010, in Washington, DC.  The FTC is expected to complete the creation of the record during the January session and to explore future initiatives at the meeting in March.

Senior Staff Changes at FTC Bureau of Consumer Protection Increase Privacy Profile

Senior staff changes at the Federal Trade Commission have enhanced privacy’s profile within the agency.  Jessica Rich is the new Deputy Director of Consumer Protection.  Ms. Rich has been the Acting Associate Director responsible for the Division of Privacy and Identity Protection following nearly a decade as Assistant Director for the Division.  Rich has long been seen as the FTC staff’s privacy thought leader.  The new Privacy Division Associate Director is Maneesha Mithal.  Ms. Mithal brings a strong international background to the position.  The new Assistant Director is Mark Eichorn, a longtime attorney advisor to Chairman Jon Leibowitz.  The Associate Director in charge of the Division of Financial Practices, Joel Winston, previously led the Division of Privacy and Identity Protection, and brings a great deal of privacy experience to the financial practices position.

The FTC begins a major privacy initiative on Monday, December 7, when it will hold the first of three roundtables exploring future directions for privacy oversight.  The second roundtable will be in Berkeley on January 28, 2010, with the third in Washington in the second half of March.

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all of the GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.

Court Finds That Lawyers Are Not Subject to the FTC's Identity Theft Red Flags Rule

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft.  The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

In reaching the decision, Judge Reggie Walton is reported to have stated that he was reluctant to conclude that Congress intended to regulate lawyers when it enacted the FACT Act, which the Red Flags Rule implements.  The court also questioned the FTC's broad interpretation of the term "creditor." Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.  Notably, the Judge's comment may leave the door open for other challenges to the Rule by myriad small businesses whom the FTC considers "creditors" subject to the Rule.

It is reported that the court granted an injunction against the enforcement of the Rule and a declaratory judgment finding that lawyers are not subject to the Rule.  The FTC is expected to appeal the decision.

As Red Flags Deadline Looms, Attempts to Limit Scope Advance

The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching.  Of late, there has been a flurry of activity aimed at limiting the scope of the rule.  The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program.  A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.”  In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”

Although numerous organizations such as the American Medical Association have expressed their objections to the scope of the rule, the American Bar Association (“ABA”) escalated matters in August 2009 by requesting a federal court to issue an injunction that bars the FTC from enforcing the Red Flags Rule with respect to attorneys.  The ABA argues in its complaint that there is no “legally supportable basis for application of the red flags rule to lawyers engaged in the practice of law.”  On September 23, 2009, the ABA filed a motion for summary judgment in the case, and the FTC responded by filing a memorandum in opposition that argues that “subjecting attorneys to the Red Flags Rule is based on the attorney’s billing arrangement with clients—essentially an accounting function—and not on some essential element of the lawyer-client relationship, such as the protection of client confidences.”  The District Court of the District of Columbia has scheduled a hearing on the ABA’s motion on October 29, 2009, just three days before the Red Flags Rule is set to take effect.

On October 20, 2009, the House of Representatives approved H.R. 3763, which amends the Fair Credit Reporting Act to exclude health care, accounting and legal practices with 20 or fewer employees from being deemed “creditors” subject to the Red Flags Rule.  In addition to the specific exemptions for small health care providers, accounting firms, and law firms, H.R. 3763 also allows the FTC to exclude any other business from the definition of “creditor” if the business applies for an exclusion and either (1) knows all of its customers or clients individually; (2) only performs services in or around the residences of its customers; or (3) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.  Finally, the bill requires the FTC to issue regulations within 180 days of the enactment of the bill that set forth the process by which businesses may apply for these exclusions.  Despite the House’s passage of the bill, there has been no similar legislation introduced in the Senate and it is unclear whether there are any plans to do so before the November 1st deadline.

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all of the GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.

Federal Trade Commission Comes out Swinging: Two-Day Enforcement Haul Totals More than $18.5 Million

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  To settle allegations that it facilitated fraud on American consumers from Canada, MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

The FTC also announced today a settlement with Iconix Brand Group, Inc., which owns, licenses and markets apparel brands including Candie's, Mudd, Bongo and OP.  The FTC alleged violations of the Children’s Online Privacy Protection Act ("COPPA") and Section 5 of the FTC Act.  As to the COPPA violations, the FTC noted that several of the brands' websites collected full dates of birth, presumably putting the company on notice that it had collected information from individuals under the age of 13 although it did not notify parents in advance or seek their consent.  In addition, the brands' privacy statements included a representation that the company does not "seek to collect" personal information from individuals under the age of 13, which the FTC charged was a deceptive trade practice in violation of Section 5 of the FTC Act.  Iconix agreed to pay $250,000 in civil money penalties and to delete all information collected and maintained in violation of COPPA, in addition to other equitable measures such as training employees.

Yesterday, the FTC announced that ChoicePoint, Inc. agreed to strengthen its data security in order to settle charges that it failed to implement a comprehensive information security program as required by the earlier consent order it entered into with the agency following its well-publicized 2005 security breach.  This agreement, which expands the company's obligations under the original consent order, follows a security breach that occurred in 2008.  ChoicePoint allegedly turned off a security feature used to monitor access to one of its databases and failed to detect that the feature was disabled for four months.  During that period, the FTC alleged that the personal information of 13,750 people was compromised, putting them at risk of identity theft.  In addition to paying $275,000 to be used for consumer redress, the modified court order requires ChoicePoint to report to the FTC every two months for the next two years, providing "detailed information about how it is protecting the breached database and certain other databases and records containing personal information."

The three cases, following closely on the heels of seven Safe-Harbor-related settlements, demonstrate the FTC's resolve to enforce more aggressively and levy larger fines when settling cases.

New FTC Blog Guidelines Affect Companies Without Blogs

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

The Guides address the application of Section 5 of the FTC Act to the use of endorsements and testimonials in advertising.  Although the Guides provide a basis for voluntary compliance with the law by advertisers and endorsers, practices inconsistent with them may result in enforcement action by the FTC.  The Guides set forth general principles that the FTC intends to use in evaluating endorsements and testimonials, together with examples illustrating the application of those principles.

First issued in 1975 and 1980, these Guides generally require that endorsements reflect the honest opinion of the endorser and not contain representations that would be deceptive if made by the advertiser.  In November 2008, the Commission proposed amendments to the Guides, including changes to clarify the obligations of bloggers and other users of new communication technologies and advertising strategies.  In the final Guides, as under the pre-amendment Guides, when an expert or celebrity receives payment to endorse a company’s product in advertisements, the company does not need to explicitly disclose the fact of the payment in advertisements, since the public generally understands that experts and celebrities endorse products because they are paid to do so.  Conversely, when a non-expert or non-celebrity endorses a product (e.g., a “man-on-the-street” testimonial), any payment must be disclosed, since the public generally does not expect such an endorsement to have been influenced by payment.  The amended Guides provide a new example of this principle in the online context:  an employee of a manufacturer of MP3 players visits an online MP3 discussion board and posts comments promoting her employer’s products without disclosing the employment relationship.  As a result, whether or not a company has its own blog or engages third-party bloggers, there may be some risk of enforcement based on employee activities.  The amendment explains that the employee should disclose the relationship, since knowledge of the poster’s employment likely would affect the weight or credibility of her endorsement.  The scope of the amendments suggests that the FTC’s view on this matter would extend to promotional comments made by persons with such undisclosed material connections to the promoted company in any emerging communications tool, such as online discussion boards, blogs, social networking sites, Twitter, etc.

To mitigate risk given the FTC’s new focus on this sort of activity, businesses may wish to (i) require their employees to disclose the employment relationship when making online comments that promote the employer or its products, (ii) require that such comments be vetted by the business, or (iii) prohibit employees from making online comments.  Businesses should also consider training employees on any such policies that the business may establish.

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000.  The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current.  If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers.  In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites in which the companies continued to claim Safe Harbor membership.

Report Finds America Rejects Targeting, Setting Up Policy Debate

In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The study also makes the case that Americans would like much stricter laws governing the data collected online and higher penalties for failures to comply.

The study did not explore consumers' perceptions of the role played by targeted advertising in providing free content to users or their willingness to pay for content in the absence of that advertising support. The House Energy and Commerce Committee has announced its intent to address these issues in the current session of Congress. In the absence of alternative empirical data, this study will feature prominently in the policy debate about regulating behavioral targeting in the U.S. and Europe.

FTC Announces Public Roundtables on Consumer Privacy Issues

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for various purposes.  The roundtables will also consider the adequacy of existing legal and self-regulatory frameworks.  Participants will include academics, privacy experts, consumer advocates, industry representatives, technology experts, legislators, and experts from outside the United States.  The Commission has asked individuals and organizations to submit requests to participate as panelists and suggest discussion topics.  The Commission also has asked interested parties to submit written comments and research on the issues of (i) risks, concerns and benefits associated with the collection and use of consumer information, (ii) consumer expectations of how their information is used, and (iii) the adequacy of existing legal requirements and self-regulatory regimes in protecting consumer privacy interests.

Click here for more information on the Commission’s news release.

FTC's First Safe Harbor Enforcement Action

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  A company under the FTC’s jurisdiction that self-certifies to the Safe Harbor principles but fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits deceptive trade practices. 

In this case, the FTC successfully argued that, regardless of the company’s data protection practices, falsely claiming to be Safe Harbor certified could constitute a violation of the FTC Act in and of itself.  The defendants have been ordered to appear on September 25, 2009 to show cause why the court should not enter a preliminary injunction prohibiting further violations.

FTC and HHS Issue Final Breach Notification Rules

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date. 

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC's Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.

Data Security Breach Notification Law Update

July saw a flurry of activity involving data security breach notification laws. 

  • On July 1, breach notification laws in Alaska and South Carolina went into effect.
  • On July 9, Missouri became the 45th state to enact a data breach notification law. 
  • On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill calling it one of his “highest legislative priorities.”
  • On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information.  The amendment also included content requirements for the attorney general’s notice.

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law, leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

  • The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
  • Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
  • The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Dianne Feinstein introduced a data breach notification bill in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill that is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

FTC Extends Red Flags Compliance Deadline to November 1

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of the Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and financial institutions is November 1, 2009.  The FTC news release is available here.

Agencies Issue Final Rules on Credit Report Accuracy under FACTA

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010.

The final rules and guidelines include provisions allowing consumers to dispute inaccuracies in their credit files directly with entities that furnish information to credit reporting agencies, including financial institutions and other organizations.  The Agencies’ guidelines specify the steps credit information furnishers should take to ensure the accuracy and integrity of the information they provide to credit reporting agencies, including suggestions such as when it may be necessary to provide supplemental information in order to avoid creating misleading impressions about creditworthiness.  The accuracy and integrity of information contained in credit reports is critical to individual consumers, as this information is used to assess eligibility for credit, employment, insurance and housing, and consumers with errors in their credit reports may be denied access to such benefits.

A copy of the final rules and guidelines is available here.

Marketing Industry Groups Propose Behavioral Advertising Guidelines

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

Behavioral advertising involves collecting and analyzing information about consumer online behavior for marketing-related purposes, such as serving targeted ads, or developing purchase propensity models. In the U.S., the practice has come under scrutiny by consumer groups, legislators and the FTC. The FTC published a second report on its own proposed self-regulatory principles on February 12, 2009.

The new self-regulatory guidelines are based on seven principles: Education, Transparency, Consumer Control, Data Security, Consent to Material Changes, Sensitive Data and Accountability. The principles call on participating organizations to (i) conduct outreach campaigns to educate consumers about behavioral advertising, (ii) provide clear disclosures about their online behavioral advertising practices (including notices at data collection points), (iii) allow consumers to choose whether their data is used for behavioral advertising, (iv) provide security for consumer information and limit its retention, (v) obtain consumer consent to material changes regarding the use of their information, and (vi) require parental consent for the use of information collected from children under the age of 13. The principles also call for establishing an accountability program for monitoring compliance with the guidelines and reporting non-compliance to appropriate government agencies. The Better Business Bureau and the Direct Marketing Association are currently working together to develop accountability mechanisms, which are intended to be in place by early 2010.

The publication detailing the Self-Regulatory Principles is available at www.iab.net/behavioral-advertisingprinciples.

Obama Proposes New Agency to Regulate Consumer Financial Privacy

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC").  Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets. 

While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties.  The proposal also includes expanded FTC authority over the banking sector with respect to data security.  While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC.  Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.

The Administration's full report on its financial reform plan can be viewed here.

Obama Proposes New Financial Services Consumer Protection Agency

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  The announcement is available here.  We will keep you posted as more details regarding the plan emerge.

Sears Settles FTC Enforcement Action Regarding Consumer Tracking

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed.  Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities.  The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency.  The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), that consumers’ opt-in consent to such tracking must be obtained, and that disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

The enforcement action began after Sears disseminated a “research” software application for consumers to download and install on their home computers in connection with the “My SHC Community” program.  According to the FTC, Sears represented to consumers that this software application, if downloaded and installed, would track consumers’ “online browsing” activities.  The FTC alleged that Sears failed to disclose to consumers that the application would (i) track nearly all of the consumers’ online behavior (including information provided in secure sessions with third-party websites, shopping carts and online accounts), (ii) track certain offline activity on the computer, and (iii) transmit most of the tracked information to Sears’ remote computer servers.  In its complaint, the FTC argued that these facts would be material to consumers when deciding whether to install the software, and Sears’ failure to disclose the information constituted a deceptive act in violation of Section 5 of the FTC Act.  The FTC acknowledged the application “functioned and transmitted information substantially as described in the [Privacy Statement and User License Agreement],” but noted that this disclosure was available only in the lengthy agreement provided near the end of the multi-step registration process.

As part of the proposed settlement, Sears has agreed to do the following:

  • Disclose to consumers all of the types of data that will be tracked by any software program or application disseminated by or on behalf of Sears, its subsidiaries or affiliates, that is capable of being installed on consumers’ computers and is used to monitor, record or transmit information about activities occurring on those computers or data that may be stored on, created on, or transmitted to or from those computers.  Disclose how data collected by such an application may be used, and whether the data may be used by a third party.  In accordance with the settlement, this information must be provided to the consumer on a distinct page prior to the display of any privacy policy, terms of use or end user license agreement.
  • Obtain express, opt-in consent from consumers to the download of any such application and the collection of data through use of a button or link that is not pre-selected and is clearly labeled.
  • Provide notification within thirty days of approval of the settlement to consumers who previously installed such an application.  This notification must explain (i) that they installed a Sears’ tracking application, (ii) that the application collects and transmits data as described in the company’s “Privacy Statement & User License Agreement,” and (iii) how they may uninstall the application.  The notification must be prominently posted on the My SHC Community website for two years from approval of the settlement.
  • Within three days of the approval of the settlement, discontinue collecting any data transmitted by such applications installed prior to approval of the settlement.
  • Within five days of the approval of the settlement, destroy any information collected about consumers by Sears through the use of the application in all cases where the application was installed prior to approval of the settlement.

FTC Publishes Identity Theft Program Template for Low-Risk Entities

On May 13, 2009, the Federal Trade Commission ("FTC") published a compliance template designed to assist financial institutions and creditors "at low risk for identity theft " in developing the Identity Theft Prevention Program required by the FTC’s Identity Theft Red Flags and Address Discrepancies Rule (the "Rule").  The template is entitled "A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft."

While the Rule does not explicitly contemplate a category of entities that are "at low risk for identity theft," the imposition of less onerous requirements on lower-risk entities is consistent with the Rule’s risk-based approach to combating identity theft.  To take advantage of the template, an entity first must assess whether it is at low risk for identity theft.  The FTC suggests that low risk may be shown by factors such as knowing customers personally, providing services at customers’ homes, not having experienced fraud based on identity theft in the past and being in a line of business in which it is uncommon to experience fraud due to identity theft.  These factors are not exhaustive, however, as the template requires entities to also consider their unique circumstances in determining their identity theft risk level.  The assessment and the resulting conclusion must be documented in the template.

The FTC template then guides low-risk entities through the requirements of the Rule by asking them to identify red flags they may experience in their business if a consumer tries to obtain a product or service via identity theft.  The template assists low-risk entities in selecting methods to detect and respond to red flags and administering their Identity Theft Prevention Programs, including implementing updates and managing service providers.  Unlike the Rule, the template requires low-risk entities to document only the final, streamlined Identity Theft Prevention Program (which may be done by simply printing the completed template) and, as compared to the Rule, appears to place less emphasis on the process by which the program is developed.  The template's program administration requirements are also less onerous than those contemplated by the Rule.

Notably, the template does not address the issue of whether an entity is subject to the Rule; rather, it assists only in implementation of an Identity Theft Prevention Program once the entity has determined that it is subject to the Rule and is a low-risk entity.  In other words, the template does not assist entities in determining whether they are financial institutions or creditors, nor does it assist entities in determining whether they have "covered accounts" that necessitate implementation of an Identity Theft Prevention Program, although these issues have been the subject of much debate and confusion among business interests.  In order to make these determinations, businesses may look to the Rule and the FTC’s Red Flags Guide for guidance.

The FTC Identity Theft Prevention Program compliance template for entities that are at low risk for identity theft is available here.  

FTC Voices Strong Support for Federal Data Security Legislation

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

Ms. Harrington stated that the FTC views lax data security as a threat to the marketplace and, therefore, strongly supports the proposed legislation.  The legislation is limited in scope to address only electronic data, but the FTC advocated expanding that scope to include hard copy data.  The FTC also supported provisions in the proposed statute that give consumers rights to access and dispute the accuracy of information held by data brokers, but sought assurances that such rights would be compatible with and not displace the existing protections afforded to consumers under the Fair Credit Reporting Act.

In the FTC’s opinion, a key provision of the legislation grants the Commission authority to impose civil penalties for violations.  Ms. Harrington contrasted this proposed authority with the FTC's current data security enforcement mechanism that is generally limited to injunctive relief the agency seeks when alleging that information security practices are unfair or deceptive under Section 5 of the FTC Act.  The proposed legislation, on the other hand, would allow the FTC to undertake enforcement actions against practices it deems harmful to consumers, irrespective of whether such practices could be construed as unfair or deceptive.  In addition, the rulemaking authority the legislation provides would enable the FTC to promulgate enforceable regulations establishing standards for data security.  

Statements and testimony of Ms. Harrington and other witnesses are available here.

FTC Delays Enforcement of the Red Flags Rule until August 1, 2009

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope.  In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further."  On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule.  The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities.  The FTC's news release is available here.

FTC Proposes Breach Notification Rule for Electronic Health Data

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17th, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

The FTC's Rule will apply to vendors of personal health records and entities that offer products or services through the websites of such vendors. Also included in the Rule's scope are entities that are not covered by the Department of Health and Human Services' rules, but that offer products or services through the websites of DHHS-covered entities, and those that interface with an individual's personal health records. Because ARRA does not limit the FTC's enforcement authority to its enforcement jurisdiction under Section 5 of the FTC Act, the proposed FTC Rule would apply to these entities whether or not they would otherwise fall within the scope of the FTC's regulatory jurisdiction.

Public comments on the proposed rule are due by June 1, 2009. Currently, the rule is set to apply to breaches discovered on or after September 18, 2009. The text of the Federal Register Notice can be accessed on the FTC's website by clicking here.

FTC Chairman Jon Leibowitz Appoints Senior Staff

Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.

“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”

Richard A. Feinstein, who was appointed Director of the Bureau of Competition, is rejoining the agency from a partnership at Boies, Schiller & Flexner LLP, where he focused on antitrust litigation and counseling. He was formerly an Assistant Director in the Bureau of Competition’s Health Care Services and Products Division, focusing on antitrust enforcement, including anticompetitive practices and mergers involving health care providers and payers, and anticompetitive conduct in the pharmaceutical industry. Feinstein worked previously at McKenna & Cuneo, LLP, and he was a trial attorney and supervisor in the Antitrust Division of the U.S. Department of Justice.

David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director. He has argued a number of First Amendment and civil rights cases before the U.S. Supreme Court, and more than 60 cases before the federal courts of appeal and state courts of last resort.

Joseph Farrell, who was named Director of the Bureau of Economics, has been a Professor of Economics at the University of California, Berkeley, where he has been Chair of the Competition Policy Center and an Affiliated Professor in the Haas School of Business. He also has served as Deputy Assistant Attorney General and Chief Economist for the Antitrust Division of the U.S. Department of Justice, and as Chief Economist for the Federal Communications Commission. His research has centered on competition policy, compatibility standards, and innovation. Farrell is a Fellow of the Econometric Society.

Susan S. DeSanti, who will be Director of Policy Planning, joins the Commission from Sonnenschein Nath & Rosenthal, where her practice has focused on antitrust counseling and litigation in a variety of industries. She previously spent 15 years at the Commission, during which she helped develop federal antitrust policy in standard setting, intellectual property licensing, antitrust and patent issues, generic drug entry, mergers, and joint ventures among competitors. During that time, she served in a variety of positions, including Director of Policy Planning, Deputy General Counsel for Policy Studies, senior attorney advisor to Chairman Robert Pitofsky, and attorney advisor to Commissioner Dennis Yao. In addition to several years in private practice before she joined the Commission, DeSanti recently served as Senior Counsel to the Antitrust Modernization Commission.

Jeanne Bumpus, who was re-appointed as Director of the Office of Congressional Relations, has served in that position since June 2006. She was a principal advisor to Senator John McCain and served as Staff Director and Chief Counsel for the U.S. Senate Committee on Commerce, Science, and Transportation. Bumpus began her work on Capitol Hill in the office of Washington State Senator Slade Gorton, where she served as Legislative Counsel. Earlier, she worked as an associate in the law firm of Davis Wright Tremaine in Seattle, Washington.

Joni Lupovitz, who will serve as Chief of Staff to the Chairman, joined the FTC in 1999 as an attorney in the Bureau of Consumer Protection’s Division of Enforcement and was promoted to Assistant Director for Enforcement the following year. Since 2005, she has served as an attorney advisor in the Office of Commissioner (now Chairman) Leibowitz, focusing on consumer protection matters. Before joining the FTC, Lupovitz was a partner with McDermott, Will & Emery, where she had a diverse civil litigation and administrative practice.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

MEDIA CONTACT:

Office of Public Affairs
202-326-2180

FTC Publishes Red Flags Rule Compliance Guide; Confirms Broad Interpretation of the Rule

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with the Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by the federal bank regulatory agencies or the National Credit Union Administration (which issued their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

The guide follows the broad interpretation of the Rule that FTC lawyers have previously articulated on various panels and in FTC publications.  First, the guide confirms that any entity that is a “creditor” under the Rule’s broad definition is subject to the Rule.  The FTC appears to interpret this definition to encompass entities that may have little or no involvement in credit decisions, such as retailers that accept credit card applications for forwarding to credit card companies.  Second, the guide sets out an expansive view of “covered accounts.”  For example, the guide would require a “creditor” to evaluate not only accounts that involve credit but any accounts the business offers or maintains, including non-credit and single transaction accounts, to determine which of its accounts are “covered” under the Rule.  Financial institutions, which had been required to evaluate consumer and non-consumer accounts that involve multiple transactions and have check-writing or similar withdrawal or transfer privileges, may now also have to determine whether their single transaction accounts and accounts without check-writing privileges may be “covered.”

Broad Definition of “Creditor”
According to the guide, any business that sells goods or services and allows customers to pay for them later is a “creditor” under the Rule and, therefore, is subject to the provisions requiring the implementation of an Identity Theft Prevention Program.  This definition of “creditor” may encompass any “invoice billing” arrangements, including those often utilized by law firms, doctors, manufacturers, utility companies and myriad other businesses that do not require immediate payment for their products or services.  Based on the FTC guide, retailers that offer “no interest/no payment” programs are also likely “creditors” under the Rule. 

The second category of “creditors” is entities that “participate” in credit decisions.  This definition, found in Regulation B (from which the definition of “creditor” is derived for purposes of the Rule), covers businesses that may: (i) arrange for loans, (ii) participate in decisions to renew, continue or extend credit, (iii) set the terms of credit, or participate in credit decisions in other, often relatively tangential ways.   A business may be deemed a “creditor” under the Rule if it participates in conducting an initial assessment of credit applications, deciding which applications to send to a lender, receiving proceeds from a portion of the interest rate charged on a loan, restructuring the terms of the sale in order to meet the concerns of the creditor, or advocating for extending credit.  

Notably, Regulation B also defines “creditors” for certain purposes as businesses that “do not participate in credit decisions” but rather only: (i) accept applications, (ii) refer applicants to creditors, or (iii) select or offer to select creditors to whom credit requests can be made.  This definition, relevant only to the Equal Credit Opportunity Act’s anti-discrimination provisions, suggests that businesses that merely accept credit applications and are not involved in the approval process or any of the activities that constitute “participating” in a credit decision (for example, retailers, restaurants, hotels or airlines) are “creditors” subject to the Rule.  The FTC appears to take this position in its guide, which lists as an example of creditors “retailers that offer financing or help consumers get financing from others… by processing credit applications.”

Expanded Scope of “Covered Accounts”
After a business determines that it is a “creditor” or a “financial institution” within the meaning of the Rule, the next step is to determine if the business offers or maintains any “covered accounts.”  If it does, the business must implement an Identity Theft Prevention Program for those accounts.

The guide appears to take a broader view of the definition of “covered accounts” than what had previously been the conventional wisdom.  For example, it was thought that “creditors” needed to consider only consumer and non-consumer credit accounts in deciding which accounts were “covered.”  Under the guide’s interpretation of the Rule, however, a creditor’s covered accounts could include any accounts, rather than only those involving credit.  Thus, for example, if an insurance company allows some consumers to pay for policies after the coverage period and requires others to make periodic payments that prepay coverage, the guide appears to suggest that all such accounts are potentially “covered,” so that the insurance company would need to evaluate the risk of identity theft associated with its non-consumer credit and non-credit accounts, not only its consumer credit accounts, to determine which of them are actually covered.  The implication of the guide’s interpretation for financial institutions subject to the FTC’s jurisdiction is that the coverage of the Rule would extend to non-transaction accounts (i.e., accounts that do not allow check writing or similar withdrawal or transfer transactions).

Finally, the guide suggests that in deciding which accounts are “covered,” financial institutions and creditors must evaluate the risks associated with “single transaction” accounts.  This requirement appears to significantly expand the scope of the Rule, which defines an account only as a “continuing relationship.”  Here, the guide also appears to be in conflict with the position the FTC and the federal banking agencies articulated in the preamble to the Rule that the agencies “determined that… the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transactions by non-customers would outweigh the benefits of such a requirement.”

The FTC guide is available on the new FTC website dedicated to the Red Flags Rule, located here.

FTC Issues Red Flags Guidance

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide, “creditors” also may include retailers that merely “process” credit applications.  Please visit our blog next week for a detailed analysis of the FTC’s guide. The guide is available here.

Draft Bill to Require Disclosure of Online Behavioral Tracking

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates.  This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices.  In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes.  The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used.  At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.  These Self-Regulatory Principles are designed to encourage industry self-regulation for the protection of consumer privacy in online advertising activities.  The FTC has been reviewing the privacy issues raised by online behavioral advertising over the course of the last decade.  An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007.  In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation.  If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

While there has been considerable discussion of online behavioral advertising, the placement of targeted ads on the Internet is not a new phenomenon.  A number of well-known companies, including Yahoo! and Microsoft, have made use of the technology for years.  Facebook has jumped on the bandwagon and notified advertisers that they could begin targeting ads to users based on language and location.  A posting on Facebook’s company blog indicated that the location and language features represented a “huge upgrade for Facebook’s targeting.”  The ability for advertisers to target specific users is significant given that Facebook recently announced that it expects to have 200 million users by the end of March 2009.  Google also announced that it will begin interest-based advertising that provides users with ads based on the types of websites they visit.  This service would supplement Google’s existing contextual advertising.  As part of its approach to targeted ads, and perhaps to allay privacy concerns, Google will offer users an opt-out in the form of a downloadable browser-level plug-in that restricts the use of interest-based ads.

The FTC’s online behavioral advertising principles are available here.

CVS Pays $2.25 Million in Record HIPAA Settlement

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically cited two examples of unfair or deceptive trade practices: CVS’s failure to render PHI unreadable before disposal, and the claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC and (2) although it is the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first settlement of $100,000 between HHS and Providence Health in July 2008.

In 2006, media exposés revealed that CVS employees disposed of prescription drug bottles with labels containing patient information, pharmacy orders, and other items potentially containing PHI in unsecured dumpsters that could be accessed by anyone.  These exposés prompted a joint investigation by OCR and the FTC which, the agencies allege, confirmed the allegations against CVS and resulted in the payment of the resolution amount, the CAP, and the FTC Consent Order.

The CAP, which applies for three years, requires CVS to: (1) develop privacy policies and procedures that provide for administrative and physical safeguards for the disposal of all non-electronic PHI; (2) implement a training program that instructs employees on how to adequately dispose of PHI; (3) develop plans to monitor compliance and report any noncompliance with the privacy policies and procedures; and (4) engage an independent third party to conduct an assessment of CVS’s compliance with the privacy policies and procedures.  The CAP also requires CVS to provide an initial “Implementation Report” as well as an annual “Periodic Report” to OCR and to retain all documents related to compliance with the CAP for six years.  The Consent Order with the FTC, which applies for twenty years, requires CVS to establish and implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer personal information and to engage an independent third party to conduct an initial assessment of CVS’s compliance with its privacy procedures (which can be the same assessment required by the CAP) as well as biennial assessments thereafter for the remainder of the twenty-year duration of the Consent Order.

The CVS settlement is just one of several recent developments that may herald the dawn of a new era of increased HIPAA enforcement.  Last November, the HHS Office of Inspector General published a report that encouraged the Centers for Medicare and Medicaid Services (“CMS”), which enforces HIPAA’s Security Rule, to conduct more frequent compliance reviews of HIPAA-covered entities.  This week, President Obama signed the economic stimulus package into law, which requires HIPAA-covered entities to notify affected individuals, HHS and the media of information security breaches, and also substantially revises HIPAA, providing for steeper fines and enabling state Attorneys General to bring enforcement actions for HIPAA violations.

Federal Trade Commission Issues Behavioral Advertising Report

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising.  This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007.  It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" versus contextual advertising.
 
Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here.

Telemarketers to Pay $1.2 Million in Civil Penalties for TSR Violations

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").

According to the FTC's complaints, one of the parties purchased telephone numbers from a lead-generating website that harvests consumer information through travel surveys, and the other obtained numbers from online sweepstakes entry forms.  In both cases, most of the numbers collected and called had been registered on the Do Not Call list.  

The FTC deemed the purported notification to consumers that they would receive telemarketing calls insufficient because the language was "buried in [the] 'terms and conditions' or 'privacy policy' pages" of the harvesting website.  The FTC also asserted that a waiver contained in the fine print on the back of the sweepstakes entry form did not provide the "express agreement" necessary to call consumers whose numbers are on the Do Not Call list.  The FTC repudiated the notion that completing the entry form had created an "established business relationship," stating that a reasonable consumer would not have expected that filling out the online form would result in telemarketing calls.

In addition to having called numbers on the Do Not Call registry, one of the parties was also charged with violations of the TSR's abandoned call provisions because it failed to connect calls to a sales agent within two seconds of the call recipient's completed greeting, the window the TSR allows before a call is treated as abandoned.

Links to the relevant complaints, as well as the consent orders entered by the federal court, can be found here on the FTC's website.