Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting that the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”

FTC Kicks Off Privacy Roundtable Series

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

The event’s closing session – “Exploring Existing Regulatory Frameworks” – featured several speakers including Barbara Lawler of Intuit who provided an overview of the Business Forum for Consumer Privacy's “Use-and-Obligations” approach to privacy governance.  The Business Forum’s paper is available here.  In response to the FTC's request for greater simplicity, Professor Fred Cate suggested a framework based on three categories of information-related activities:  those that are prohibited or heavily disfavored, those that are permitted without specific notice or consent, and a large middle ground that applies consent requirements on a sliding scale from implied to explicit.  The panel’s tone indicated a general consensus that the "notice and choice" privacy governance model is becoming increasingly irrelevant.  At the IAPP conference the following day, EPIC’s Marc Rotenberg agreed that "notice and choice is only effective when the consumer has real choices to make."

The FTC’s Exploring Privacy series will continue with roundtables scheduled for January 28, 2010, in Berkeley, California and March 17, 2010, in Washington, DC.  The FTC is expected to complete the creation of the record during the January session and to explore future initiatives at the meeting in March.

Senior Staff Changes at FTC Bureau of Consumer Protection Increase Privacy Profile

Senior staff changes at the Federal Trade Commission have enhanced privacy’s profile within the agency.  Jessica Rich is the new Deputy Director of the Bureau of Consumer Protection.  Ms. Rich had been the Acting Associate Director responsible for the Division of Privacy and Identity Protection following nearly a decade as Assistant Director of that Division, and has long been seen as the FTC staff’s privacy thought leader.  The new Associate Director of the Privacy Division is Maneesha Mithal, who brings a strong international background to the position.  The new Assistant Director is Mark Eichorn, a longtime attorney advisor to Chairman Jon Leibowitz.  Joel Winston, the Associate Director in charge of the Division of Financial Practices, previously led the Division of Privacy and Identity Protection and brings a great deal of privacy experience to the financial practices position.

The FTC begins a major privacy initiative on Monday, December 7, when it will hold the first of three roundtables exploring future directions for privacy oversight.  The second roundtable will be in Berkeley on January 28, 2010, with the third in Washington in the second half of March.

FTC Voices Strong Support for Federal Data Security Legislation

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

Ms. Harrington stated that the FTC views lax data security as a threat to the marketplace and, therefore, strongly supports the proposed legislation.  The legislation is limited in scope to address only electronic data, but the FTC advocated expanding that scope to include hard copy data.  The FTC also supported provisions in the proposed statute that give consumers rights to access and dispute the accuracy of information held by data brokers, but sought assurances that such rights would be compatible with and not displace the existing protections afforded to consumers under the Fair Credit Reporting Act.

In the FTC’s view, a key provision of the legislation is the grant of authority to the Commission to impose civil penalties for violations.  Ms. Harrington contrasted this proposed authority with the FTC's current data security enforcement mechanism, which is generally limited to the injunctive relief the agency seeks when alleging that information security practices are unfair or deceptive under Section 5 of the FTC Act.  The proposed legislation, on the other hand, would allow the FTC to undertake enforcement actions against practices it deems harmful to consumers, irrespective of whether such practices could be construed as unfair or deceptive.  In addition, the rulemaking authority the legislation provides would enable the FTC to promulgate enforceable regulations establishing standards for data security.

Statements and testimony of Ms. Harrington and other witnesses are available here.

CVS Pays $2.25 Million in Record HIPAA Settlement

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit a Corrective Action Plan (“CAP”) to HHS after an extensive nationwide investigation by the HHS Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”), which revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically highlighted CVS’s failure to render PHI unreadable before disposal, as well as the claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations, as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC, and (2) although it is only the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first, a $100,000 settlement between HHS and Providence Health in July 2008.

In 2006, media exposés revealed that CVS employees disposed of prescription drug bottles with labels containing patient information, pharmacy orders, and other items potentially containing PHI in unsecured dumpsters that could be accessed by anyone.  These exposés prompted a joint investigation by OCR and the FTC which, the agencies say, confirmed the allegations against CVS and resulted in the payment of the resolution amount, the CAP, and the FTC Consent Order.

The CAP, which applies for three years, requires CVS to: (1) develop privacy policies and procedures that provide for administrative and physical safeguards for the disposal of all non-electronic PHI; (2) implement a training program that instructs employees on how to properly dispose of PHI; (3) develop plans to monitor compliance and report any noncompliance with the privacy policies and procedures; and (4) engage an independent third party to conduct an assessment of CVS’s compliance with the privacy policies and procedures.  The CAP also requires CVS to provide an initial “Implementation Report” as well as an annual “Periodic Report” to OCR and to retain all documents related to compliance with the CAP for six years.  The Consent Order with the FTC, which applies for twenty years, requires CVS to establish and implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer personal information, and to engage an independent third party to conduct an initial assessment of CVS’s compliance with its privacy procedures (which can be the same assessment required by the CAP) as well as biennial assessments thereafter for the remainder of the twenty-year term of the Consent Order.

The CVS settlement is just one of several recent developments that may herald the dawn of a new era of increased HIPAA enforcement.  Last November, the HHS Office of Inspector General published a report that encouraged the Centers for Medicare and Medicaid Services (“CMS”), which enforces HIPAA’s Security Rule, to conduct more frequent compliance reviews of HIPAA-covered entities.  This week, President Obama signed the economic stimulus package (the American Recovery and Reinvestment Act, whose HITECH Act provisions amend HIPAA) into law.  It requires HIPAA-covered entities to notify affected individuals, HHS and the media of information security breaches, and also substantially revises HIPAA, providing for steeper fines and enabling state Attorneys General to bring enforcement actions for HIPAA violations.

Federal Trade Commission Issues Behavioral Advertising Report

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising.  This report analyzes the comments received from interested parties in response to the proposed self-regulatory principles issued by the Commission in December 2007.  It covers a wide range of issues, including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of the principles to "first party" and contextual advertising.
Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here.

Telemarketers to Pay $1.2 Million in Civil Penalties for TSR Violations

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").

According to the FTC's complaints, one of the parties purchased telephone numbers from a lead-generating website that harvests consumer information through travel surveys, and the other obtained numbers from online sweepstakes entry forms.  In both cases, most of the numbers collected and called had been registered on the Do Not Call list.

The FTC deemed insufficient the purported notice to consumers that they would receive telemarketing calls, because the language was "buried in [the] 'terms and conditions' or 'privacy policy' pages" of the harvesting website.  The FTC also asserted that a waiver contained in the fine print on the back of the sweepstakes entry form did not provide the "express agreement" necessary to call consumers whose numbers are on the Do Not Call list.  The FTC rejected the notion that completing the entry form had created an "established business relationship," stating that a reasonable consumer would not have expected that filling out the online form would result in telemarketing calls.

In addition to having called numbers on the Do Not Call Registry, one of the parties was also charged with violations of the TSR's abandoned call provisions because it failed to connect calls to a sales representative within two seconds of the call recipient's completed greeting.

Links to the relevant complaints, as well as the consent orders entered by the federal court, can be found here on the FTC's website.