Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When encountering these protective measures, consumers often avoid or turn off privacy features of technologies that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring the achieved objectives.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.

The lack of meaningful consent has raised the possibility that privacy is moving beyond the advise-and-consent model toward a post-disclosure era.  It remains to be seen how the post-disclosure era will evolve and how the new paradigm will replace consumer notice and choice.  The FTC is examining the issue, and aims to publish a report by July 2010.  Although the final content of the report is yet to be determined, Chairman Leibowitz stated, “I have a sense, and it’s still amorphous, that we might head toward opt-in.”

For further information, view The New York Times blog post.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”
 

The event’s closing session – “Exploring Existing Regulatory Frameworks” – featured several speakers including Barbara Lawler of Intuit who provided an overview of the Business Forum for Consumer Privacy's “Use-and-Obligations” approach to privacy governance.  The Business Forum’s paper is available here.  In response to the FTC's request for greater simplicity, Professor Fred Cate suggested a framework based on three categories of information-related activities:  those that are prohibited or heavily disfavored, those that are permitted without specific notice or consent, and a large middle ground that applies consent requirements on a sliding scale from implied to explicit.  The panel’s tone indicated a general consensus that the "notice and choice" privacy governance model is becoming increasingly irrelevant.  At the IAPP conference the following day, EPIC’s Marc Rotenberg agreed that "notice and choice is only effective when the consumer has real choices to make."

The FTC’s Exploring Privacy series will continue with roundtables scheduled for January 28, 2010, in Berkeley, California and March 17, 2010, in Washington, DC.  The FTC is expected to complete the creation of the record during the January session and to explore future initiatives at the meeting in March.

In reaching the decision, Judge Reggie Walton is reported to have stated that he was reluctant to conclude that Congress intended to regulate lawyers when it enacted the FACT Act, which the Red Flags Rule implements.  The court also questioned the FTC's broad interpretation of the term "creditor." Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.  Notably, the Judge's comment may leave the door open for other challenges to the Rule by myriad small businesses whom the FTC considers "creditors" subject to the Rule.

It is reported that the court granted an injunction against the enforcement of the Rule and a declaratory judgment finding that lawyers are not subject to the Rule.  The FTC is expected to appeal the decision.

Although numerous organizations such as the American Medical Association have expressed their objections to the scope of the rule, the American Bar Association (“ABA”) escalated matters in August 2009 by requesting a federal court to issue an injunction that bars the FTC from enforcing the Red Flags Rule with respect to attorneys.  The ABA argues in its complaint that there is no “legally supportable basis for application of the red flags rule to lawyers engaged in the practice of law.”  On September 23, 2009, the ABA filed a motion for summary judgment in the case, and the FTC responded by filing a memorandum in opposition that argues that “subjecting attorneys to the Red Flags Rule is based on the attorney’s billing arrangement with clients—essentially an accounting function—and not on some essential element of the lawyer-client relationship, such as the protection of client confidences.”  The District Court of the District of Columbia has scheduled a hearing on the ABA’s motion on October 29, 2009, just three days before the Red Flags Rule is set to take effect.

On October 20, 2009, the House of Representatives approved H.R. 3763, which amends the Fair Credit Reporting Act to exclude health care, accounting and legal practices with 20 or fewer employees from being deemed “creditors” subject to the Red Flags Rule.  In addition to the specific exemptions for small health care providers, accounting firms, and law firms, H.R. 3763 also allows the FTC to exclude any other business from the definition of “creditor” if the business applies for an exclusion and either (1) knows all of its customers or clients individually; (2) only performs services in or around the residences of its customers; or (3) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.  Finally, the bill requires the FTC to issue regulations within 180 days of the enactment of the bill that set forth the process by which businesses may apply for these exclusions.  Despite the House’s passage of the bill, there has been no similar legislation introduced in the Senate and it is unclear whether there are any plans to do so before the November 1st deadline.

The FTC also announced today a settlement with Iconix Brand Group, Inc., which owns, licenses and markets apparel brands including Candie's, Mudd, Bongo and OP.  The FTC alleged violations of the Children’s Online Privacy Protection Act ("COPPA") and Section 5 of the FTC Act.  As to the COPPA violations, the FTC noted that several of the brands' websites collected full dates of birth, presumably putting the company on notice that it had collected information from individuals under the age of 13 although it did not notify parents in advance or seek their consent.  In addition, the brands' privacy statements included a representation that the company does not "seek to collect" personal information from individuals under the age of 13, which the FTC charged was a deceptive trade practice in violation of Section 5 of the FTC Act.  Iconix agreed to pay $250,000 in civil money penalties and to delete all information collected and maintained in violation of COPPA, in addition to other equitable measures such as training employees.

Yesterday, the FTC announced that ChoicePoint, Inc. agreed to strengthen its data security in order to settle charges that it failed to implement a comprehensive information security program as required by the earlier consent order it entered into with the agency following its well-publicized 2005 security breach.  This agreement, which expands the company's obligations under the original consent order, follows a security breach that occurred in 2008.  ChoicePoint allegedly turned off a security feature used to monitor access to one of its databases and failed to detect that the feature was disabled for four months.  During that period, the FTC alleged that the personal information of 13,750 people was compromised, putting them at risk of identity theft.  In addition to paying $275,000 to be used for consumer redress, the modified court order requires ChoicePoint to report to the FTC every two months for the next two years, providing "detailed information about how it is protecting the breached database and certain other databases and records containing personal information."

The three cases, following closely on the heels of seven Safe-Harbor-related settlements, demonstrate the FTC's resolve to enforce more aggressively and levy larger fines when settling cases.

The Guides address the application of Section 5 of the FTC Act to the use of endorsements and testimonials in advertising.  Although the Guides provide a basis for voluntary compliance with the law by advertisers and endorsers, practices inconsistent with them may result in enforcement action by the FTC.  The Guides set forth general principles that the FTC intends to use in evaluating endorsements and testimonials, together with examples illustrating the application of those principles.

First issued in 1975 and 1980, these Guides generally require that endorsements reflect the honest opinion of the endorser and not contain representations that would be deceptive if made by the advertiser.  In November 2008, the Commission proposed amendments to the Guides, including changes to clarify the obligations of bloggers and other users of new communication technologies and advertising strategies.  In the final Guides, as under the pre-amendment Guides, when an expert or celebrity receives payment to endorse a company’s product in advertisements, the company does not need to explicitly disclose the fact of the payment in advertisements, since the public generally understands that experts and celebrities endorse products because they are paid to do so.  Conversely, when a non-expert or non-celebrity endorses a product (e.g., a “man-on-the-street” testimonial), any payment must be disclosed, since the public generally does not expect such endorsement to have been influenced by payment.  The amended Guides provide a new example of this principle in the online context:  an employee of a manufacturer of MP3 players visits an online MP3 discussion board and posts comments promoting her employer’s products without disclosing the employment relationship.  As a result, whether or not a company has its own blog or engages third-party bloggers, there may be some risk of enforcement based on employee activities.  The amendment explains that the employee should disclose the relationship, since knowledge of the poster’s employment likely would affect the weight or credibility of her endorsement.  The scope of the amendments suggest that the FTC’s view on this matter would extend to promotional comments made by persons with such undisclosed material connections to the promoted company in any emerging communications tool, such as online discussion boards, blogs, social networking sites, Twitter, etc.

To mitigate risk given the FTC’s new focus on this sort of activity, businesses may wish to (i) require their employees to disclose the employment relationship when making online comments that promote the employer or its products, (ii) require that such comments be vetted by the business, or (iii) prohibit employees from making online comments.  Businesses should also consider training employees on any such policies that the business may establish.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  A company under the FTC’s jurisdiction that self-certifies to the Safe Harbor principles but fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits deceptive trade practices. 

In this case, the FTC successfully argued that, regardless of the company’s data protection practices, falsely claiming to be Safe Harbor certified could constitute a violation of the FTC Act in and of itself.  The defendants have been ordered to appear on September 25, 2009 to show cause why the court should not enter a preliminary injunction prohibiting further violations.

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

• The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
• Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
• The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Diane Feinstein introduced a data breach notification law in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill  which is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

The final rules and guidelines include provisions allowing consumers to dispute inaccuracies in their credit files directly with entities that furnish information to credit reporting agencies, including financial institutions and other organizations.  The Agencies’ guidelines specify the steps credit information furnishers should take to ensure the accuracy and integrity of the information they provide to credit reporting agencies, including suggestions such as when it may be necessary to provide supplemental information in order to avoid creating misleading impressions about creditworthiness.  The accuracy and integrity of information contained in credit reports is critical to individual consumers, as this information is used to assess eligibility for credit, employment, insurance and housing, and consumers with errors in their credit reports may be denied access to benefits.    

A copy of the final rules and guidelines is available here.

Behavioral advertising involves collecting and analyzing information about consumer online behavior for marketing-related purposes, such as serving targeted ads, or developing purchase propensity models. In the U.S., the practice has come under scrutiny by consumer groups, legislators and the FTC. The FTC published a second report on its own proposed self-regulatory principles on February 12, 2009.

The new self-regulatory guidelines are based on seven principles: Education, Transparency, Consumer Control, Data Security, Consent to Material Changes, Sensitive Data and Accountability. The principles call on participating organizations to (i) conduct outreach campaigns to educate consumers about behavioral advertising, (ii) provide clear disclosures about their online behavioral advertising practices (including notices at data collection points), (iii) allow consumers to choose whether their data is used for behavioral advertising, (iv) provide security for consumer information and limit its retention, (v) obtain consumer consent to material changes regarding the use of their information, and (vi) require parental consent for the use of information collected from children under the age of 13. The principles also call for establishing an accountability program for monitoring compliance with the guidelines and reporting non-compliance to appropriate government agencies. The Better Business Bureau and the Direct Marketing Association are currently working together to develop accountability mechanisms, which are intended to be in place by early 2010.

The publication detailing the Self-Regulatory Principles is available at www.iab.net/behavioral-advertisingprinciples.

The enforcement action began after Sears disseminated a “research” software application for consumers to download and install on their home computers in connection with the “My SHC Community” program.  According to the FTC, Sears represented to consumers that this software application, if downloaded and installed, would track consumers’ “online browsing” activities.  The FTC alleged that Sears failed to disclose to consumers that the application would (i) track nearly all of the consumers’ online behavior (including information provided in secure sessions with third-party websites, shopping carts and online accounts), (ii) track certain offline activity on the computer, and (iii) transmit most of the tracked information to Sears’ remote computer servers.  In its complaint, the FTC argued that these facts would be material to consumers when deciding whether to install the software, and Sears’ failure to disclose the information constituted a deceptive act in violation of Section 5 of the FTC Act.  The FTC acknowledged the application “functioned and transmitted information substantially as described in the [Privacy Statement and User License Agreement],” but noted that this disclosure was available only in the lengthy agreement provided near the end of the multi-step registration process.

As part of the proposed settlement, Sears has agreed to do the following:

• Disclose to consumers all of the types of data that will be tracked by any software program or application disseminated by or on behalf of Sears, its subsidiaries or affiliates, that is capable of being installed on consumers’ computers and is used to monitor, record or transmit information about activities occurring on those computers or data that may be stored on, created on, or transmitted to or from those computers.  Disclose how data collected by such an application may be used, and whether the data may be used by a third party.  In accordance with the settlement, this information must be provided to the consumer on a distinct page prior to the display of any privacy policy, terms of use or end user license agreement.
• Obtain express, opt-in consent from consumers to the download of any such application and the collection of data through use of a button or link that is not pre-selected and is clearly labeled.
• Provide notification within thirty days of approval of the settlement to consumers who previously installed such an application.  This notification must explain (i) that they installed a Sears’ tracking application, (ii) that the application collects and transmits data as described in the company’s “Privacy Statement & User License Agreement,” and (iii) how they may uninstall the application.  The notification must be prominently posted on the My SHC Community website for two years from approval of the settlement.
• Within three days of the approval of the settlement, discontinue collecting any data transmitted by such applications installed prior to approval of the settlement.
• Within five days of the approval of the settlement, destroy any information collected about consumers by Sears through the use of the application in all cases where the application was installed prior to approval of the settlement.

While the Rule does not explicitly contemplate a category of entities that are "at low risk for identity theft," the imposition of less onerous requirements on lower-risk entities is consistent with the Rule'’s risk-based approach to combating identity theft.  To take advantage of the template, an entity first must assess whether it is at low risk for identity theft.  The FTC suggests that low risk may be shown by factors such as knowing customers personally, providing services at customers'’ homes, not having experienced fraud based on identity theft in the past and being in a line of business in which it is uncommon to experience fraud due to identity theft.  These factors are not exhaustive, however, as the template requires entities to also consider their unique circumstances in determining their identity theft risk level.  The assessment and the resulting conclusion must be documented in the template. 

The FTC template then guides low-risk entities through the requirements of the Rule by asking them to identify red flags they may experience in their business if a consumer tries to obtain a product or service via identity theft.  The template assists low-risk entities in selecting methods to detect and respond to red flags and administering their Identity Theft Prevention Programs, including implementing updates and managing service providers.  Unlike the Rule, the template requires low-risk entities to document only the final, streamlined Identity Theft Prevention Program (which may be done by simply printing the completed template) and, as compared to the Rule, appears to place less emphasis on the process by which the program is developed.  The template'’s program administration requirements are also less onerous than those contemplated by the Rule.

Notably, the template does not address the issue of whether an entity is subject to the Rule; rather, it assists only in implementation of an Identify Theft Prevention Program once the entity has determined that it is subject to the Rule and is a low-risk entity. In other words, the template does not assist entities in the determination of whether they are financial institutions or creditors, nor does it assist entities in determining whether they have "covered accounts" that necessitate implementation of an Identity Theft Prevention Program, although these issues have been the subject of much debate and confusion among business interests.  In order to make these determinations, businesses may look to the Rule and the FTC’s Red Flags Guide for guidance.

The FTC Identity Theft Prevention Program compliance template for entities that are at low risk for identity theft is available here.  

Ms. Harrington stated that the FTC views lax data security as a threat to the marketplace and, therefore, strongly supports the proposed legislation.  The legislation is limited in scope to address only electronic data, but the FTC advocated expanding that scope to include hard copy data.  The FTC also supported provisions in the proposed statute that give consumers rights to access and dispute the accuracy of information held by data brokers, but sought assurances that such rights would be compatible with and not displace the existing protections afforded to consumers under the Fair Credit Reporting Act.

In the FTC’s opinion, a key provision of the legislation grants the Commission authority to impose civil penalties for violations.  Ms. Harrington contrasted this proposed authority with the FTC's current data security enforcement mechanism that is generally limited to injunctive relief the agency seeks when alleging that information security practices are unfair or deceptive under Section 5 of the FTC Act.  The proposed legislation, on the other hand, would allow the FTC to undertake enforcement actions against practices it deems harmful to consumers, irrespective of whether such practices could be construed as unfair or deceptive.  In addition, the rulemaking authority the legislation provides would enable the FTC to promulgate enforceable regulations establishing standards for data security.  

Statements and testimony of Ms. Harrington and other witnesses are available here.

While there has been considerable discussion of online behavioral advertising, the placement of targeted ads on the Internet is not a new phenomenon.  A number of well-known companies, including Yahoo! and Microsoft, have made use of the technology for years.  Facebook has joined the bandwagon and notified advertisers that they could begin targeting ads to users based on language and location.  A posting on Facebook’s company blog indicated that the location and language features represented a “huge upgrade for Facebook’s targeting.”  The ability for advertisers to target specific users is significant given that Facebook recently announced that it expects to have 200 million users by the end of March 2009.  Google also announced that it will begin interest-based advertising that provides users with ads based on the types of websites they visit.  This service would supplement Google’s existing contextual advertising.  As part of its approach to targeted ads, and perhaps to allay privacy concerns,  Google will offer users an opt-out by downloading a browser level plug-in to restrict the use of interest-based ads.   

The FTC’s online behavioral advertising principles are available here.

In 2006, media exposés revealed that CVS employees disposed of prescription drug bottles with labels containing patient information, pharmacy orders, and other items potentially containing PHI in unsecured dumpsters that could be accessed by anyone.  These exposés prompted a joint investigation between the OCR and the FTC which the agencies allege confirmed the allegations against CVS and resulted in the payment of the resolution amount, the CAP, and the FTC Consent Order.

The CAP, which applies for three years, requires CVS to: (1) develop privacy policies and procedures that provide for administrative and physical safeguards for the disposal of all non-electronic PHI; (2) implement a training program that instructs employees on how to adequately dispose of PHI; (3) develop plans to monitor compliance and report any noncompliance with the privacy policies and procedures; and (4) engage an independent third-party to conduct an assessment of CVS’s compliance with the privacy policies and procedures.  The CAP also requires CVS to provide an initial “Implementation Report” as well as an annual “Periodic Report” to the OCR and to retain all documents related to compliance with the CAP for six years.  The Consent Order with the FTC, which applies for twenty years, requires CVS to establish and implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer personal information and to engage an independent third party to conduct an initial assessment of CVS’ compliance with its privacy procedures (which can be the same assessment required by the CAP) as well as biennial assessments thereafter for the remainder of the twenty-year duration of the Consent Order.

The CVS settlement is just one of several recent developments that may herald the dawn of a new era of increased HIPAA enforcement.  Last November, the HHS Office of Inspector General published a report that encouraged the Centers for Medicare and Medicaid Services (“CMS”), which enforces HIPAA’s Security Rule, to conduct more frequent compliance reviews of HIPAA-covered entities.  This week, President Obama signed the economic stimulus package into law, which requires HIPAA-covered entities to notify affected individuals, HHS and the media of information security breaches, and also substantially revises HIPAA, providing for steeper fines and enabling state Attorneys General to bring enforcement actions for HIPAA violations.
 

According to the FTC's complaints, one of the parties purchased telephone numbers from a lead-generating website that harvests consumer information through travel surveys, and the other obtained numbers from online sweepstakes entry forms.  In both cases, most of the numbers collected and called had been registered on the Do Not Call list.  

The FTC deemed insufficient putative notification to consumers that they would receive telemarketing calls because the language was "buried in [the] 'terms and conditions' or 'privacy policy' pages" of the harvesting website.  The FTC also asserted that a waiver contained in the fine print on the back of the sweepstakes entry form did not provide the "express agreement" necessary to call consumers whose numbers are on the Do Not Call list.  The FTC repudiated the notion that completing the entry form had created an "established business relationship," stating that a reasonable consumer would not have expected that filling out the online form would result in telemarketing calls.

In addition to having called numbers on the Do Not Call registry, one of the parties was also charged with violations of the TSR's abandoned call provisions because it failed to connect calls to a sales agent within two seconds of when the call recipient answered.

Links to the relevant complaints, as well as the consent orders entered by the federal court, can be found here on the FTC's website.