Privacy & Information Security Law Blog

On June 28, 2012, the UK Ministry of Justice outlined its negotiating position on the proposed EU Data Protection Regulation (the “Proposed Regulation”) in its published “Summary of Responses - Call for Evidence on Proposed EU Data Protection Legislative Framework” (the “Summary”).

The Call for Evidence sought to gain perspective and solicit feedback on how the Proposed Regulation would impact organizations and individuals in the UK. The responses received from the private sector were the most significant, which is not surprising given the potentially huge impact on business.

As reported in the Hunton Employment & Labor Perspectives Blog:

In recent years, the National Labor Relations Board ("NLRB") and unions have placed a growing emphasis on extending the application of labor law into the social media arena. As part of this initiative, the NLRB has adopted a strong stance against social media policies that it believes pose a threat to employees’ right to engage in protected activities under Section 7 of the National Labor Relations Act ("NLRA").

In recent weeks, both state and federal regulators have considered security breach notification legislation. On June 15, 2012, Connecticut Governor Dannel Malloy signed a budget bill that, among other things, amends the state’s security breach notification law. The changes, which will take effect on October 1, 2012, most notably require businesses to notify the state Attorney General no later than the time when notice of a security breach is provided to state residents. Although the law does not specify when notice must be provided to affected individuals, the law states that such notice must be made “without unreasonable delay,” subject to law enforcement delays and the completion of an investigation by the business to determine the nature and scope of the incident, to identify affected individuals, or to restore the reasonable integrity of the data system. As we previously reported, Vermont also recently amended its breach notification statute to require businesses to notify the state Attorney General within 14 days of discovering a security breach or concurrently when notifying consumers, whichever is sooner.

On June 26, 2012, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1.7 million settlement with the Alaska Department of Health and Social Services (“DHSS”) for violations of the HIPAA Security Rule. This is the first HIPAA enforcement action taken by HHS against a state agency. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that OCR “expect[s] organizations to comply with their obligations under [the HIPAA Security and Privacy Rules] regardless of whether they are private or public entities.”

On June 26, 2012, the Federal Trade Commission announced that it had filed suit against Wyndham Worldwide Corporation and three of its subsidiaries (“Wyndham”) alleging failures to maintain reasonable security that led to three separate data breaches involving hackers accessing sensitive consumer data. The FTC’s complaint claims that Wyndham violated the FTC Act by posting misleading representations on Wyndham websites regarding how the company safeguarded customer information, and by failing to provide reasonable security for personal information it collected ...

On June 6, 2012, the Article 29 Working Party (the “Working Party”) adopted WP 195 (the “Opinion”) setting out the requirements for Binding Corporate Rules (“BCRs”) for processors. Similar to WP 153, the Opinion lists the requirements to be covered in the processor BCRs application form and the BCRs document itself. The Opinion likely will be welcomed by processors, in particular those that provide large-scale, multinational data processing services.

On May 30, 2012, the Federal Trade Commission hosted a public workshop addressing the need for new guidance on advertising and privacy disclosures online and in mobile environments. During the workshop, the FTC announced that it hopes to release an updated version of its online advertising disclosure guidance this fall that would incorporate input from businesses and consumer advocates. Topics explored at the workshop included:

• Best practices for privacy disclosures on mobile platforms and how they can be short, effective and accessible to consumers;
• how to put disclosures in proximity to offers on mobile platforms;
• social media disclosures; and
• the placement of material information on webpages.

On June 15, 2012, the National Telecommunications and Information Administration (“NTIA”) announced that, in response to a substantial number of comments it received regarding mobile privacy issues, it will convene its first multistakeholder meeting on July 12 to begin the process of developing a code of conduct that promotes transparency in the mobile application context.

On May 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a draft anonymization code of practice (the “Code”) which will be open to public consultation until August 23, 2012. The purpose of the Code is to provide organizations with guidance on how personal data can be anonymized successfully, and how to assess the risk of individuals being identified using data that has been anonymized. The ICO also has launched a £15,000 invitation to tender to establish a network of experts to share best practices regarding anonymization.

On June 11, 2012, the Federal Communications Commission published in the Federal Register its final revised rules requiring prior express written consent for all autodialed or prerecorded telemarketing “calls” to wireless phones, and for prerecorded telemarking calls to residential lines. The FCC takes the position that the “calls” covered by this written consent requirement include essentially all marketing-oriented text messages. The FCC’s rules implement the findings of the Commission’s February 2012 Report and Order.

On June 7, 2012, the Federal Trade Commission announced settlement agreements with two businesses that allegedly exposed customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on their company computers and networks.

In its complaint against Franklin’s Budget Car Sales (“Franklin”), a Georgia automobile dealership that also provides financing services to its customers, the FTC alleged that Franklin failed to implement reasonable security measures to protect the consumer personal information that Franklin routinely collects in connection with its business. The FTC claimed that personal information of approximately 95,000 customers, including names, Social Security numbers, addresses, dates of birth, and drivers’ license numbers were made available and disclosed by a P2P application installed on a computer that was connected to Franklin’s computer network. In addition to alleging violations of Section 5 of the FTC Act, the FTC also claimed that Franklin violated the Gramm-Leach Bliley Act (“GLB”). This is the first FTC case against an auto dealer involving GLB violations. The FTC stated in its complaint that Franklin failed to implement reasonable security policies and procedures in violation of the GLB Safeguards Rule, and also failed to send consumers annual privacy notices and to provide the required opt-out mechanisms in violation of the GLB Privacy Rule.

As policymakers around the world consider revisions to existing privacy and data protection law, they often refer to “interoperability” as a mechanism to facilitate the flow of data across national and regional borders. Reports released this year by the Obama Administration and the Federal Trade Commission recognize the value of interoperability to the growth of the digital economy and improving privacy compliance. Principles underlying the APEC framework would support a system for transferring data across APEC economies, and the OECD has acknowledged that regulatory authorities worldwide share the responsibility of promoting the protection of cross-border data flows. But although interoperability is expected to help lower barriers to data transfers, simplify compliance and protect individuals’ rights, there has been little discussion of how interoperability would work in practice.

On June 7, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion analyzing the exemptions to the prior opt-in consent requirement for cookies. Although the Opinion focuses on cookies, the Working Party also notes that the same analysis applies to any technology allowing information to be stored or accessed on a user’s computer or mobile device.

On June 12, 2012, the Federal Trade Commission announced a settlement agreement with data broker Spokeo, Inc. (“Spokeo”). The FTC alleged that Spokeo operated as a consumer reporting agency and violated the Fair Credit Reporting Act (“FCRA”), and that certain of its advertisements were deceptive in violation of Section 5 of the FTC Act. The proposed settlement order imposes a $800,000 civil penalty on Spokeo and prohibits future violations of the FCRA. This is the first FTC case to address the sale of Internet and social media data in the employment screening context.

On May 24, 2012, Hunton & Williams LLP and Jordan Lawrence Group hosted a webcast on “Preparing for a New U.S. Privacy Landscape: An Overview of the FTC and White House Frameworks.” The webcast featured Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams, Aaron P. Simpson, partner at Hunton & Williams, and Rebecca Perry, Executive Vice President of Professional Services of Jordan Lawrence Group.

Hunton & Williams LLP is pleased to announce its 2012 top rankings from Chambers and Partners and The Legal 500: United States. The firm consistently has maintained its number one ranking in both surveys for its Privacy and Data Security practice.

On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

On June 1, 2012, the Attorney General of Vermont announced a series of recent legislative moves to enhance the state’s consumer protection laws, including amendments to Vermont’s security breach notification law. The changes, which were signed into law by Governor Peter Shumlin in early May, include a revised definition of “security breach,” the addition of a 45-day timing requirement for notifying affected consumers, and a requirement to notify the state Attorney General within 14 days of discovering the breach (or when notifying consumers, if sooner).

On May 24, 2012, the German Federal Government submitted to the Parliament (Bundestag) a proposal to amend the Geodatenzugangsgesetz, a federal law concerning access to geographical data that has been in force since 2009.

The current law implements Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (“INSPIRE”). In addition to establishing a national geographical data infrastructure, the law aims to provide a legal framework for (1) accessing geographical data, geographical data services and metadata of organizations that maintain such data, and (2) using such data and services, in particular with regard to measures that may affect the environment. The law applies to federal agencies and corporations under public law.

In recent months, two high-profile cases involving Hulu and Netflix have raised questions regarding the scope and application of the Video Privacy Protection Act (“VPPA”), a federal privacy law that has been the focus of increasing attention over the past few years. In the Hulu case, Hulu users claimed that the subscription-based video streaming service disclosed their viewing history to third parties.