Privacy & Information Security Law Blog

On August 30, 2012, Taiwan’s Executive Yuan announced that the Personal Data Protection Act will become effective on October 1, 2012. In connection with the announcement, the Executive Yuan also proposed several amendments to certain controversial provisions to be discussed by the Legislative Yuan in September.

Reportedly, the amendments would include the following changes:

1. adding “medical records” as a type of sensitive personal data, and inserting exceptions to restrictions on the use of sensitive personal data (e.g., for public interest reasons or with the data ...

On July 31, 2012, Minnesota Attorney General Lori Swanson announced a $2.5 million settlement with Accretive Health, Inc. (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, and various Minnesota debt collection and consumer protection laws. As we previously reported in January 2012, Accretive, which acted as a business associate to two Minnesota hospital systems, experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

On August 15, 2012, Philippines President Benigno S. Aquino III signed the Data Privacy Act of 2012 passed earlier this year by the Philippine Senate and House of Representatives. Concerns about the creation of the National Privacy Commission and the criminal penalties associated with the Act delayed final enactment.

On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. At first blush, the case may appear to be a simple FCRA matter – the FTC alleged that HireRight functioned as a consumer reporting agency when providing employment screening services to companies, but then failed to take steps to assure the accuracy of those reports and prevented consumers from dispute inaccurate information. Despite initial appearances, however, the case has broader geopolitical implications.

On August 10, 2012, a federal district court in California denied Hulu’s motion to dismiss the remaining claim in a putative class action suit alleging that the online streaming video provider transmitted users’ personal information to third parties in violation of the Video Privacy Protection Act (“VPPA”). The VPPA prohibits a “video tape service provider” from transmitting personally identifiable information of “consumers,” except in certain, limited circumstances. According to the complaint, Hulu allegedly allowed KISSmetrics, a data analytics company, to place tracking codes on the plaintiffs’ computers that re-spawned previously-deleted cookies, and shared Hulu users’ video viewing choices and “personally identifiable information” with third parties, including online ad networks, metrics companies and social media networks.

On July 24, 2012, Lisa J. Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams LLP, gave a presentation on “Data Privacy in the Global Era” to the Western Independent Bankers Service Corporation. Sotto discussed U.S., EU and other international privacy laws, with a focus on two specific areas of interest, cloud computing and vendor management. 

On August 10, 2012, the Federal Trade Commission announced that it has accepted the final settlement with Facebook which resolves allegations “that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” As we previously reported, the settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information; (2) obtain users’ “affirmative express consent” before sharing their information with any third ...

On August 8, 2012, the Federal Trade Commission announced a settlement agreement with employment screening company HireRight Solutions, Inc. (“HireRight”). In its first enforcement action against an employment background screening company for Fair Credit Reporting Act (“FCRA”) violations, the FTC alleged that HireRight functioned as a consumer reporting agency, but failed to comply with certain FCRA requirements. The proposed consent order imposes a $2.6 million penalty on HireRight and requires the company to remedy the alleged FCRA violations, create and retain certain records and submit reports to demonstrate compliance.

As reported in the Hunton Employment & Labor Perspectives Blog:

The National Labor Relations Board ("NLRB") has again asserted its willingness to encroach upon employers’ long standing legitimate employment policies in a non-unionized workforce. In Banner Health System, 358 NLRB No. 93 (July 30, 2012), the Board held that a blanket policy prohibiting an employee from discussing an ongoing investigation violates section 8(a)(1) of the National Labor Relations Act.

Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) published a Bulletin signaling its intent to regulate and exercise enforcement authority over service providers to financial institutions. Pursuant to Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act and its implementing regulation, Regulation P, the CFPB has authority over certain large banks, credit unions and other consumer financial services companies. The Bulletin notes that the CFPB’s goal is to ensure compliance with “[f]ederal consumer financial law,” which includes the Gramm-Leach-Bliley Act and its implementing regulations, the Privacy Rule and the Safeguards Rule.

In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.

On August 1, 2012, the Federal Trade Commission announced that it is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). According to the FTC, the second-round revisions modify certain COPPA Rule definitions to “clarify the Rule’s scope and strengthen its protections for the online collection, use, or disclosure of children’s personal information.” The FTC developed these new definitions after reviewing the 350 public comments submitted in response to the Commission’s September 2011 proposal to amend the Rule.