Privacy & Information Security Law Blog

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

On September 25, 2012, the Federal Trade Commission announced that it had settled a case involving allegations of spying by software company DesignerWare, LLC (“DesignerWare”) and several rent-to-own companies that rent computers to consumers, such as Aaron’s, Inc., ColorTyme, Inc., and Premier Rental Purchase. The FTC collaborated with Illinois Attorney General Lisa Madigan in its investigation.

As reported in the Hunton Employment & Labor Perspectives Blog:

On September 20, 2012, Administrative Law Judge Clifford H. Anderson struck down telecommunications company EchoStar Corporation’s policy prohibiting employees from making disparaging comments about it on social media sites. The National Labor Relations Board (“NLRB”) judge found that the prohibition, as well as a ban on employees using social media sites with company resources or on company time, chilled employees’ exercise of their rights under Section 7 of the National Labor Relations Act (“NLRA”). The EchoStar decision comes on the heels of the NLRB’s recent ruling striking down Costco Wholesale Corporation’s policy barring employees from posting statements online that were harmful to the company’s reputation.

On September 27, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on complying with the requirements of the UK Data Protection Act 1998 (“DPA”) in the context of cloud computing services (the “Guidance”). In its Guidance, the ICO reminds data controllers that transferring personal data to the cloud does not absolve them of their compliance obligations under the DPA.

On September 20, 2012, Hunton & Williams LLP announced Lisa J. Sotto, head of the firm’s Global Privacy and Data Security practice and managing partner of the New York office, was named among Ethisphere Institute’s “Attorneys Who Matter” for 2012. The annual listing includes approximately 100 lawyers from a range of legal disciplines who surpass their peers based on their experience, public service, legal community engagement and client endorsement.

As reported in the Hunton Employment & Labor Perspectives Blog:

On September 7, 2012, the National Labor Relations Board invalidated Costco Wholesale Corp.’s policy of prohibiting employee electronic posts in its first decision involving an employer’s social media policy. In Costco Wholesale Corporation and UFCW Local 371, Case No. 3A-CA-012421, the Board held, among other things, that Costco’s rule prohibiting employees from posting statements electronically that “damage the Company, defame any individual or damage any person’s reputation” was overly broad. The Board reasoned that the policy language contained no restrictions on its application and, thus, clearly encompassed protected concerted communications, such as speech that is critical of Costco or its agents. Accordingly, the rule had a tendency to chill employees’ protected activity in violation of Section 8(a)(1) of the National Labor Relations Act, which makes it an unfair labor practice for an employer to interfere with, restrain, or coerce employees in the exercise of their rights guaranteed by Section 7.

On September 13, 2012, the PCI Security Standards Council (“PCI SSC”) issued new guidelines entitled “PCI Mobile Payment Acceptance Security Guidelines” (the “Guidelines”), which outline best practices for mobile payment acceptance security. As we reported in May, the PCI SSC Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet, detailing how merchants can more securely accept payments on mobile devices.

On September 17, 2012, the Department of Health and Human Services (“HHS”) announced a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (“MEEI”) for potential violations of the HIPAA Security Rule. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that organizations should pay special attention to safeguarding information “stored and transported on portable devices such as laptops, tablets, and mobile phones” and that “compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

On July, 19, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that the Principality of Monaco ensures an “adequate level of protection” for personal data within the meaning of the European Data Protection Directive (Article 25 of Directive 95/46/EC) (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection.

On September 12, 2012, Congressman Edward Markey (D-MA) released a bill that would require companies to tell customers about monitoring software installed on their mobile devices and obtain customers’ express consent before engaging in monitoring. These requirements would apply to mobile phone makers, network providers and application developers.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

On September 5, 2012, the Federal Trade Commission issued guidelines for mobile app developers entitled “Marketing Your Mobile App: Get It Right from the Start.” The guidelines are largely a distillation of the FTC’s previously expressed views on a range of topics that have relevance to the mobile app space. They are summarized below:

As of September 1, 2012, all personal data in Germany may only be processed and used for marketing purposes (including address trading) with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.

The American Bar Association Journal is compiling a list of the 100 best legal blogs of 2012 and is inviting readers to submit nominations. Click the voting button below to submit a nomination for Hunton & Williams' Privacy and Information Security Law. PR News named Hunton & Williams' Privacy Blog the Best Legal PR Blog of 2011.

Submissions are accepted through Friday, September 7th, so please vote!

On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.

On August 23, 2012, the Federal Trade Commission announced that it had filed suit against DISH Network LLC (“DISH Network”) alleging violations of the FTC’s Telemarketing Sales Rule (“TSR”). The FTC’s complaint claims that DISH Network is a “seller” and “telemarketer” as such terms are defined by the TSR because the company sells satellite television programming to consumers and also markets its programming through a variety of methods, including telemarketing. According to the complaint, since September 2007, DISH Network has engaged in initiating ...

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.