On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.
Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and marketed Juxtapid (which is labeled with a warning about liver toxicity) without proper directions for use.
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., (“Raleigh Orthopaedic”) and New York-Presbyterian Hospital (“NYP”) for HIPAA Privacy Rule violations.
On April 14, 2016, after four years of drafting and negotiations, the long awaited EU General Data Protection Regulation (“GDPR”) has been adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.
On March 16, 2016, and March 17, 2016, respectively, the Department of Health and Human Services (“HHS”) announced resolution agreements with North Memorial Health Care of Minnesota (“North Memorial”) and The Feinstein Institute for Medical Research (“Feinstein Institute”) over potential violations of the HIPAA Privacy Rule.
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.
On February 3, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”) violated the HIPAA Privacy Rule and ordered the company to pay $239,800 to OCR.
On December 30, 2015, Taiwan’s Office of the President issued an order to promulgate certain amendments (the “Amendments”) to Taiwan’s Personal Data Protection Law (the “PDPL”). The Amendments revise 12 articles in the PDPL. The Amendments concern the collection and use of sensitive personal data, the form of consent for the collection and use of non-sensitive personal data, and the imposition of criminal liability for violations of certain provisions of the PDPL. The Amendments are expected to become effective in the first half of 2016 on a date to be determined by the Executive Yuan.
On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.
On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.
On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.
On December 17, 2015, the Federal Trade Commission announced that LifeLock, Inc. (“LifeLock”) has agreed to pay $100 million to settle contempt charges for deceptive advertising. According to the FTC, “[t]his is the largest monetary award obtained by the Commission in an order enforcement action.” Under the terms of the settlement, $68 million of the settlement amount will be paid to class action consumers who were injured by the identity theft protection company’s violation of a 2010 settlement with the FTC that required LifeLock to protect consumer information. The rest of the money will be used for settlements with state attorneys general, and any remaining money will go to the FTC. The case is Federal Trade Commission v. LifeLock Inc., et al. (2:10-cv-00530), in the U.S. District Court for the District of Arizona.
On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.
On December 14, 2015, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with the University of Washington on behalf of the university’s medical center, medical school and affiliated labs and clinics (collectively, “UW Medical”).
On November 5, 2015, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.
On November 13, 2015, the French Data Protection Authority (“CNIL”) announced its decision in a case against Optical Center, imposing a fine of €50,000 on the company for violations related to the security and confidentiality of its customers’ personal data.
On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.
On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.
On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.
On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.
On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.
On May 28, 2015, the German government adopted a draft law that would require telecommunications and Internet service providers to retain Internet and telephone usage data. The initiative comes more than a year after the European Court of Justice declared the EU Data Retention Directive invalid, which had been implemented previously by German law. The German law implementing the EU Data Protection Directive had been declared unconstitutional by the German Federal Constitutional Court five years ago.
On May 26, 2015, the Upper House of the Dutch Parliament passed a bill that introduces a general obligation for data controllers to notify the Dutch Data Protection Authority (“DPA”) of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. A Dutch Royal Decree still needs to be adopted to set the new law’s date of entry into force. According to the Dutch DPA, the new law is likely to come into force on January 1, 2016.
On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.
The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $125,000 settlement with Cornell Prescription Pharmacy (“Cornell”) in connection with the disposal of prescription records in an unsecured dumpster on Cornell’s premises. After receiving a report from a Denver television station regarding Cornell’s disposal practices, the HHS’ Office for Civil Rights (“OCR”) investigated Cornell and found several HIPAA Privacy Rule violations, including that Cornell had failed to:
On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:
- personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
- a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
- unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).
On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.
On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.
On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.
On January 28, 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) on a website specifically created for public debate on the draft bill. The text of the bill (in Portuguese) is available on the website. (http://participacao.mj.gov.br/)
Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.
On January 5, 2015, the Alameda County District Attorney’s Office announced that Safeway Inc. (“Safeway”) has agreed to pay $9.87 million to settle claims that the company unlawfully disposed of customer medical information and hazardous waste in violation of California’s Confidentiality of Medical Information Act and Hazardous Waste Control Law. In a series of waste inspections from 2012 to 2013, a group of California district attorneys and environmental regulators found that Safeway was disposing of both its pharmacy customers’ confidential information and various types of hazardous wastes in the company’s dumpsters. Based on the investigation, 42 California district attorneys and two city attorneys brought a complaint on December 31, 2014, alleging, among other things, that more than 500 Safeway stores and distribution centers engaged in the disposal of their customers’ medical information in a manner that did not preserve the confidentiality of the information.
On December 18, 2014, the Financial Crimes Enforcement Network (“FinCEN”) issued a $1 million civil penalty against Thomas E. Haider, the former Chief Compliance Officer of MoneyGram International, Inc. (“MoneyGram”). In a press release announcing the assessment, FinCEN alleged that during Haider’s oversight of compliance for MoneyGram, he failed to adequately respond to thousands of customer complaints regarding schemes that utilized MoneyGram to defraud consumers. In coordination with FinCEN, the U.S. Attorney’s office in the Southern District of New York filed a civil complaint on the same day, seeking a $1 million civil judgment against Haider to collect on the assessment and requesting injunctive relief barring him from participating in the affairs of any financial institution located or conducting business in the United States.
On December 19, 2014, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the Federal Communications Commission.
The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $150,000 settlement with Anchorage Community Mental Health Services, Inc. (“ACHMS”) in connection with a data breach caused by malware. ACHMS, which provides nonprofit behavioral health care services in Alaska, experienced a breach in March 2012 that affected the electronic protected health information (“ePHI”) of 2,743 individuals. After ACHMS reported the breach to the HHS Office for Civil Rights (“OCR”), OCR investigated ACHMS and found several HIPAA Security Rule violations, including that ACHMS had failed to:
On November 17, 2014, the Federal Trade Commission announced that data privacy certifier True Ultimate Standards Everywhere, Inc. (“TRUSTe”) has agreed to settle charges that the company deceived consumers about its recertification program and misrepresented that it was a non-profit entity in violation of Section 5 of the FTC Act.
On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.
The UK government has announced proposals designed to make it easier for the Information Commissioner’s Office (“ICO”) to fine companies responsible for nuisance calls and text messages. Under the proposals, the current maximum fine of £500,000 would remain unchanged, but the threshold for imposing fines would be lowered.
On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.
On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.
On October 8, 2014, the Federal Trade Commission announced an $80 million settlement with mobile phone carrier AT&T Mobility, LLC (“AT&T”) stemming from allegations related to mobile cramming. The $80 million payment to the FTC is part of a larger $105 million settlement between AT&T and various federal and state regulators, including the Federal Communications Commission and the attorneys general of all 50 states and the District of Columbia. According to the FCC, “[t]he settlement is the largest enforcement action in FCC history.”
On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.
On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.
On September 4, 2014, the Federal Trade Commission announced a proposed settlement with Google Inc. (“Google”) stemming from allegations that the company unfairly billed consumers for mobile app charges incurred by children. The FTC’s complaint alleges that since 2011, Google violated the FTC Act’s prohibition on unfair commercial practices by billing consumers for in-app charges made by children without the authorization of the account holder.
On June 23, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $800,000 settlement with Parkview Health System, Inc. (“Parkview”) following a complaint involving patient medical records that were dumped by Parkview employees and left unattended on a physician’s driveway.
On May 7, 2014, the Department of Health and Human Services (“HHS”) announced that NewYork-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date, to settle charges that they potentially violated the HIPAA Privacy and Security Rules.
On April 23, 2014, the Department of Health and Human Services (“HHS”) announced settlements with two health care companies stemming from allegations of inadequate information security practices in the wake of investigations involving stolen laptop computers. Concentra Health Services (“Concentra”) and QCA Health Plan Inc. (“QCA”) will collectively pay nearly $2 million to settle the claims.
On April 9, 2014, the Federal Trade Commission announced settlements with two data brokers, Instant Checkmate, Inc. (“Instant Checkmate”) and InfoTrack Information Services, Inc. (“InfoTrack”), which sell public record information about consumers. The settlements stem from allegations that Instant Checkmate and InfoTrack violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the FTC asserts that the companies violated the FCRA by “providing reports about consumers to users such as prospective employers and landlords without taking reasonable steps to make sure that they were accurate, or without making sure their users had a permissible reason to have them.”
On March 7, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $215,000 settlement with Skagit County, Washington, following a security breach that affected approximately 1,600 individuals.
Triple-S Management Corporation reported in the 8-K it recently filed with the U.S. Securities and Exchange Commission that its health insurance subsidiary, Triple-S Salud, Inc. (“Triple S”), which is Puerto Rico’s largest health insurer, will be fined $6.8 million for a data breach that occurred in September 2013. The civil monetary penalty, which is being levied by the Puerto Rico Health Insurance Administration, will be the largest fine ever imposed following a breach of protected health information.
On January 31, 2014, the Federal Trade Commission announced a settlement with GMR Transcription Services, Inc. (“GMR”) stemming from allegations that GMR’s failure to provide reasonable security allowed certain patients’ medical transcripts to be exposed to the public on the Internet. The FTC issued an accompanying press release stating it was the FTC’s 50th data security settlement.
On January 16, 2014, the Federal Trade Commission announced a settlement with TeleCheck Services, Inc., and its affiliated debt-collection entity, TRS Recovery Services, Inc. (collectively, “TeleCheck”). The settlement stems from allegations that TeleCheck violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the settlement is “part of a broader initiative to target the practices of data brokers, which often compile, maintain, and sell sensitive consumer information” and is similar to an FTC settlement with a different company in August 2013.
On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.
On December 26, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $150,000 settlement with Adult & Pediatric Dermatology, P.C. (“APDerm”), a private dermatology practice based in Massachusetts, following a security breach that affected approximately 2,200 individuals. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that “[c]overed entities of all sizes need to give priority to securing electronic protected health information.”
In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.
On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:
On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...
On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.
As reported in the Hunton Employment & Labor Perspectives Blog:
The U.S. District Court for the District of New Jersey recently ruled that non-public Facebook wall posts are protected under the Federal Stored Communications Act (the “SCA”) in Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-CV-3305 (WMJ) (D.N.J. Aug. 20, 2013). The plaintiff was a registered nurse and paramedic at Monmouth-Ocean Hospital Service Corp. (“MONOC”). She maintained a personal Facebook profile and was “Facebook friends” with many of her coworkers but none of the MONOC managers. She adjusted her privacy preferences so only her “Facebook friends” could view the messages she posted onto her Facebook wall. Unbeknownst to the plaintiff, a coworker who was also a “Facebook friend” took screenshots of the plaintiff’s wall posts and sent them to a MONOC manager. When the manager learned of a wall post in which the plaintiff criticized Washington, D.C. paramedics in their response to a museum shooting, MONOC temporarily suspended the plaintiff with pay and delivered a memo warning her that the wall post reflected a “deliberate disregard for patient safety.” The plaintiff subsequently filed suit alleging violations of the SCA, among other claims.
On September 4, 2013, the Federal Trade Commission announced a settlement with TRENDnet, Inc. (“TRENDnet”) stemming from allegations that TRENDnet’s failure to provide reasonable security for its Internet Protocol (“IP”) security cameras allowed hackers to publicly post online live feeds from approximately 700 customers’ cameras. As the FTC noted in its press release, “this is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”
On August 28, 2013, on the UK Information Commissioner’s Office’s (“ICO’s”) blog, Simon Rice, Technology Group Manager for the ICO, discussed the importance of encryption as a data security measure. He stated that storing any personal information is “inherently risky” but encryption can be a “simple and effective means” to safeguard personal information and reduce the risk of security breaches.
On August 15, 2013 the Federal Trade Commission announced a settlement with Certegy Check Services, Inc. (“Certegy”) stemming from allegations that Certegy violated various provisions of the Fair Credit Reporting Act (“FCRA”). The settlement agreement includes a $3.5 million civil penalty for “knowing violations ... that constituted a pattern or practice of violations.”
On August 14, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1,215,780 settlement with Affinity Health Plan (“Affinity”) stemming from a security breach that affected approximately 350,000 individuals.
On July 16, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the “Provisions”). The Provisions, which will take effect on September 1, 2013, are intended to implement the general requirements set forth in last December’s Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (the “Resolution”). The Provisions are the first specific regulations concerning personal information protection by telecommunications service providers in China.
On July 3, 2013, the French Data Protection Authority (“CNIL”) released its decision in a case against PS Consulting, imposing a fine of €10,000 on the information systems consulting company for violations related to the operation of its CCTV system.
On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).
On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.
On May 30, 2013, the European Court of Justice held that Sweden failed to fulfill its obligations under EU law when it delayed complying with the Court’s 2010 ruling regarding the country’s implementation of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”). The Court ordered Sweden to pay a lump sum of €3,000,000.
On May 20, 2013, the Estonian Data Protection Inspectorate issued its Annual Report 2012 (the “Report,” summary available in English). The number of inquiries, complaints and supervision proceedings have remained the same over the last few years. The main topics of complaints include employment relations, CCTV, electronic direct marketing and social media. The Inspectorate stated that its primary goal is to stop violations of the law, not to impose sanctions. According to the Report, the Inspectorate issued orders regarding compliance in 48 cases and imposed fines in 39 cases.
On April 10, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) enacted two draft rules (“Provisions on the Protection of Personal Information of Telecommunications and Internet Users” and “Provisions on the Registration of Real Identity Information of Telephone Users”) to solicit public comments. The comment period is open until May 15, 2013. Both Drafts include proposals for substantial provisions on the protection of personal information and were enacted according to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (issued by the Standing Committee in December 2012) and some other telecommunications rules.
On March 20, 2012, the UK Information Commissioner’s Office announced that it has issued a monetary penalty of £90,000 against DM Design Bedrooms Ltd. (“DM Design”) for making thousands of unwanted marketing calls.
On March 1, 2013, the German Federal Council (Bundesrat) passed a new registration law after insisting on a number of important amendments (in German). Among other issues covered in the bill, the new law regulates how businesses can obtain the registered addresses of individuals in Germany from Germany’s public authorities (“official address data”) and use that information for commercial purposes.
On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.
On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.
On February 1, 2013, the Federal Trade Commission issued a new report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. The report makes recommendations “for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures,” offering specific recommendations for mobile platforms, app developers, advertising networks and other third parties operating in this space. The FTC’s report also makes mention of the Department of Commerce’s National Telecommunications and Information Administration’s efforts to engage in a multistakeholder process to develop an industry code of conduct for mobile apps.
On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) served Sony Computer Entertainment Europe Limited (“Sony”) with a monetary penalty of £250,000 resulting from a serious breach of the Data Protection Act 1998. An April 2011 security incident involving the Sony PlayStation Network Platform affected the personal data of millions of customers, including names, addresses, email addresses, dates of birth, account passwords and credit card details.
On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.
On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”
On November 28, 2012, the UK Information Commissioner’s Office (“ICO”) issued monetary penalties totaling £440,000 to two owners of a marketing company that sent millions of unlawful spam SMS text messages over a period of three years.
On November 7, 2012, the Federal Trade Commission announced that it had settled charges against payday lending and check cashing companies alleged to have improperly disposed of consumers’ personal information. In its complaint, the FTC maintained that PLS Financial Services, Inc., and The Payday Loan Store of Illinois violated the FTC’s Disposal Rule as well as the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule by disposing of documents that contained consumers’ Social Security numbers, bank account numbers and credit reports in unsecured dumpsters near the companies’ payday lending and check cashing retail stores. The FTC also alleged that the companies violated the FTC Act by misrepresenting that they would reasonably protect consumer information.
On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.
On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO has imposed a monetary penalty of £120,000 and issued an enforcement notice against Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information related to a child protection case by email in an unmarked and unprotected manner to the incorrect email address.
On October 10, 2012, the Federal Trade Commission announced that consumer reporting agency Equifax Information Services LLC (“Equifax”) and several of its customers, including Direct Lending Source, Inc. (“Direct Lending”), have agreed to pay a combined total of nearly $1.6 million to settle FTC allegations that they violated the Fair Credit Reporting Act (“FCRA”) in connection with the sale of data regarding consumers in financial distress.
On October 4, 2012, the Federal Trade Commission announced that Artist Arena LLC (“Artist Arena”), an operator of fan websites for several popular recording artists, agreed to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule (“the Rule”) by improperly collecting personal information from children under the age of 13 without first obtaining verifiable parental consent. The settlement will impose a $1 million penalty on Artist Arena, bar future violations of the Rule and require deletion of the information collected in violation of the Rule.
On September 17, 2012, the Department of Health and Human Services (“HHS”) announced a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (“MEEI”) for potential violations of the HIPAA Security Rule. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that organizations should pay special attention to safeguarding information “stored and transported on portable devices such as laptops, tablets, and mobile phones” and that “compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. At first blush, the case may appear to be a simple FCRA matter – the FTC alleged that HireRight functioned as a consumer reporting agency when providing employment screening services to companies, but then failed to take steps to assure the accuracy of those reports and prevented consumers from dispute inaccurate information. Despite initial appearances, however, the case has broader geopolitical implications.
On August 8, 2012, the Federal Trade Commission announced a settlement agreement with employment screening company HireRight Solutions, Inc. (“HireRight”). In its first enforcement action against an employment background screening company for Fair Credit Reporting Act (“FCRA”) violations, the FTC alleged that HireRight functioned as a consumer reporting agency, but failed to comply with certain FCRA requirements. The proposed consent order imposes a $2.6 million penalty on HireRight and requires the company to remedy the alleged FCRA violations, create and retain certain records and submit reports to demonstrate compliance.
In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.
On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.
In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.
In recent weeks, both state and federal regulators have considered security breach notification legislation. On June 15, 2012, Connecticut Governor Dannel Malloy signed a budget bill that, among other things, amends the state’s security breach notification law. The changes, which will take effect on October 1, 2012, most notably require businesses to notify the state Attorney General no later than the time when notice of a security breach is provided to state residents. Although the law does not specify when notice must be provided to affected individuals, the law states that such notice must be made “without unreasonable delay,” subject to law enforcement delays and the completion of an investigation by the business to determine the nature and scope of the incident, to identify affected individuals, or to restore the reasonable integrity of the data system. As we previously reported, Vermont also recently amended its breach notification statute to require businesses to notify the state Attorney General within 14 days of discovering a security breach or concurrently when notifying consumers, whichever is sooner.
On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.
In the past month, the Department of Health and Human Services (“HHS”) sent its final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget (“OMB”) and announced a $100,000 settlement with Phoenix Cardiac Surgery, P.C. for violations of the HIPAA Rules.
On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.
On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. (“MPI”), a property management firm, executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of an unencrypted company-issued laptop. The laptop contained personal information of more than 600 Massachusetts residents and was left in an employee’s car overnight. MPI has indicated that it has no evidence of unauthorized access to or use of the personal information in connection with this breach.
On March 13, 2012, the Department of Health and Human Services (“HHS”) announced that it had settled the first case related to the HITECH Act Breach Notification Rule. BlueCross Blue Shield of Tennessee (“BCBS Tennessee”) agreed to pay $1.5 million to settle potential HIPAA violations related to the October 2009 theft of 57 unencrypted hard drives containing protected health information (“PHI”) from a network data closet at a leased facility leased in Chattanooga, Tennessee.
The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:
“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”
Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.
On January 17, 2012, the European Commission initiated expedited infringement proceedings against Hungary over recent changes to its Constitution which are considered incompatible with EU law. The proceedings follow a number of changes made to the Hungarian Constitution that came into effect on January 1, 2012. Of particular concern to the Commission are amendments affecting the independence of the national data protection authority. The Hungarian government has one month to comply, or face enforcement proceedings in the European Court of Justice.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code