Privacy & Cybersecurity

According to the Federal Trade Commission, the most remarkable aspect of Upromise, an online college savings program, was not how much its users saved. Rather, it was how much they were giving away.

Since it's traditionally the time for new beginnings and resolutions to clear away old habits, we'd like to pass on some tips for improving privacy and security in your operations -- and in your own life --  in 2012.

Adoption of cloud computing is certainly on the increase -- but 2011 has seen evidence of some of the risks associated with moving to the cloud. Notable among the year's data breaches was the breach at e-mail marketer Epsilon Data. 

Following on the heels of Facebook's landmark settlement with the Federal Trade Commission, a bipartisan group of members of the House of Representatives has apparently read the "new and improved" Facebook privacy policy and were not impressed.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” --  Federal Trade Commission Chairman Jon Leibowitz

The ruling by Judge Lynn Hughes of the Southern District of Texas last week, declaring unconstitutional a provision of the Stored Communications Act (SCA) of 1986, won’t add much to the privacy debate.

If you're a power Facebook user, you are likely tired of the constant changes to privacy settings. At last count, the most recent change was the 13th. This report may make your day.

Senators John Kerry and John McCain today requested that the Department of Commerce and the Federal Trade Commission issue their final reports on consumer privacy protections. Both agencies released draft reports identifying large holes in current privacy protections in December 2010, but have not yet issued final reports.

Can you identify the major problems lurking in this one short paragraph?  We've given you some help.

In yet another privacy class action addressing the question of whether data breach claimants have suffered legally cognizable damages, the First Circuit’s ruling in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011), reversed the trial court’s dismissal of negligence and implied contract claims arising from a 2007 breach of Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit card and debit card numbers.

The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks.

My colleagues, Robert Delahunt, Jr. and Matthew Levitt, have authored an excellent advisory on cyberbullying that should be required reading for every parent.

Nemours Children’s Health System has reported the loss of three, unencrypted computer backup takes containing patient billing and employee payroll data.  The tapes had been stored in a locked cabinet, and were reported missing on September 8th. 

We have a new expert in the house for cybersecurity, privacy and technology issues. Our government relations affiliate, ML Strategies has announced a new Manager of Government Relations,  Rachel Sanford. 

We update the myriad of state data breach notification laws on a quarterly basis in what we fondly call the Mintz Data Breach Matrix. Hot off the presses is the version current as of October 1, 2011. 

In an important ruling for Internet service providers, the U.S. Court of Appeals for the Ninth Circuit has  unanimously affirmed the ruling of a district court that the provisions of the Electronic Communications Privacy Act of 1986 (ECPA) prohibiting internet service providers from disclosing the contents of stored communications protect the U.S.-stored electronic communications of foreign citizens.

Connecticut Attorney General George Jepsen has announced the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers.

The Federal Trade Commission has released its long anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. 

In a mixed decision, a federal court judge in New York dismissed federal statutory claims arising from Web-based advertisers' use of cookies that tracked users' Web browsing activities, but denied a motion to dismiss claims under state law.

Recently the California Public Utilities Commission (CPUC) in a unanimous decision approved data protection rules for the following Smart Grid providers: Pacific Gas and Electric Company, Southern California Edison, San Diego Gas and Electric Company, and the companies that assist them in utility operations, companies under contract with the utilities, and other companies that, after authorization by a customer or by the action of the CPUC, gain access to such customer's usage data directly from the utility.