Privacy & Cybersecurity

Senators John Kerry and John McCain today requested that the Department of Commerce and the Federal Trade Commission issue their final reports on consumer privacy protections. Both agencies released draft reports identifying large holes in current privacy protections in December 2010, but have not yet issued final reports.

Can you identify the major problems lurking in this one short paragraph?  We've given you some help.

In yet another privacy class action addressing the question of whether data breach claimants have suffered legally cognizable damages, the First Circuit’s ruling in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011), reversed the trial court’s dismissal of negligence and implied contract claims arising from a 2007 breach of Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit card and debit card numbers.

The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks.

My colleagues, Robert Delahunt, Jr. and Matthew Levitt, have authored an excellent advisory on cyberbullying that should be required reading for every parent.

Nemours Children’s Health System has reported the loss of three, unencrypted computer backup takes containing patient billing and employee payroll data.  The tapes had been stored in a locked cabinet, and were reported missing on September 8th. 

We have a new expert in the house for cybersecurity, privacy and technology issues. Our government relations affiliate, ML Strategies has announced a new Manager of Government Relations,  Rachel Sanford. 

We update the myriad of state data breach notification laws on a quarterly basis in what we fondly call the Mintz Data Breach Matrix. Hot off the presses is the version current as of October 1, 2011. 

In an important ruling for Internet service providers, the U.S. Court of Appeals for the Ninth Circuit has  unanimously affirmed the ruling of a district court that the provisions of the Electronic Communications Privacy Act of 1986 (ECPA) prohibiting internet service providers from disclosing the contents of stored communications protect the U.S.-stored electronic communications of foreign citizens.

Connecticut Attorney General George Jepsen has announced the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers.

The Federal Trade Commission has released its long anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. 

In a mixed decision, a federal court judge in New York dismissed federal statutory claims arising from Web-based advertisers' use of cookies that tracked users' Web browsing activities, but denied a motion to dismiss claims under state law.

Recently the California Public Utilities Commission (CPUC) in a unanimous decision approved data protection rules for the following Smart Grid providers: Pacific Gas and Electric Company, Southern California Edison, San Diego Gas and Electric Company, and the companies that assist them in utility operations, companies under contract with the utilities, and other companies that, after authorization by a customer or by the action of the CPUC, gain access to such customer's usage data directly from the utility.

Texas covered entities (health care providers, health insurers and clearinghouses) and other entities that use and disclose PHI of Texas residents using electronic health records (EHRs) face new risks and stringent requirements under HB300, a new Texas privacy law. 

It is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance.   GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit program. 

Regular readers of this blog will be familiar with my view that difficulty in proving actual damages poses challenges to would-be plaintiffs in privacy class actions. 

In a settlement announced by the Federal Trade Commission (“FTC”) on June 27, 2011, Teletrack, Inc. agreed to pay $1.8 million to settle FTC charges that it violated the Fair Credit Reporting Act (“FCRA”) by selling consumer reports to marketers without a “permissible purpose.”

Bank Info Security reports that a magistrate for the U.S. District Court in Maine issued an Order that further defines what constitutes “reasonable” security practices.

On Monday, a federal judge in Los Angeles issued an order granting final approval to a previously-announced settlement of consolidated class actions alleging that the use of so-called “flash cookies” in connection with advertising on web sites resulted in unauthorized tracking of web users’ browsing activity.

The United States District Court for the Northern District of California has dismissed the claims of the plaintiffs against Facebook in the case of In re: Facebook Privacy Litigation.