Scott Technology Attorneys

In a report released by the Federal Trade Commission (“FTC”) in February 2013, the FTC makes recommendations for best practices concerning privacy disclosures in the hope of making them more effective. While noting the proliferation of smart phone usage and accessibility of apps, as well as the increasing amount of transparent personal data being shared across platforms, the report’s focus with regard to its recommendations is disclosure.

Read more

Last month, California Governor Jerry Brown signed Assembly Bill 1844 into law, making California the third state, behind Maryland and Illinois, to create statutory privacy protections for social media users from their employers. Senate Bill 1349 applies the same prohibitions on the state’s colleges and universities.

Read more

While data privacy and compliance professionals clamor for a single, Federal data breach notification statute, states have continued to establish and amend their own medley of breach notification statutes. As of September, 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance under these evolving and sometimes divergent state notification frameworks both technically and logically challenging for organizations that find themselves cleaning up after a data breach.

Read more

In August of 2012, the Sixth Circuit ruled on a case that determined who is responsible for the costs associated with loss of data arising from a hacking incident in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed their systems and harvested the credit card and checking account information for more than 1.4 million DSW customers. In its efforts to conduct thorough investigations into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M.

Read more

On June 15, 2012, Connecticut amended the state’s security breach notification law. The amendment will go into effect on October 1, 2012, and requires businesses to notify the state Attorney General when notice of a security breach is provided to state residents—with such notice to affected residents to be provided “without unreasonable delay.” Connecticut follows Vermont as the second state this summer to amend its data breach statute to require notice to be given to the state’s Attorney General.

Read more

On June 26th, the Office for Civil Rights (OCR),the federal agency that enforces the privacy and security regulations underHIPAA, published theprotocol it uses to conduct the audits required by the 2009 HITECH Act. Accordingto OCR, the protocol is designed to analyze the “processes, controls, andpolicies” of covered entities in an effort to measure compliance under theHIPAA mandate. OCR set out three different areas that will be analyzed underthis audit protocol: 1) privacy; 2) security; and 3) breach notification.

Read more

On April 26, 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). According to the bill sponsors, CISPA is an essential update to the National Security Act of 1947 that adds provisions allowing for information about “cyber threats” to be shared between the government and private industry.

Read more

In late February 2012, the White House outlined a consumer data privacy framework that includes a “Consumer Privacy Bill of Rights” in a report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In it, the administration sets out a plan for a four-element approach to protection of consumer privacy: 1) enumerate the consumer privacy rights; 2) encourage industry developed of codes of conduct; 3) strengthen FTC enforcement power; and 4) ensure interoperability with international privacy rules and regulations.

Read more

On November 8, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services notified members of its HIPAA Privacy Rule listserv that it will begin conducting a pilot program of the audit requirement under Section 13411 of the HITECH Act. In the communication, OCR indicated that it will perform approximately 150 audits of covered entities in order to assess the protocols established for conducting the audits as well as to uncover any additional risks or vulnerabilities in the privacy and security rules themselves. The targeted covered entities will be notified of the request for their participation sometime this month, with OCR’s goal to conclude these pilot program audits by the end of next year.

Read more

The U.S. House Judiciary Committee will consider the Stop Online Piracy Act ("SOPA") on November 16, a bill designed to complement the proposed PROTECT IP Act in the Senate in efforts to fight online piracy and copyright infringement.

Read more

Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”

Read more

Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the Do Not Track Online Act, discussed here previously, and the comprehensive, Commercial Privacy Bill of Rights Act sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.

Read more

Last month, California Representative Jackie Speier introduced H.R. 654, the so-called Do Not Track Me Online bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data), to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.

Read more

In a ruling handed down on December 14, 2010, the Sixth Circuit in United States v. Warshak held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.

Read more

Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota as the remaining states without data breach notification laws, Mississippi joins the vast majority of states to have passed such legislation. House Bill 583 will not go into effect until July 1, 2011, but its form and structure tracks many other states’ notice requirements in the event of a data breach.

Read more

The FTC recently approved a settlement with Dave & Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.

Read more

Read more

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.

Read more

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”

Read more

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Read more

 In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.

Read more

 By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data.

Read more

The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others. 

Read more

The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a Constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury warrant will be required before law enforcement officials can access personal information about the Internet users.  

Read more

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years. 

Read more

 Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers.

Read more

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available here) is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006.  

Read more

In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products. 

Read more