I. COMMUNICATIONS PRIVACY
Andrew Bridges will be participating in a panel on intellectual property issues at PLI’s Communications Law in the Digital Age 2009 seminar in New York City on November 12, 2009. For more information and to register, visit http://www.pli.edu/product/seminar_detail.asp?id=48723.
An amendment to the Telemarketing Sales Rule (TSR), which was passed last year by the Federal Trade Commission (FTC), took effect on September 1, 2009. The amendment expressly prohibits telemarketing sales calls that deliver pre-recorded messages, whether answered in person by a consumer or by an answering machine or voice-mail service, unless the seller has previously obtained the recipient's signed, written agreement to receive such calls. Prior to the amendment, the TSR included an exception to the prohibition on pre-recorded telemarketing calls where the seller had an established business relationship with the recipient. Under the TSR, the FTC, states, and private citizens may bring civil actions in federal district courts to enforce the TSR. Anyone who violates the TSR is subject to civil penalties of up to $11,000 per violation. In addition, violators may be subject to nationwide injunctions that prohibit certain conduct, and may be required to pay redress to injured consumers. However, it should be noted that the TSR only applies to interstate telemarketing calls, not intrastate telemarketing calls.
TIP: Advertisers should review their telemarketing efforts to ensure that any interstate pre-recorded calls made by them or on their behalf by a third-party agency are made only to recipients who have provided their express, written consent to receive such calls, as there will no longer be any pre-existing business relationship exemption.
The FTC is currently seeking comment on proposed rules to amend the Telemarketing Sales Rule ("TSR") to address "pervasive illegal conduct" in the sale of debt relief services. The rules would (i) impose fee restrictions, (ii) require various specified disclosures, and (iii) prohibit certain marketing activities in connection with debt relief services. If adopted, the rule would significantly impact the manner in which (i) debt relief services (a term given an expansive definition in the proposal) could be marketed and (ii) providers could charge consumers for services. In addition, the rule would bring consumers' inbound calls to debt relief services within the scope of the rule, provided the call is made in response to an advertisement. Bona fide nonprofit organizations that provide debt relief services are exempt from the TSR and the proposed rule, but third-party companies providing services to non-profit entities, such as telemarketers, are not. The FTC will accept comments through October 9, 2009.
TIP: If your company offers debt relief services or marketing services for any debt-relief company, the rule could have a significant impact on your operations. You should review the proposed rule and supplemental information, and submit your comments to the FTC. If the rule is enacted, you should review your policies, procedures, and other materials to ensure compliance.
The United States brought suit under CAN-SPAM against Impulse Media Group ("Impulse") for e-mails sent by its affiliates. Impulse operated an affiliate program named "SoulCash" in which affiliates earned money every time they referred a customer who subscribed to one of Impulse's websites. Impulse argued that it should not be liable under CAN-SPAM because it did not intend for its affiliates to send such messages. Specifically, the SoulCash terms prohibited affiliates from sending unsolicited e-mails. The court found that CAN-SPAM requires that a plaintiff prove that the defendant intentionally paid or induced another party to send a commercial e-mail. Because it was unclear whether Impulse intended its affiliates to use commercial e-mail to drive traffic to its websites, the court denied the government's summary judgment motion.
TIP: You can be liable for violation of CAN-SPAM if you pay compensation to affiliates as an inducement to send commercial e-mails. However, taking affirmative steps to ensure that your affiliates do not send e-mails in violation of CAN-SPAM may help insulate you from liability.
When Anthony La Russa, manager of the St. Louis Cardinals, learned that an unknown Twitter user created an account at twitter.com/TonyLaRussa and pretended to post updates as La Russa, he filed suit against the unknown user and Twitter in the Superior Court of San Francisco, alleging trademark infringement and dilution, cybersquatting, and misappropriation of name and likeness. Twitter removed the page within 30 minutes of the lawsuit being filed and La Russa's attorney reported that Twitter agreed to pay legal fees and make a donation to La Russa's Animal Rescue Foundation to settle the case. However, Twitter has announced that it will not settle and plans to fight the suit. It should be noted that, assuming this case does not settle, it is questionable whether La Russa will be successful on his cybersquatting claim, as the cybersquatting provisions of the Lanham Act seem to only cover domain names, not user names in social networking websites.
TIP: Brand owners should monitor social networking websites to ensure that their brands are not being squatted and take prompt action if they are.
II. ONLINE CONTRACTS
Andrew Bridges and Becky Troutman will be speaking on open source updates at the Silicon Valley Association of General Counsel All Hands Meeting on December 3, 2009 in Santa Clara, CA. To learn more, and to register, visit http://www.ivyevents.com/allhands/index.php?q=home.
Blockbuster operates an online service where consumers can rent videos online, and, through a contract Blockbuster has with Facebook, consumers' movie rental choices will then be placed on the consumers' Facebook pages. Blockbuster was sued by a group of consumers who objected to this practice. The group argued that the posting of their video choices on Facebook violated the Video Privacy Protection Act, which requires that before information about movie selections can be transmitted to third parties, the individual must first give his or her informed, written consent. Blockbuster argued that before consumers could use the online service, they first had to click to accept terms and conditions, which prohibited the filing of a class action, and contained a mandatory arbitration provision. Blockbuster therefore tried to avoid the lawsuit by having it dismissed in favor of the mandatory arbitration. The plaintiffs argued, and the court agreed, that the terms as a whole, including the arbitration provision, were illusory and unenforceable. The plaintiffs argued that because the terms gave Blockbuster the right to amend the agreement at any time in its sole discretion, and because those revised terms would become effective immediately after they were posted online, the entire terms were illusory, making the arbitration provision unenforceable.
TIP: Consider whether a unilateral right to modify or terminate your website terms is appropriate, as at least one court has held that it causes the entire terms to be unenforceable.
A District Court in Maryland recently denied a motion to dismiss for lack of personal jurisdiction, rejecting the Defendants' argument that they were not bound by the forum selection clause in the website's Terms of Use agreement. The plaintiff, CoStar Realty Information, owns a database of photos of real property around the country and it licenses its information to users for a subscription fee. CoStar filed suit against the defendants after they had accessed the database without authorization using another's password. The court reasoned that the forum selection clause bound the defendants in light of the fact that a user must accept the Terms of Use the first time the user accesses the database and had to periodically assent to the Terms of Use during the four years they accessed the database. The court noted that the "Subscriber Login Area" of the website states that by logging in to the database, the user agrees to the Terms of Use and the first time an authorized user accesses the database, a pop-up screen containing the Terms of Use appears, requiring the user to scroll through and affirmatively accept the Terms of Use.
TIP: The more conspicuous you make your website Terms of Use, the more likely a court is to find your Terms of Use enforceable.
Plaintiff sued Expedia in the Eastern District of Missouri despite a provision in Expedia's terms and conditions stipulating that all disputes be brought in the courts of Kings County, Washington. In order to book travel through Expedia, a user must either create an account or log in as a guest. Either way, the user must click to agree to Expedia's terms and conditions. Expedia moved to dismiss based on the venue selection clause. The plaintiff claimed that he had never accepted the terms because he never saw or read them and that someone else may have clicked the button agreeing to the terms without his knowledge. The court granted Expedia's motion to dismiss, rejecting the plaintiff's argument because he did not present any evidence that someone else set up the account used to purchase the travel at issue, which was associated with his own e-mail address. The court further reasoned that even if the plaintiff never knew that he created a user account or that an account was created for him, he was still bound by Expedia's user agreement because a link to the full text of the agreement is found at the bottom of every Web page and the agreement specifically states that users consent to be bound by the agreement by accessing and using the website.
TIP: Companies should ensure that their user agreements are available from every page on their website.
A couple who had used the Swimming Pool & Allied Trades Association Ltd. (SPATA) - an industry group that provides listings of manufacturers - to select a swimming pool manufacturer to assist in building their pool sued SPATA for statements on its website about the manufacturer they selected. The couple, Mr. and Mrs. Patchett, had used SPATA's website to choose a builder to construct a pool for them, and that builder subsequently went bankrupt. The Patchetts alleged that SPATA should be held responsible under its website's stated warranty, namely that "SPATA pool installer members are fully vetted....with checks on their financial record, their experience...and inspections of their work." And even: "only SPATA registered pool and spa installers belong to SPATASHIELD, SPATA's unique Bond and Warranty Scheme offering customers peace of mind that their installation will be completed fully to SPATA Standards come what may!" Notwithstanding these statements, website visitors were encouraged to obtain the SPATA information pack before choosing a builder. The Patchetts did not do so. If they had they would have learned that their choice of builder was only an affiliate member and that the SPATA warranty only applied to full members of SPATA. In a 2 to 1 decision, the English Court of Appeal rejected the Patchetts' warranty claim. The court found that the Patchetts failed to establish that SPATA owed them a duty of care (a necessary requirement to establish SPATA liability for a claim of negligent misstatement under English law).
TIP: Under English law, representations you make on your website that relate to product warranties may be negated by additional documentation. Nevertheless, companies are advised to ensure that their online disclosures closely track the terms of relevant contracts, and that all material terms are clearly disclosed online.
III. BLOGGING
The New York Attorney General recently settled with Lifestyle Lift ("Lifestyle"), a cosmetic surgery franchise, over allegations that Lifestyle posted fake customer reviews of its services on its blog and other websites. According to the NY AG, Lifestyle employees were instructed to pose as satisfied consumers and publish positive reviews of Lifestyle's cosmetic surgery services on various websites, as well as attack posts published by actual consumers that criticized Lifestyle's services. Lifestyle also created its own websites, which appeared to have been created by independent consumers, to serve as a forum for consumers to share their Lifestyle experiences. In fact, the majority of posts on the website were created by Lifestyle employees and those that were posted by actual consumers were modified by Lifestyle in the company's favor. In one instance, a fake online journal was created to document a consumer's experience from first consultation to two months post-procedure. The journal, which was not created or maintained by one of Lifestyle's consumers, contained pictures and details such as the names of the consumer's children and encouraged others to take advantage of Lifestyle's services. The AG alleged that publishing consumer reviews without disclosing that the reviews were written and published by Lifestyle and not by consumers constituted deceptive commercial practices, false advertising, and fraudulent and illegal conduct under the New York and federal consumer protection law. Lifestyle's settlement with the AG's office includes $300,000 in penalties and an agreement that Lifestyle employees will not pose as consumers and Lifestyle will not promote its services online without clearly and conspicuously disclosing that any such comments originate from the company.
TIP: Fake blogs and/or blog postings are only appropriate in very limited circumstances, which do not include a company making product or service endorsements. Companies should not fictionalize any statements that could be interpreted by the general public as directly representing an actual consumer's experience with or opinion of the company's products or services. Companies should either find actual consumers who subscribe to the actual opinion expressed or frame the advertising to clarify that it is the opinion of the company and not any particular consumer.
Anonymous bloggers suffered a further blow earlier this summer when the English High Court refused to protect the identity of "NightJack," a mystery policeman who had run an award-winning blog for several years. The Times newspaper had investigated the identity of NightJack and was about to publish, when the blogger sought an injunction to prevent it from doing so. The attempt to invoke and develop the nascent doctrine of privacy failed at the first hurdle when the Judge, Mr. Justice Eady, memorably commented that "blogging is essentially a public rather than private activity." The court expressed concern that freedom of speech should not be curtailed and that human rights could be invoked, although not in this case, because of the recognized restraints put on the political activities of civil servants (including policemen) in the UK. The court also noted that it was not attracted by the argument that anonymity should be preserved where a blogger would face the threat of disciplinary action by his or her employer, or other legal proceedings. This ruling can now be seen in the light of the recent U.S. case, in which fashion model Liskula Cohen has successfully obtained an order against Google to reveal the identity of a blogger so that she can bring defamation proceedings against that person. This decision, although groundbreaking in the U.S., is in line with the longstanding position in England.
TIP: If you become the victim of an anonymous blogger, at least in the UK, it now appears you can take steps to uncover their identity so appropriate action can be taken. If you are working with bloggers, keep in mind that those who claim to be anonymous may not always be able to remain so.
In 2008, Oprah hosted Dr. Mehmet Oz, the director of the Cardiovascular Institute and a surgery professor at Columbia University. While on the show, Oz discussed the anti-aging properties of acai berries. Shortly after that show, marketers of nutritional supplements containing the acai berry mentioned the Oprah show, implying that their products had been endorsed by both Oz and Oprah. However, according to the complaint that was just filed by Harpo Inc., Oprah did not endorse those products, and her name and brand had been used without permission, constituting trademark infringement.
TIP: Do not use a celebrity's name or likeness in conjunction with the advertising or sale of your product, even indirectly, without first obtaining permission. This includes not only statements in traditional advertising vehicles, but also in the online world.
The Electronic Retailing Self-Regulation Program ("ERSP") reviewed Urban Nutrition's website in response to a challenge from its competitors. The website claimed to be an unbiased, independent resource for consumers regarding weight loss and diet products. Specifically, the website stated that its "goal is to give you a quick snapshot of what options are available to you." The website also included a "Most Popular" and "Customer Choice Award" for the best weight loss products and diet programs. The FTC endorsement guides state that "when there exists a connection between the endorser and the seller of the advertised product which might materially affect the weight or credibility of the endorsement such connection must be fully disclosed, and...when the endorser is neither represented in the advertisement as an expert nor is known to a significant portion of the viewing public, then the advertiser should clearly and conspicuously disclose either the payment or promise of compensation prior to and in exchange for the endorsement." ERSP found that Urban Nutrition owned several of the weight loss and diet websites it was reviewing, and featured many of its products at the top of the "Most Popular" or "Customer Service Award" lists. As such, ERSP recommended that Urban Nutrition include additional disclosures and make several modifications in future advertising and clearly and conspicuously disclose the nature of the relationship between Urban Nutrition and the products being reviewed to consumers immediately upon visiting the site.
TIP: If a company has a material connection to the products or services that it reviews, it should clearly and conspicuously disclose the connection. Additionally, if a blogger or reviewer was paid for his or her opinion, companies should clearly and conspicuously disclose such information.
Too Much Media LLC ("TMM"), a software company, sued a blogger who posted an allegedly defamatory comment about Too Much's data breach on an Internet message board. Several news agencies reported that TMM became aware of a security breach in its computers that allowed hackers to access adult websites' subscriber lists. On several occasions, the blogger reported about the data breach. TMM sued the blogger for Internet defamation, among other claims. The blogger alleged that the postings were similar to newspapers or magazines, triggering the blogger's protection under the New Jersey news reporter shield laws. The court rejected the blogger's argument, finding that the blogger was not entitled to protection under such laws.
TIP: Bloggers should be aware that posting statements about third parties may subject them to litigation by the parties referenced in the blog postings.
A Kentucky court recently ruled that a nursing student's blog post about a patient giving birth did not violate the school's policies, which prohibit students from disclosing confidential information, including medical information about patients. The court also found that the blog post did not evidence unprofessional behavior in violation of the school's Honor Code. Because the blog post did not contain any identifying information (it merely disclosed the patient's behavior, her treatment, and the date of labor, none of which could be used to determine the patient's identity), the post was not in violation of the school's written patient confidentiality policy. In particular, that policy did not contain language prohibiting the disclosure of non-identifying information. In addition, because the blog was not posted in the student's role as a nursing student or as a representative of the school, because it had no clearly intended audience, and because it was posted on a personal page, the blog was not created in a professional context and therefore could not violate the professionalism requirement of the school's Honor Code.
TIP: When creating policies for employees, students, or others who are affiliated with your organization, care should be taken to clearly define what types of information should not be disclosed. Companies may want to prohibit individuals not only from disclosing personally identifiable information about others in certain circumstances, for example.
IV. LIABILITY SHIELDS
According to the FTC, Accusearch Inc. had engaged in an unfair practice when it sold information contained in telephone records. The information was sold to individuals who visited Accusearch's Abika.com website, which according to Accusearch, was an intermediary for third-party researchers. One of Accusearch's arguments against the case was that it was shielded from liability under the Communications Decency Act ("CDA"), available if, inter alia, the company in question has not participated in the creation of the infringing content. The court disagreed, finding that Accusearch was responsible, at least in part, for the development of infringing content because it had solicited requests for the infringing content to be developed and found researchers to create the infringing content.
TIP: This is one of the first cases where a company has unsuccessfully attempted to use the CDA as a shield in an action brought by the FTC. We will be watching with interest to see if others attempt to use this defense for infringing activities conducted on their sites. In the meantime, companies should be reminded that they will likely be viewed as responsible for the infringing activities occurring on their websites, including by the FTC, if the companies are viewed as participating in the creation of the infringing content.
Plaintiff sued MySpace in state court on behalf of her daughter, who was assaulted by a sexual predator she met on the social network. MySpace claimed immunity under the CDA, which provides immunity for entities that are merely providing interactive computer services. The plaintiff argued that MySpace was more than a mere provider, and had participated in the creation of content since it had created user profiles using information provided by users about their interests and other personal information. Plaintiff relied on a similar case where users were required to fill out profile information before they could register for the site. The case was before the District Court for the Eastern District of Texas. In a brief opinion, the court held that the prior case was distinguishable, inasmuch as MySpace users were not required to provide profile information. As such, the court found that MySpace did fall within CDA protections.
TIP: Companies that post information submitted by users on their websites should avoid making the displayed information mandatory so that they do not lose CDA immunity.
Plaintiff Zango, Inc. sued Kaspersky Lab, Inc., for providing a software product that filters and blocks potentially malicious software, including Zango's adware. The court held that Kaspersky was entitled to immunity under the CDA's "good samaritan" safe harbor, because it provides an "interactive computer service" that enables or makes available to information content providers or others the technical means to restrict access to offensive material. The court rejected Zango's argument that the CDA requires the party seeking CDA protection to enable people to access the Internet or access content found on the Internet, stating that the CDA only requires provision of "access by multiple users to a computer server" and Kaspersky does this by providing its customers with online access to its software update servers.
TIP: Companies that provide software tools that filter, screen, allow or disallow content that the provider or user considers objectionable should enjoy protection under the CDA; however, before relying on the CDA immunity, you should review your specific product or service with counsel.
Plaintiff Perfect 10, Inc., sued Amazon.com, Inc., and its affiliate, A9.com, for copyright infringement based on search results provided on A9's website. In granting summary judgment in favor of A9, the court held that A9 did not have "actual knowledge" that infringing materials were available using its system and was entitled to a safe harbor under the Digital Millennium Copyright Act (DMCA), Section 512(c). Takedown notices sent by Perfect 10 to A9's parent, Amazon, did not put A9 on notice of infringement because: (1) A9's Conditions of Use designated a different copyright agent; (2) although Amazon's Conditions of Use stated that notice should be sent to its copyright agent to notify Amazon.com and its "affiliates" and "subsidiaries" of infringement, Amazon's Conditions of Use and its copyright agent designation on file with the Copyright Office did not identify entities that were Amazon's affiliates and A9 was not listed as an alternative service provider on the designation; and (3) there was no evidence that A9 actually received the notices sent to Amazon.
TIP: DMCA takedown notices must be sent to the correct agent for the offending website to put it on notice. Review the terms of use on the site to identify the agent. If you believe notice should be sent to a parent or other affiliate company, confirm that the offending site is listed in the agent designation form filed by such parent or affiliate with the Copyright Office.
V. CONSUMER AND ONLINE PRIVACY
The Children's Advertising Review Unit ("CARU") recently found that Kidz Bop LLC violated the CARU Guidelines when it included a link on the Kidz Bop website to a website which allowed the collection of personally identifiable information from children without fully complying with CARU guidelines. The non-compliant website did not implement a neutral age-screening mechanism to filter children under 13, and various areas of the site collected personally identifiable information. CARU found that Kidz Bop could reasonably expect children under 13 to visit their website and CARU guidelines specifically provide that operators of websites which are for children or contain areas for children should not knowingly link to other websites that do not comply with CARU guidelines. In addition, the Kidz Bop website privacy policy did not include Kidz Bop's contact information, as required by the Children's Online Privacy Protection Act.
TIP: If you operate a website which is likely to appeal to children under the age of 13, ensure that your website is compliant with CARU Guidelines, including removing any links to websites which you know are not in compliance with the Guidelines.
As we reported in February, the Federal Trade Commission issued a report that month about how companies should disclose to consumers if they engage in behavioral advertising, and give consumers choice over such practices. As part of its report, the FTC called on the industry to develop self-regulatory guidelines. The industry responded this month, with the American Association of Advertising Agencies, the Association of National Advertisers, the Interactive Advertising Bureau, and the Council of Better Business Bureaus issuing a set of principles for websites that allow data collection for behavioral advertising purposes. The industry self-regulatory principles provide different levels of notice and choice requirements depending on whether a company (1) allows data to be collected on its website for online behavioral advertising (OBA) purposes; (2) allows ads to be served based on information collected for OBA purposes; (3) collects data for behavioral advertising purposes on one site, and passes it to another (unaffiliated) website in order to serve targeted ads; or (4) is engaging in OBA and acting as a "Service Provider" (namely if it is a provider of Internet access, toolbars, browsers, or provides other desktop applications or software).
Companies in the first group must have on the pages where information is collected for OBA purposes a link that takes users to a disclosure about the OBA practices occurring at the site. This link would be separate from the link to the company's privacy policy. Companies in the second and third groups must provide prominent notice about the OBA activities on the site where the ad is served. This notice can be in a link that is included in or near the advertisement, and can be either a link to a page created by the website where the ad appears, or a link to a page created by the company that has passed data from one site to another. Additionally, companies in the third group must have a prominent disclosure on their own websites that they engage in OBA activities. The notice provided by companies in both groups two and three must include information about how consumers can opt out of having their information used for OBA purposes, as well as the types of data collected, the use of such data, and whether data is transferred to any third parties for OBA purposes. The notice needs to be on a link on both group two and three companies' websites (a link separate from the privacy policy link), as well as in or near the advertisement that is delivered as a result of the OBA activities. The link near the ad that is being served is not necessary, however, if there was a link to the company's notice on the Web page where data was first collected. The principles anticipate that this might happen in instances where the website on which the ad is served has a relationship with the original website where information was collected. Unlike companies in the first three groups, Service Providers are held to a higher standard, and must get consumers' consent before they can engage in behavioral advertising. 
Service Providers also must have a notice - linked from their websites - that describes their OBA activities, including information about how a consumer can opt out of having his or her information used for OBA purposes, as well as the types of data collected, the use of such data, and whether data is transferred to any third parties for OBA purposes.
TIP: If you engage in online behavioral advertising, you should be aware of these new guidelines. For example, if you allow third parties to collect information while a consumer browses on your site, and that data gets passed along to a third-party site where the consumer will be served with a customized advertisement after the consumer leaves your site, these self-regulatory principles have disclosure and notice requirements for you and the vendor providing the advertising services. While these principles do not carry the force of law, they may be looked to in the industry as a new "standard" for OBA practices.
The Federal Trade Commission recently settled with a major U.S. retailer over claims that the company engaged in unfair and deceptive practices by asking consumers to download an online tracking application without accurately disclosing what information would be collected by the application, and how such information would be used. According to the FTC's complaint, the company distributed to consumers an application which it represented would track consumer "online browsing." The FTC alleged, however, that the company did not adequately inform consumers that the application monitored and transmitted to its remote servers nearly all of the consumer's Internet behavior, including the information exchanged between the consumer and websites owned by entities other than the company. According to the FTC complaint, this information included data submitted by the consumer in secure sessions with third-party websites such as information in online banking statements, online drug prescription records, and e-mail header fields showing the sender, recipient, and subject.
TIP: When providing software for consumers to download to their computers, be sure to adequately disclose to consumers any and all data that might be collected by such software, how the data will be used, and obtain consumers’ consent prior to download.
Under the EU Data Privacy Directive, a working group was set up to examine the impact of the directive on the protection of individuals with regard to the processing of their personal data. Over the years, the working group has issued a variety of opinions, including an opinion in May 2002 that in certain circumstances, if a company located outside of the European Union places a cookie on the computer of a user located within the European Union, that company may be subject to local European laws. This opinion was revisited in August last year, when the working group examined the obligations of search engines under the directive, and concluded that search engines using cookies (including for behavioral tracking purposes) could be subjecting themselves to European laws, even if the search engine companies were located outside of the EU. Last month, the impact of the use of cookies was reviewed again, this time in the context of social networking websites, which the working party viewed as information society services that must respect the rights and freedoms of site users (including users' privacy rights). To the extent that social networking sites use cookies, the working party concluded that even sites that are based in countries outside of the EU must follow the requirements of the directive.
According to the working group, complying with the directive means that social networking sites should have "privacy-friendly" settings, such as (a) having a user's profile default to require consent before others can access the user's data, (b) not having a user's postings "findable" by search engines, and (c) not having decisions about whether to extend access to a user's profile be implicit (so that a user would have to opt out of such extension of access). Social networking websites should also follow the notice requirements of the directive, including letting users know (a) if their information will be used for direct marketing, (b) if their information will be shared with third parties, (c) how profiles of users are created (and where the data comes from to create the profiles), and (d) how sensitive data is used. The working party also recommended that sites give users warnings about privacy risks to themselves and to others when uploading data, that uploading information about other people might infringe on those individuals' rights, and that if users want to upload photos of other people, they need those people's consent. The working party also indicated that data should be deleted if the user terminates his or her account or if an account is inactive for a set period of time (but only after first notifying the user that data will be deleted).
TIP: If you host social networking websites that use cookies, keep in mind that you may be viewed as subject to the laws of European Union Member States, and thus will need to consider whether you must have "privacy-friendly" settings as defaults, among other requirements.
As we reported recently, the Maine Independent Colleges Association and others filed a case in the United States District Court of Maine against the Governor of Maine and the Maine Attorney General to have the Maine Act to Prevent Predatory Marketing Practices Against Minors declared unconstitutional. The parties argued that the law impinges upon Free Speech and the Commerce Clause, and that it is preempted by COPPA. As we reported in the past few weeks, the Act: (1) puts an absolute prohibition on using personal information of a minor to market to the minor or to promote any course of action regarding a product to a minor, whether or not parental permission has been obtained and whether or not you know the person's age; and (2) prohibits knowingly collecting personal information from children in Maine under 18 for "marketing purposes," without first obtaining parental consent. Just prior to implementation of the Act, the court entered an order noting that the plaintiffs were likely to succeed on the merits of their claims, namely that the law is overbroad and violates the First Amendment. Although the court did dismiss the suit (and the law has now subsequently gone into effect), it noted that the Attorney General will not enforce the law, and that the legislature will be reconsidering the statute when it reconvenes. In reaching its decision, the court indicated that even though the law would go into effect, "third parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities." This proclamation appears to be intended to discourage consumers from filing suit under the statute before the Maine Legislature has the opportunity to reconsider it.
TIP: Companies should be aware that even though the District Court of Maine has issued a decision that the Maine kids' privacy law is unconstitutional, the law is technically still on the books. Thus, any company that believes it may be impacted should analyze the law and decide what is the appropriate compliance strategy for its business.
VI. DATA BREACH AND DATA SECURITY
Many have been following the Massachusetts data security law, which requires businesses to have plans in place to protect certain consumer data in their possession and control. The law was first set to take effect January 1, 2009, but has since been delayed several times, with the most recent effective date being January 1, 2010. Companies were concerned, however, about certain of the law's requirements, and bowing to that pressure, the Office of Consumer Affairs and Business Regulation in Massachusetts has delayed implementation until March 1, 2010. In addition, the rules have been changed to allow companies, when putting in place their data security plans, to take into account the size of the business, the resources of the business, and the amount of data being stored. A hearing has been scheduled for September 22, 2009 to discuss the amendments.
TIP: Companies that hold personal information about Massachusetts residents that includes Social Security numbers, drivers' license or state ID numbers, or financial account/credit card numbers should have plans in place to adhere to the security requirements of this law. That security plan will need to be in place by March 1, and impacted companies are encouraged to not only review the rules, but also participate in the September hearings.
Effective August 28, 2009, businesses in Missouri are now required to notify Missouri residents if their unencrypted personal information is breached when a risk of harm is present. Unlike many state data breach notification laws, the Missouri statute defines personal information to include not only Social Security numbers, driver's license numbers and financial data, but also medical information and health insurance data. Notably, the law provides that if, after an appropriate investigation or consultation with the relevant law enforcement agencies, a business determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach, then notification is not required. The Attorney General is authorized to seek monetary damages of up to $150,000 per breach of the new notification requirements.
TIP: In the event your company's data is breached, ensure that you comply with the data breach notification laws of the relevant states. Forty-five states and the District of Columbia now have data breach notification laws.
According to a complaint filed against Time Warner Entertainment Co. in 1998, the company had sold the personal information of over 7 million customers - including the customers' Social Security numbers and driver's license numbers - to third parties including telemarketers, direct marketing companies, and Time Warner affiliates and divisions. Under the Cable Communications Policy Act, it is a violation not to notify consumers about how their information will be used and shared, and to share information with third parties without giving consumers notice and obtaining consent, except in certain circumstances. These requirements - in particular with respect to providing consumers with notice - are reminiscent of FTC guidelines, enforced under the Deceptive Trade Practices Act, which are applicable more generally to non-cable companies. After moving through the courts for over ten years, the case was recently settled (settlement was approved by the Eastern District of New York in July 2009), with Time Warner agreeing to pay $2.3 million to the class members, $3.6 million in attorneys' fees, and $250,000 to a privacy think-tank at Berkeley and a public interest group in Washington, D.C.
TIP: While many companies may not be subject to the Cable Act, this settlement suggests that privacy concerns are on the forefront of consumers' minds, and that payments for alleged violations of consumers' privacy rights can result in potential liability in the millions of dollars. Thus, before engaging in practices where consumer information will be used - and especially shared with third parties - it is a good idea to carefully analyze applicable laws and potential risks.
On August 5, the Electronic Frontier Foundation (EFF) released a white paper urging companies that provide digital services based on the location of the individual user to take the necessary steps to protect those users' privacy. While the EFF stated that in the long term, lawmakers should determine when individuals have an expectation of privacy in data about their locations, it advises that in the meantime it is in companies' best interest to design these systems with privacy considerations in mind. The EFF claims that benefits of such an approach can include decreased legal compliance costs and an advantage over competitors who do not offer similar protections to increasingly privacy-minded consumers. The EFF recommends that companies offer increased privacy protection of location-based data through tools such as encryption, anonymous credentials, and limitation on data retention.
TIP: Companies should take into account privacy considerations when designing systems that use data based on the location of individual users.
A high-profile, bitter divorce proceeding in the UK may have far wider reach than the estranged husband and wife. Lisa Tchenguiz married Vivian Imerman in 2001. Lisa Tchenguiz's brothers shared business interests and even an office with Mr. Imerman. The Tchenguiz brothers and Imerman each featured in the Sunday Times Rich List, reportedly worth hundreds of millions of pounds. It seemed like a match made in heaven. But the marriage broke down. Lisa Tchenguiz petitioned for divorce at the end of 2008, and it is undisputed that in January and February this year, one of the Tchenguiz brothers copied a huge amount of data (there was an argument over whether it was 250,000 or 2.5 million documents) belonging to Imerman from their shared computer network. Imerman sought an injunction and demanded the return of the password-protected documents. Among various claims, Mr. Imerman argued that the search and seizure amounted to an infringement of his right to privacy under Article 8 of the European Convention. The UK judge considered whether or not the information itself was confidential, found that it was, and ordered the return of the information and restrained its use. The judge identified the password protection of the documents as being important in highlighting the confidential nature of the materials. The judge also hinted that the old rules (admitting such evidence to proceedings) might need to change going forward, saying "whether such an argument [namely for admitting evidence obtained in such circumstances] could be advanced in the future may be another matter."
TIP: Always password-protect documents and data held on a computer. This can be a key indicator of the confidential nature of that information, especially in the EU.
On July 7, the Federal District Court for the Southern District of New York dismissed a class action lawsuit, filed against JPMorgan Chase N.A. ("Chase") on behalf of 2.6 million credit card holders whose card data was breached, for failure to state a claim upon which relief could be granted. In September 2006, Chase announced that it had unintentionally disposed of computer tapes holding personal information on 2.6 million cardholders as trash. On February 17, 2009, James Willey filed a class action suit against Chase on behalf of himself and the other 2.6 million cardholders, alleging violations of the Fair Credit Reporting Act (FCRA) and various state law claims. The court dismissed the FCRA claim for failure to state a claim, finding that Willey's complaint contained only a "formulaic recitation" of the elements of an FCRA claim without sufficiently alleging how Chase's conduct and practices violated the FCRA. The court also found that the FCRA claims were beyond the two-year statute of limitations, as Willey was on notice of the breach from Chase's original announcement, and therefore dismissed the claim with prejudice. With regard to the state law claims, the court dismissed them as well, finding that they were preempted by the FCRA, and to the extent that they were not preempted, they failed to assert any actual damages, which was a necessary element.
TIP: Companies that suffer a data breach should consider promptly disclosing the breach in order to start the statute of limitations running and prevent actual damage from occurring to the consumers whose personal information was breached.
The FTC extended its red flags enforcement deadline to November 1, 2009, from its previous deadline of August 1, 2009. The Red Flags Rule requires financial institutions and creditors to develop and implement written identity theft prevention programs. The FTC received pressure from the House Appropriations Committee, which stated that the definition of "creditor" was too broad, requiring retailers, utility companies, health care providers, telecommunications firms, real estate agents, automobile dealers, and lawyers to implement the identity theft prevention programs. This delay is intended to allow Congress to look at additional concerns before taking any action.
TIP: Companies should review their identity theft prevention programs to determine if they comply with the Red Flags Rule.
VII. FINANCIAL PRIVACY
The owner of a payday lender and certain of its marketing affiliates paid a $52,000 settlement in connection with an online promotion which the FTC alleged to involve deceptive marketing practices. The FTC alleged that consumers who applied for a payday loan through the lender's website were misled into unknowingly consenting to have their bank accounts debited a fee of up to $54.95 for a prepaid debit card with a zero balance. The settlement prohibits the defendants from misrepresenting any material fact, including the cost of products or services, and from charging consumers without first disclosing material details of the charge and subsequently receiving affirmative authorization. The online lender is also required to take reasonable steps to monitor marketing affiliates to ensure compliance with all unfair or deceptive acts and practices laws.
TIP: Companies with an online presence should ensure that their interactions with consumers could not be considered deceptive, including charging consumers any amounts not fully and clearly disclosed, and should take reasonable steps to monitor any marketing affiliate or similar relationships. Take corrective action when necessary.
The recently enacted Credit Card Marketing Act of 2009 will expand Illinois' restrictions on the use of college students' personal information for credit card marketing to private institutions as well as the "agents, employees, student groups, alumni organizations, or any affiliates" ("Institution Parties") of both public and private institutions. The institutions and Institution Parties are prohibited from providing the names, addresses, telephone numbers, Social Security numbers, e-mail addresses or other personally identifying information of students under the age of 21 to any business or financial institution which issues credit cards. The law also amends the Illinois Freedom of Information Act to require institutions to disclose information regarding the institution's relationship with credit card issuers, including the terms of any agreements and how the funds from the agreements were utilized, on the institution's website, to the Illinois Board of Higher Education, and along with any credit card marketing materials mailed to students. The law does not prohibit institutions from allowing credit cards to be marketed to students; however, it requires that if institutions do allow such marketing they must also offer students credit management education. Finally, the new law prohibits institutions from allowing companies to market credit cards by coupling them with free gifts, offers, discounts, or other incentives designed to encourage students to sign up for credit.
TIP: The new Illinois law strictly regulates the ability to market credit cards on campus to students under the age of 21. Institutions should not provide students' personally identifiable information for such purposes, and where they allow companies to market credit, should ensure that the law's disclosure requirements are met, that they are offering credit management education and that the company's practices are in compliance (no gifts or offers for signing up).
The U.S. District Court for the Southern District of Florida held on April 16 that e-mail order confirmations are not "printed" for purposes of the Fair and Accurate Credit Transactions Act (FACTA), and therefore, failure to remove a credit card's expiration date in an e-mail confirmation did not violate FACTA. FACTA provides that "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." When the plaintiff received an e-mail confirmation from the defendant which contained plaintiff's credit card expiration date, plaintiff filed suit for violations of FACTA, seeking statutory and punitive damages. The court dismissed the suit for failure to state a claim, finding that the term "print" referred only to imprinting on paper or other tangible surface and not e-mail confirmations, based on the statutory language as well as similar decisions in other courts.
TIP: While credit card numbers or expiration dates may be included in e-mail confirmations of purchases, sellers should take steps to ensure that such information does not appear in any tangible, hard copy receipt.
A home mortgage lender that sent prescreened offers of credit to consumers without properly informing them of their right to opt out of receiving such offers in the future has agreed to settle Federal Trade Commission charges that it violated federal law. The settlement requires the company to pay a $20,000 civil penalty and bars future violations. In addition, the settlement requires the lender to maintain records and imposes reporting requirements regarding pre-screened offers in order to allow the FTC to monitor compliance with the order. Prescreened offers of credit or insurance typically are mailings sent to selected consumers based on information in their credit report indicating that they meet the offering company's criteria. The Fair Credit Reporting Act permits lenders or insurers to make prescreened offers if the offer clearly and conspicuously discloses that, among other things, (i) the consumer's credit report was used to make the offer and (ii) the consumer can opt out of receiving such offers in the future.
TIP: The FTC's Prescreen Opt-Out Notice Rule (Prescreen Rule) requires that each written solicitation contain a short and a long notice, and it specifies the format, type size, and content in order to make the notices simple and easy for consumers to see and understand.
VIII. WORKPLACE PRIVACY
In two separate actions, the FTC recently settled with Quality Terminal Services, LLC ("Quality") and Rail Terminal Services, LLC ("Rail Terminal") regarding allegations that Quality and Rail Terminal violated the Fair Credit Reporting Act ("FCRA") when they used credit reporting service data to conduct background checks on their employees without first notifying them. Under the FCRA, before an employer uses credit report data to take adverse action against an employee, the employer must (1) provide the employee with a copy of his or her credit report; (2) identify the agency that provided the report; (3) notify the employee that the agency is not responsible for the adverse action; and (4) notify the employee of his or her right to receive a free credit report from the agency to verify the information. According to the FTC, Quality used information from consumer credit reports to deny employment without giving applicants the proper FCRA notices. Similarly, Rail Terminal put several employees on administrative leave after they failed to clear their background checks due to information on their credit reports, without providing notice in compliance with FCRA requirements. Quality settled with the FTC for $53,000 while Rail Terminal settled for $24,000 in penalties.
TIP: When obtaining credit reports on job applicants or existing employees, be sure to properly notify them under the FCRA before denying employment, taking disciplinary action or terminating employment.
The North Carolina Court of Appeals recently found a North Carolina school system's random drug and alcohol testing policy unconstitutional because it violated the state constitution's guarantees against unreasonable searches. The policy required all school employees to submit to drug and alcohol testing at random and also upon "reasonable suspicion" of drug or alcohol abuse, and provided for suspension of any employee who had a detectable amount of an illegal drug or alcohol in his or her test. The court indicated that reasonable suspicion is usually a prerequisite to a constitutional search or seizure, unless the government has "special needs" in justification of such a search. In this case, the court found that the policy was "remarkably intrusive" and noted that the employees of the school, unlike the students, did not have a reduced expectation of privacy by virtue of their employment in the public school system. The court concluded that the employees' privacy interests outweigh the school board's interest in conducting random testing.
TIP: Public entities' drug and alcohol testing programs should balance the nature of the intrusion on the individual's privacy against the promotion of legitimate government interests.
The Wisconsin Supreme Court rejected a First Amendment challenge to a state statute that punishes the unauthorized use of another individual's personal identifying information in order to harm the individual's reputation. The defendant, Christopher Baron, a disgruntled city emergency medical technician, accessed his supervisor's e-mail account, compiled a number of e-mails allegedly showing that his supervisor was having an extramarital affair, and forwarded them to people in the Jefferson community under the supervisor's e-mail account. His supervisor committed suicide the next day. The court rejected Baron's argument that the statute violated his First Amendment right to defame a public official, finding that the statute applies only when the defendant intentionally uses an individual's personal information to harm that individual's reputation and therefore is narrowly tailored to achieve a compelling government interest and survives a strict scrutiny review.
TIP: Note that an identity theft statute that regulates speech and conduct and that is narrowly tailored to achieve a compelling government interest, as applied to the specific facts of a case, may survive a First Amendment constitutional challenge.
In line with the position of the French Data Protection Authority ("CNIL") that it would be disproportionate to ban any private use of the Internet and e-mails with a professional computer, the French Supreme Court recently ruled that every employee has a right to protection of his private life, even at the place and hours of work, which notably includes a right to the secrecy of correspondence for personal messages. As such, if there is an apparent breach of privacy and it is necessary to examine access to and use of an employee's personal e-mails, staff representatives have the right to take part in the investigation carried out by the employer.
TIP: In the event that it is necessary to examine a French employee's e-mail messages for legitimate business purposes (such as to investigate a potential data breach), care should be taken not to run afoul of the French Penal Code. The presence of staff representatives during an investigation may be necessary to ensure that no violation of privacy is committed.
IX. HEALTH CARE PRIVACY
Both the U.S. Department of Health and Human Services (HHS) and the FTC have recently issued regulations governing breaches of protected health information. The HHS standards, published August 24 in the Federal Register, cover a much broader group of health care entities than the FTC rule. Under the HHS regulations, entities governed by HIPAA's privacy and security rules must perform an appropriate assessment of a potential breach of an individual's "unsecured" health information to determine whether the risk of harm to the individual is insignificant such that no breach notification is required. This risk of harm threshold is consistent with many state breach notification regulations and should eliminate the need for unnecessary notification of insignificant breaches.
The HHS standards also state that encryption and guidelines from the National Institute of Standards and Technology (NIST), while not required under the HIPAA security rule, can be used by HIPAA entities to eliminate any potential breach notification obligations since data subject to these methodologies would not be considered unsecured. HHS's citation to and apparent reliance on specific technology standards to secure health care data appear to give HIPAA entities a safe harbor approach to address unsecured data. While the HHS regulations apply to entities governed by HIPAA, the FTC rule generally applies only to personal health record vendors and their service providers. Pursuant to the FTC rule, vendors are required to contact the individual directly if a breach involves unsecured data, while a breach by a service provider would require notice to the vendor. Although the HHS regulations state that its standards were developed after close consultation with the FTC, the FTC's breach notification does not have an explicit risk of harm trigger. Therefore, under the FTC rule, even a breach of security which results in no harm will require notification. Moreover, some entities normally outside the reach of FTC jurisdiction are subject to the FTC rule, such as not-for-profits and educational institutions.
TIP: Review your health data breach notification procedures to make sure they are consistent with the new HHS and FTC regulations.
In a medical malpractice case, a plaintiff sought a protective order from the Texas state trial court to prevent the defendant physician from having ex parte contacts with the plaintiff's non-party treating physicians. The plaintiff contended that, while she had sent the defendant an authorization form for release of protected health care information in order to investigate her claim, which included the names of non-party treating physicians, it is common practice for the defendant physician's counsel to have communications with non-party treating physicians to obtain information beyond the plaintiff's medical records and that the defendant should be barred from doing so. Although Texas evidence rules have an exception to patient privacy where the information is relevant in a suit by a patient against a doctor, the trial court granted the protective order. The Texas Court of Appeals also upheld the protective order, concluding that the Texas evidence rules did not specifically prohibit such an order. The Texas Supreme Court reversed. While courts in some other jurisdictions have held that HIPAA preempts state laws permitting ex parte contacts with non-party treating physicians, the Texas Supreme Court said none of those cases involved a written authorization like the one executed by the plaintiff. The Texas Supreme Court also rejected the plaintiff's argument that HIPAA preempted Texas evidence rules permitting the ex parte communications. In so doing, the court concluded that HIPAA preempts state law only if it would be impossible for a covered entity to comply with both the federal and state requirements, or if the action would undermine HIPAA's purposes. In re Lester Collins, M.D., Relator, No. 07-0737 (Tex. Sup. Ct. June 5, 2009).
TIP: Note that states are interpreting HIPAA preemption differently in some cases and check applicable case law in relevant jurisdictions as needed.
In a case involving the access of a patient's medical file by a clinic worker who shared the information with a relative who worked at another hospital, the Minnesota Court of Appeals determined that the posting of health data on an anonymously created page on MySpace is sufficient to satisfy the publication requirement for a state law invasion of privacy claim. In reversing the trial court, the appellate court concluded that it did not matter how many people actually viewed the web page since the site was not password protected or otherwise blocked from public view, analogizing the posting as similar to putting the data on a sign in a shop window for any member of the public to see who happened to pass by. The appeals court also held that Minnesota privacy law permitting an individual to assert an invasion of privacy claim for the misuse of protected health information is not preempted by HIPAA which does not provide a private right to sue. In so doing, the appellate court concluded that the state law allowing a private right of action does not conflict with but rather complements HIPAA such that an individual or entity covered by HIPAA and the state statute could comply with both provisions. Yath v. Fairview Clinics, No. A08-1556 (June 23, 2009).
TIP: Be sure to have procedures in place to address the sharing of health care data on all media, even seemingly private web pages.
HHS has moved the administration and enforcement of the HIPAA security rule from the Centers for Medicare and Medicaid Services (CMS) to HHS's Office of Civil Rights. According to HHS Secretary Kathleen Sebelius, the move eliminates duplication of effort and increases efficiencies. CMS will retain the responsibility for HIPAA administrative simplification regulations. 74 Fed. Reg. 38630 (Aug. 4, 2009). OCR already has enforcement responsibility for the HIPAA privacy rule. Placing the HIPAA security rule under OCR's purview is likely to increase HIPAA security rule enforcement actions in the future.
TIP: Note that OCR now enforces the HIPAA security rule, which may lead to more enforcement actions in the future.
New Hampshire has enacted a series of laws which, according to legislative sponsors, go beyond HIPAA to protect e-health privacy. One measure (H.B. 542) limits access to health data provided to health information exchanges (entities which exchange health data for clinical decision-making purposes) to health care providers for purposes of treatment only. Another measure (H.B. 619) permits individuals to opt out of sharing their personal data for marketing and fund-raising purposes. Unlike HIPAA, H.B. 619 also allows individuals to sue for violations of the marketing and fund-raising restrictions, including reasonable attorneys' fees. And H.B. 619 requires health care providers and their business associates to notify individuals of any unauthorized disclosures of protected health information prohibited by New Hampshire law, even if such disclosures would be permitted under federal laws such as HIPAA. Other states are considering similar measures in the wake of the significant increase in the use and sharing of e-health data.
TIP: States increasingly may enact laws to protect e-health privacy beyond HIPAA protections, including the right to sue and recover attorneys' fees.
The Indiana Attorney General initiated a complaint against Walgreen's and CVS regarding the destruction and disposal of non-electronic personal health information. The investigation stems from complaints received by the Indiana AG that Walgreen's and CVS were disposing of such information in dumpsters outside of Walgreen's and CVS pharmacies, in violation of Indiana law. As part of the settlement, both companies agreed to permit inspection at pharmacies located in Indiana, properly train employees for compliance with HIPAA, designate an internal compliance representative to oversee compliance, and donate $1,000 to a charity of their choosing.
TIP: Companies should review their procedures for all disposal and destruction of personally identifiable information to ensure that the destruction and disposal methods comply with all state and federal laws.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO
Liisa M. Thomas (Advertising), (312) 558-8121
Monique Bhargava (Advertising), (312) 558-3732
Stephen P. Durchslag (Advertising), (312) 558-5288
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Melbinger (Employee Benefits), (312) 558-7588
Roberth H. Newman (Advertising), (312) 558-8125
Michael Philipp (Financial Services), (312) 558-5905
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964

NEW YORK
Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS
Sébastian Ducamp (Employment, Litigation), 33 0(1) 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 0(1) 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Vanessa Lerner (Employment, Health), 33 0(1) 53 64 82 70
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47

SAN FRANCISCO
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Andrew P. Bridges (Intellectual Property), (415) 591-1482
Kimberly E. Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401

LONDON
Zoe Ashcroft (Corporate, Financial), 44 (0)20 7105 0025
Danvers Baillieu (Litigation, Financial), 44 (0)20 7105 0017
Barry Vitou (Corporate, Financial), 44 (0)20 7105 0018

WASHINGTON, D.C.
Richard P. Gilly (Intellectual Property), (202) 282-5853
Marion K. Goldberg (Health Care), (202) 282-5788
Michael A. Mancusi (Financial Services), (202) 282-5729
Paul S. Pilecki (Financial Services), (202) 282-5730

LOS ANGELES
Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711
Evan R. Moses (Labor and Employment), (213) 615-1713

Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
Copyright © 2009. Winston & Strawn LLP.