Privacy & Information Security Law Blog

On July 24, 2012, Lisa J. Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams LLP, gave a presentation on “Data Privacy in the Global Era” to the Western Independent Bankers Service Corporation. Sotto discussed U.S., EU and other international privacy laws, with a focus on two specific areas of interest, cloud computing and vendor management. 

On August 10, 2012, the Federal Trade Commission announced that it has accepted the final settlement with Facebook which resolves allegations “that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” As we previously reported, the settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information; (2) obtain users’ “affirmative express consent” before sharing their information with any third ...

On August 8, 2012, the Federal Trade Commission announced a settlement agreement with employment screening company HireRight Solutions, Inc. (“HireRight”). In its first enforcement action against an employment background screening company for Fair Credit Reporting Act (“FCRA”) violations, the FTC alleged that HireRight functioned as a consumer reporting agency, but failed to comply with certain FCRA requirements. The proposed consent order imposes a $2.6 million penalty on HireRight and requires the company to remedy the alleged FCRA violations, create and retain certain records and submit reports to demonstrate compliance.

As reported in the Hunton Employment & Labor Perspectives Blog:

The National Labor Relations Board ("NLRB") has again asserted its willingness to encroach upon employers’ long standing legitimate employment policies in a non-unionized workforce. In Banner Health System, 358 NLRB No. 93 (July 30, 2012), the Board held that a blanket policy prohibiting an employee from discussing an ongoing investigation violates section 8(a)(1) of the National Labor Relations Act.

Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) published a Bulletin signaling its intent to regulate and exercise enforcement authority over service providers to financial institutions. Pursuant to Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act and its implementing regulation, Regulation P, the CFPB has authority over certain large banks, credit unions and other consumer financial services companies. The Bulletin notes that the CFPB’s goal is to ensure compliance with “[f]ederal consumer financial law,” which includes the Gramm-Leach-Bliley Act and its implementing regulations, the Privacy Rule and the Safeguards Rule.

In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.

On August 1, 2012, the Federal Trade Commission announced that it is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). According to the FTC, the second-round revisions modify certain COPPA Rule definitions to “clarify the Rule’s scope and strengthen its protections for the online collection, use, or disclosure of children’s personal information.” The FTC developed these new definitions after reviewing the 350 public comments submitted in response to the Commission’s September 2011 proposal to amend the Rule.

On July 10, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released a statement on outsourced cloud computing activities. The statement, which was prepared by the FFIEC Information Technology Subcommittee, discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions, and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook. The statement indicates that the FFIEC agencies “consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.” The paper focuses on addressing key risks of outsourced cloud computing identified in existing guidance. Key points include the following:

On July 24, 2012, a bipartisan group of eight members of Congress sent letters to nine major data brokerage companies requesting information on how the companies collect, assemble and sell consumer information to third parties. Representatives Ed Markey (D-MA) and Joe Barton (R-TX), who serve as co-chairmen of the Bipartisan Congressional Privacy Caucus, are leading the inquiry. The Privacy Caucus, which is an ad hoc group rather than a formally constituted congressional committee, is comprised of members who have a common interest in privacy issues. The Caucus cannot call formal hearings, compel production of materials or pass legislation.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.