Privacy & Information Security Law Blog

In the past month, the Department of Health and Human Services (“HHS”) sent its final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget (“OMB”) and announced a $100,000 settlement with Phoenix Cardiac Surgery, P.C. for violations of the HIPAA Rules.

On April 17, 2012, the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia released guidance on their expectations for accountable privacy programs as required by Canadian law. The guidance, entitled “Getting Accountability Right with a Privacy Management Program,” discusses the building blocks of a comprehensive privacy program for businesses of all sizes. Although intended for a Canadian audience, the paper likely will have worldwide influence given recent privacy law developments around the globe.

On March 8, 2012, during the CeBIT international IT trade show, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) accepted the German Insurance Association’s application for certification of the “Trusted German Insurance Cloud,” a project that aims to establish a secure IT platform for the German insurance industry.  The parties previously had agreed to work together to develop practical requirements for a secure cloud solution, and to implement appropriate security measures in the “Trusted ...

On April 9, 2012, Maryland became the first state to pass legislation that would prevent employers from asking or forcing employees and applicants to hand over their social media login credentials. The bill, which passed the state Senate unanimously (Senate Bill 433) and the House of Delegates by a wide margin (House Bill 964), now awaits Maryland Governor Martin O’Malley’s signature.

On April 5, 2012, social media giant Twitter, Inc. (“Twitter”) filed a civil lawsuit against spammers and makers of spamming software claiming violations of Twitter’s user agreement and various California state and common laws. Borrowing from the popular term for unsolicited email messages, Twitter’s complaint describes “spam” on Twitter as “a variety of abusive behaviors” including “posting a Tweet with a harmful link … and abusing the @reply and @mention functions to post unwanted messages to a user.” The suit alleges that certain defendants violated Twitter’s Terms of Service, which prohibit “spam and abuse,” by distributing software tools “designed to facilitate abuse of the Twitter platform and marketed to dupe customers into violating Twitter’s user agreement.” Other defendants allegedly operated large numbers of automated Twitter accounts through which they attempted to “trick Twitter users into clicking on links to illegitimate websites.”

On March 22, 2012, the Article 29 Working Party (the “Working Party”), adopted an Opinion analyzing the privacy and data protection law framework applicable to the use of facial recognition technology in online and mobile services, such as social networks and smartphones. The Working Party defines facial recognition as the “automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.”

Drawing on its eleven years of experience facilitating multistakeholder processes, on April 2, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments in response to the Department of Commerce’s National Telecommunications and Information Administration’s request for public comments on the multistakeholder process to develop consumer data privacy codes of conduct. The NTIA’s request relates to the topics and processes that will inform the creation of binding codes of conduct as discussed in the Obama Administration’s February ...

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.