June 2009

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act. 
 

The Ohio Court of Appeals, in State v. Wolf, No. 08-16, slip op. (Ohio Ct. App. 5d April 28, 2009), recently upheld application of Ohio’s computer crime law to an employee who used his work computer to engage in criminal conduct (solicitation of a dominatrix-prostitute). While this holding may seem uncontroversial, another aspect of the decision might open the door to imposing criminal liability on employees for violating employer computer use policies.

Wolf was a Shelby City Wastewater Treatment Plant employee. The plant superintendent discovered nude photographs on Wolf’s work computer while performing routine maintenance. The superintendent notified police, who discovered that Wolf used the city-owned computer to solicit a prostitute, visit pornographic websites and upload nude photographs of himself during work hours.  At trial, the jury found him guilty of soliciting prostitution, theft in office and unauthorized use of a On appeal, Wolf challenged the trial court decisions overruling his motion for acquittal on both the charge of theft in office and the charge of unauthorized access to a computer. The Court of Appeals agreed that the trial court should have acquitted on the theft in office charge, but ruled that Wolf’s use of the office computer was unauthorized under Ohio law.

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).