Proskauer Lawyers Help Secure Victory for DNA Privacy Rights

On August 25, 2011, the Massachusetts Appeals Court, in a case of first impression, ruled that the state crime lab’s retention of an individual’s DNA sample beyond the limitations promised to him by the police when they took the voluntary sample states a claim for invasion of privacy, and for violation of the state’s Fair Information Practices Act (“FIPA”). The court’s clear holdings that DNA is private information in which citizens have a reasonable expectation of privacy; that the government may not unilaterally determine how long it will retain such information, but must justify that decision; and that the state must honor limitations on consent volunteered by police officers in collecting such information, are all matters of first impression in Massachusetts.

India Issues Clarification of Recent Privacy Rules

As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection and sharing of sensitive personal data or information seemed to threaten the viability of India’s successful outsourcing industry and affect the data collection practices of non-Indian companies who are otherwise in compliance with data security and privacy requirements in their home jurisdictions. On August 24, 2011, the Ministry issued a release clarifying certain aspects of the Privacy Rules which will undoubtedly cause the Indian outsourcing industry and non-Indian companies to breathe a sigh of relief.

"Illinois-ed" About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

The Massachusetts Attorney General's Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth's stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General's Office, was likely incinerated by the bank's waste disposal company.

Emerging Electronic Receipt Option Requires Creative Thinking for Retailers under State Law

Recently, several large retail chains have started offering customers the option to receive electronic receipts for in-store purchases, as the New York Times reports. For instance, a cashier may ask a customer for his or her email address at check-out and then email the receipt to the customer. Paperless receipt programs offer retailers new and exciting marketing opportunities—for instance, adding a retail store purchaser’s email address to the company’s customer relationship management database, even if that customer never shops online. But with these new opportunities come potential liabilities from old laws that were not written with this new technology in mind.

FTC Fines First Mobile App Developer for COPPA Violation

On Monday, the Federal Trade Commission (FTC) announced that mobile application developer W3 Innovations, LLC (d/b/a Broken Thumbs Apps), has agreed to pay a fine of $50,000 in order to settle charges that it collected and disclosed personal information from children under the age of 13 without first notifying parents of information-collection policies or obtaining verifiable parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule (16 C.F.R. Part 312). This was the first FTC case involving mobile applications, commonly known as "Apps."

Breach Notification Obligations In All 50 States?

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota).

What's new in Europe?

While the European Commission is seeking to update its 15-year-old Directive regarding the protection of personal data, several regulations have been passed to strengthen privacy rights in Europe.

First, the European Union’s Article 29 Working Party has decided to define more clearly what is considered genuine consent for the processing of personal data. According to its opinion issued on July 14, 2011, consent requires the use of mechanisms that leave no doubt on the data subject’s intention to authorize. As such, in the Working Party’s view, only affirmative statements or actions, not mere silence or inaction, are able to constitute a valid consent. It is incumbent upon data controllers to prove that they have obtained genuine consent; the data subject is not required to rebut any presumption of consent in the controller’s favor.

No Report; No Pay

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.