November 2011

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program. The OCR pilot program calls for approximately 150 audits of covered entities, which audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities. Although the pilot program is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

The Federal Trade Commission has announced a settlement agreement with ScanScout, Inc., an online advertising network alleged to have made misleading statements in its privacy policy which omitted to disclose ScanScout’s use of Flash cookies. The settlement terms require ScanScout to implement various conspicuous (i.e., not hidden in the privacy policy) notices regarding behavioral tracking and opt-out mechanisms that are reflective of recent FTC guidance and developing industry standards. Companies engaging in behavioral tracking (using Flash cookies or otherwise) may look to the terms of this settlement agreement for color on what the FTC wants to see in terms of consumer notices and choices.

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. While this case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers’ data, plaintiffs’ lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. For Skid-e-kids, the FTC’s settlement means taking remedial measures; an injunction; and a $100,000 civil penalty. For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.