FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy. However, in a recent proposed settlement, the FTC indicated that, at least under the facts before it, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act. 

What Happens in Vegas Really Does Stay in Vegas (Unless It Is Encrypted)

A new Nevada law, S.B. 227, will require entities doing business in that state to beef up their protections of personal information. Previously, we wrote about Nevada’s personal information encryption law. See our blog post here. The current law requires encryption of any personal information transmitted electronically (other than by facsimile). But S.B. 227, which becomes effective on January 1, 2010, will require encryption of all personal information leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device.”


UK Data Protection Authority Publishes Draft Guidelines for Implementing Privacy Policies

The UK Information Commissioner's Office ("ICO", the UK data privacy agency) has recently issued an informative code of practice to assist companies collecting personal data in drafting clear privacy notices that tell data subjects how the company intends to use their personal data, especially when such data is considered confidential or sensitive. The published guidelines are subject to a consultation period and will be finalized after the consultation period ends on April 3, 2009.

In issuing the guidelines, the ICO made clear that privacy policies are essential to reassure companies’ potential and existing customers that the privacy of their data is taken seriously.

The principal purpose of the guidelines is to remind companies that they must inform all data subjects about:

  • the transfer of data to other companies and overseas;
  • the duration of storage;
  • the measures taken to ensure the security of the personal data;
  • the possibility to object to direct marketing;
  • who to contact if there is a complaint.

In promulgating the guidelines, the ICO reminded the companies of their obligations under the EU Data Protection Directive of 1995, which provides that all personal data must be processed "fairly and lawfully."

At a time when data breaches and online marketing have become increasingly common, it is essential that UK companies issue transparent policies about the collection, use, sharing, and security of personal data.

Jeremy Mittman in Proskauer's Los Angeles office contributed to this post.

Massachusetts Regulators Postpone Compliance Deadline and Issue Revised ID Theft Regulations

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed -- for the second time -- its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered-compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)


MA Delays Implementation of Information Protection Standards

Businesses holding personal information of Massachusetts residents have at least one thing to be thankful for this holiday season.  As reported here, Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. Those standards include encryption of electronic data when stored or transmitted and were set to take effect January 1, 2009.

In light of current economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) delayed the general compliance deadline until May 1, 2009 – the same date the FTC’s new red flag rules take effect (as reported here, here and here).  The OCABR also extended a number of other related deadlines, which are listed in the OCABR’s announcement available here.

MA Issues New Rules for the Protection of Personal Information

The September 2008 issue of "A Moment of Privacy," a monthly e-newsletter brought to you by the Privacy and Data Security Practice Group of Proskauer Rose, LLP, has been released. 

This month's question was "I understand that Massachusetts’ new information security rule reaches beyond what other states require. What do these new rules mean for my company?"

Past issues of A Moment of Privacy are also available.

Leaving Las Vegas . . . IF Encrypted

A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any "business in this State" to encrypt an electronic transmission (other than via facsimile) of "any personal information of a customer" to "a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission." Id.


CT's New SSN Law Is Third of Its Kind

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. 


New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information.  “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.        


SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Focus on the EU and France -- Can US Employers Collect Sensitive Data about Their Employees Resident in the EU?

US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees.  However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive.  This blog post is designed to provide some basic information about Article 8 and its exceptions.  It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.


French Data Protection Agency Rules that Employees Are Entitled to View Their Evaluations


Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. The CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which refused to divulge the employees’ evaluations to employees upon request.


Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  
