Data Privacy Laws : Privacy Law Blog

Illinois Attorney General Issues Information Security and Security Breach Notification Guidance

Posted on February 1, 2012 by Robyn Sterling

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in preventing, preparing for and responding to data security breaches. The guidance suggests that entities assess the amount of personal information on file, reduce the amount of personal information available within the entity, protect the information accordingly and train employees to properly manage the information. In order to respond quickly and efficiently to a data security breach, the guidance encourages entities to create and implement an incident response plan that includes the PIPA notice requirements.

For additional information about the Information Security and Security Notification Guidance, click here.

Tags: Data Privacy Laws, Illinois, guidance, information, personal, state

EC Proposal For New Data Protection Regulation

Posted on January 27, 2012 by Peta-Anne Barrow

The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe's digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27 member states of the EU (the “member states”) some flexibility as to how the 1995 Data Protection Directive is implemented in their jurisdiction, the new law would apply directly so that there would be an entirely uniform set of data protection standards across the EU.

Key changes include...

Tags: Data Privacy Laws, Data Protection Act, EU, European Commission, European Union, online privacy rights

Massachusetts Data Security Regulations: Deadline To Update Service Provider Contracts Is Fast Approaching

Posted on January 26, 2012 by Amy Crafts

The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is only a month away. By March 1, 2012, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information. This alert summarizes the requirements that will become effective as of March 1, 2012.

Read the entire article.

Tags: Data Privacy Laws

Massachusetts Federal Judge Says ZIP Code is Definitely Maybe "Personal Identification Information" . . . Implores Parties to Seek State Court Certification.

Posted on January 12, 2012 by Brendon Tavelli

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead (see our blog post here) in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court refused to apply the California Supreme Court’s reasoning that the term “address” in § 105(a)’s definition of PII encompassed individual components of an address, and instead relied on a shaky analogy to PIN code to conclude that “a ZIP code can indeed be PII under section 105(a).” Id. at 12. The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. The decision is a strange one for a variety of reasons, not the least of which is the court’s insistence on setting the stage of a David vs. Goliath type showdown at the outset of its opinion only to bounce the “little guy” right out of the arena, but here goes …

Tags: Data Privacy Laws, Massachusetts, Song-Beverly Credit Card Act, personal identification information, transaction form, zip code

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

Posted on December 9, 2011 by Kristen J. Mathews

"Do I really have to obtain consent from all my customers to make a change to my privacy policy? No one else seems to be following that rule."

We get this question all the time. It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users. (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term. Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Tags: Data Privacy Laws, FTC, FTC Enforcement, Facebook, Online Privacy, Privacy Policy, material adverse retroactive change

Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System

Posted on October 27, 2011 by Cecile Martin

In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.

Tags: CNIL, Data Privacy Laws, data privacy, whistleblowing system

ZIP-lined Out of Court: Williams-Sonoma Obtains Dismissal of New Jersey ZIP Code Collection Suit

Posted on October 4, 2011 by Brendon Tavelli

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The TCCWNA prohibits, among other things, the offering, entering into, giving or displaying a written consumer contract or notice “which includes any provision that violates any clearly established legal right of a consumer” under New Jersey or Federal law. In somewhat confusing fashion, the plaintiff’s complaint alleged that the electronic credit card transaction forms into which Williams-Sonoma enters consumers’ zip codes constituted consumer contracts that were subject to TCCWNA and that the collection of consumer zip codes on such forms violated the TCCWNA.

Tags: Data Privacy Laws, New Jersey, dismiss, litigation, personal information, zip code

Recent Amendments to Russian Data Protection Law Further Clarify International Data Transfer Rules

Posted on September 9, 2011 by Jeremy Mittman

On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data". The new amendments are effective as of July 1, 2011. Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia. Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection. However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

Tags: Data Privacy Laws

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

Posted on August 23, 2011 by Amy Crafts

The Massachusetts Attorney General's Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth's stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General's Office, was likely incinerated by the bank's waste disposal company.

Tags: 201 CMR, Assurance of Discontinuance, Belmont Savings Bank, Data Privacy Laws, Data Privacy Laws, Massachusetts, WISP

Let us tell you how we see this going down: White House publishes cybersecurity legislative proposal

Posted on May 18, 2011 by Brendon Tavelli

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The proposal comes almost two years after the President identified cyber threats and protecting our digital infrastructure as “one of the most serious economic and national security challenges we face as a nation” in his Cyberspace Policy Review. The Administration’s legislative proposal includes a number of proposals to update existing federal cybersecurity laws and regulations in order to protect the Nation against cyber threats. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.

Tags: Cyber Security, Data Privacy Laws, White House, data breach, data security, legislation

French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

Posted on December 15, 2010 by Cecile Martin

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

At that time, the CNIL had issued a deliberation to reach a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law. According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of the SOX Act. According to Article 3 of the 2005 deliberation, alleged wrongdoings not encompassed within these core areas may be covered by the whistleblowing system only if vital interests of the company or the physical or psychological integrity of its employees were threatened.

Tags: 'whistleblowing', CNIL, Data Privacy Laws, France, data protection

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

Posted on December 8, 2010 by Kristen J. Mathews

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today?

Tags: Data Privacy Laws, FTC, behavioral, information, opt-in, opt-out, personal, policies, privacy, report

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

Posted on October 25, 2010 by Cecile Martin

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas.

Tags: ''French, ''data, CNIL, Data Privacy Laws, data, data privacy, data protection, processing'', protection'', security''

Sanctions for Lazy Disposal Require Drug Store Chain to Re-"Rite" its Data Security Policies and Procedures

Posted on August 5, 2010 by Brendon Tavelli

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures and penalties for employees that fail to comply with them.

Tags: Data Privacy Laws, FTC, HHS, HIPAA, health information, personal information, settlement

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

Posted on June 11, 2010 by Natalie Newman

As we've discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located-- using personal data of Massachusetts residents.

Although the deadline for compliance with the Regulations – March 1, 2010 – has come and gone, many companies – both within Massachusetts, but particularly outside of Massachusetts – are not yet, in fact, compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.

In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics. "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman is available here.

Tags: Data Privacy Laws, Massachusetts, data privacy, data security, data security breach, privacy, regulations

Everybody Likes Free Stuff: Draft Privacy Legislation Seeks To Enhance Consumer Protections Without Disrupting Ad-Supported Internet Business Model

Posted on May 18, 2010 by Brendon Tavelli

A draft Congressional bill released Tuesday, May 3 aims enhance consumer privacy protections both online and offline and establish a national framework for the collection, use and security of consumer information, superseding state law requirements regarding the collection, use and disclosure of the information it covers. The draft legislation, sponsored by Congressmen Rick Boucher (D, Va.) and Cliff Stearns (R, Fla.), recognizes the importance of online advertising in supporting free online content and services and attempts to extend privacy protections without disruption of this business model. The bill's sponsors have requested comments on the draft by June 4th, and stakeholder meetings may also be scheduled to discuss the draft and receive comments.

Click here to learn more about the draft legislation, and stay tuned for updates as the comment period proceeds.

Tags: Boucher, Congress, Data Privacy Laws, Stearns, federal, legislation, marketing, online

Application of New Massachusetts Data Security Regulations to Out-of-State Businesses

Posted on May 12, 2010 by Amy Crafts

Massachusetts’s new data security regulations, effective as of March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Massachusetts regulators and enforcement agencies would likely make the following three arguments that out of state entities must also comply with the new regulations.

Tags: Data Privacy Laws

French Data Protection Agency Issues Recommendations Regarding Employees' Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

Posted on September 21, 2009 by Cecile Martin

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.

The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared.

Tags: Data Privacy Laws, data security, swine flu

Massachusetts' Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Posted on August 17, 2009 by Kristen J. Mathews

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010. (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need. These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program. That said, the changes apply to all business, not just small businesses.

Tags: 201 CMR 17.00, Data Privacy Laws, Massachusetts, STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH, data security, regulations

European Privacy Law And Social Networking

Posted on July 7, 2009 by Cecile Martin

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity thefts, loss of employment or business opportunities. In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken off of a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users. The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks both to users and third parties of uploading information. If third party information or pictures are uploaded, it should be done with that individual’s consent. They should also provide information and adequate warning to users about privacy risks when uploading data on the SNS.

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

Retention of Data – Personal data of users should not be kept after their accounts are deleted. When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

Thus, companies that do not operate an SNS may still governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

Tags: Data Privacy Laws, EU Data Directive, European Union Data Protection Directive, data protection, personal data, personal information, privacy, social networking

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Posted on June 30, 2009 by Kristen J. Mathews

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy. However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software. The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act.

Tags: Behavioral Marketing, Data Privacy Laws, FTC Enforcement, Online Privacy, Spyware

What Happens in Vegas Really Does Stay in Vegas (Unless It Is Encrypted)

Posted on June 19, 2009 by Brendon Tavelli

A new Nevada law, S.B. 227, will require entities doing business in that state to beef up their protections of personal information. Previously, we wrote about Nevada’s personal information encryption law. See our blog post here. The current law requires encryption of any personal information transmitted electronically (other than by facsimile). But S.B. 227, which becomes effective on January 1, 2010, will require encryption of all personal information leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device.”

Tags: Data Privacy Laws, data, data collector, data security, data storage device, doing business, encryption, personal information, physical controls

UK Data Protection Authority Publishes Draft Guidelines for Implementing Privacy Policies

Posted on February 19, 2009 by Cecile Martin

The UK Information Commissioner Office ("ICO", the UK data privacy agency) has recently issued an informative code of practice to assist companies collecting personal data so that they can better draft clear privacy notices to data subjects about how the company intends to use personal data, and especially when such data is considered to be of a confidential or sensitive nature. The published guidelines are subject to a consultation period and will be finalized after the consultation period ends, on April 3, 2009.

In issuing the guidelines, the ICO made clear that privacy polices were essential to reassure companies’ potential and existing customers that that the privacy of their data is taken seriously.

The principal purpose of the guidelines is to remind companies that they must inform all data subjects about:

the transfer of data to other companies and overseas;
the duration of storage;
the measures taken to ensure the security of the personal data;
the possibility to object to direct marketing;
who to contact if there is a complaint.

In promulgating the guidelines, the ICO reminded the companies of their obligations under the EU Data Protection Directive of 1995, which provides that all personal data must be processed "fairly and lawfully."

At a time when data breaches and online marketing have become increasingly common, it is essential that UK companies issue transparent policies about the collection, use, sharing, and security of personal data.

Jeremy Mittman in Proskauer's Los Angeles office contributed to this post.

Tags: Data Privacy Laws, data privacy, data protection

Massachusetts Regulators Postpone Compliance Deadline and Issue Revised ID Theft Regulations

Posted on February 13, 2009 by Brendon Tavelli

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed -- for the second time -- its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered-compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)

Tags: 201 CMR 17.00, Data Privacy Laws, Massachusetts, OCABR, Regulation, data security, encryption, personal information

MA Delays Implementation of Information Protection Standards

Posted on November 26, 2008 by Proskauer Rose LLP

Businesses holding personal information of Massachusetts residents have at least one thing to be thankful for this holiday season. As reported here, Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. Those standards include encryption of electronic data when stored or transmitted and were set to take effect January 1, 2009.

In light of current economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) delayed the general compliance deadline until May 1, 2009 – the same date the FTC’s new red flag rules take effect (as reported here, here and here). The OCABR also extended a number of other related deadlines, which are listed in the OCABR’s announcement available here.

Tags: Data Privacy Laws, Massachusetts, data privacy

MA Issues New Rules for the Protection of Personal Information

Posted on September 30, 2008 by Kristen J. Mathews

The September 2008 issue of "A Moment of Privacy," a monthly e-newsletter brought to you by the Privacy and Data Security Practice Group of Proskauer Rose, LLP, has been released.

This month's question was "I understand that Massachusetts’ new information security rule reaches beyond what other states require. What do these new rules mean for my company?'"

Past issues of A Moment of Privacy are also available.

Tags: Data Privacy Laws

Leaving Las Vegas . . . IF Encrypted

Posted on September 24, 2008 by S. Montaye Sigmon

A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any "business in this State" to encrypt an electronic transmission (other than via facsimile) of "any personal information of a customer" to "a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission." Id.

Tags: Data Privacy Laws, Nevada, electronic transmission, encrypt, encryption, secure system of the business

CT's New SSN Law Is Third 0f Its Kind

Posted on August 7, 2008 by Kristen J. Mathews

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more.

Tags: Data Privacy Laws, SSN, social security number

New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

Posted on July 7, 2008 by Proskauer Rose LLP

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008.

The new law penalizes any individual or business that intentionally fails to protect personal information. “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.

Tags: Connecticut, Data Privacy Laws, Social Security numbers, data disposal, data retention, data security, personal information

SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

Posted on March 17, 2008 by Scott J. Carpenter

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities. Continue Reading...

Tags: Data Privacy Laws, Financial Privacy, Gramm-Leach-Bliley Act, Regulation S-P, SEC, broker-dealers, investment companies

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Posted on February 19, 2008 by Scott J. Carpenter

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_

Tags: California, Data Privacy Laws, Disclosure, Laws, breach, data, legislation, notification, privacy, security

Focus on the EU and France -- Can US Employers Collect Sensitive Data about Their Employees Resident in the EU?

Posted on December 12, 2007 by Cecile Martin

US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees. However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive. This blog post is designed to provide some basic information about Article 8 and its exceptions. It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.

Tags: Data Privacy Laws

French Data Protection Agency Rules that Employees Are Entitled to View Their Evaluations

Posted on October 3, 2007 by Cecile Martin

Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. The CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which refused to divulge the employees’ evaluations to employees upon request.

Tags: Data Privacy Laws

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Posted on April 27, 2007 by Proskauer Rose LLP

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements. In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779. That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers. The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.

Tags: California, Data Privacy Laws, breach notification, legislation, privacy, retailers