COPPA Violations? Cop a Settlement for $3 Million

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent. According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for the Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worth noting that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010, and Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab.

FTC Says Scoot, Rascal! Rascal Scooters Penalized $100,000 for Calling Consumers on the Do Not Call Registry

On April 21, 2011, the Federal Trade Commission (FTC) and Electronic Mobility Corporation (d/b/a Rascal Scooters) entered into a settlement agreement pursuant to which Rascal Scooters agreed to pay $100,000 as a civil penalty to settle a complaint filed by the FTC alleging that Rascal Scooters violated the FTC Act (15 U.S.C. § 44) and the FTC’s Telemarketing Sales Rule (16 C.F.R. 310) (TSR). At the center of the FTC’s complaint was the allegation that Rascal Scooters and its owner, Michael Flowers, made more than three million unsolicited sales calls since 2003 to consumers on the Do Not Call Registry who submitted their contact information to Rascal Scooters through its “Win a Free Rascal” sweepstakes.

As background, the Telemarketing Sales Rule allows a company to call a consumer on the Do Not Call Registry if the company has an “established business relationship” with the consumer and the consumer has not otherwise opted out of receiving calls from the company. What Rascal Scooters failed to consider, however, was that an “established business relationship” does not arise from the submission of a sweepstakes entry form. Rather, an “established business relationship” only exists if a consumer has purchased a company’s goods or services within the 18-month period immediately preceding the call, or if a consumer inquires or submits an application regarding a company product or service within the 3-month period immediately preceding the date of the call.

In addition to the $100,000 penalty, Rascal Scooters is only allowed to call consumers if it has their consent in writing or if there is an actual “established business relationship,” and it is subject to ongoing monitoring and reporting requirements to ensure its compliance with the settlement order.


It is important to note that the penalty imposed could have been (and can be) much greater than $100,000. Pursuant to the settlement order, Rascal Scooters is subject to a $2 million penalty that is currently suspended due to its inability to pay. The $2 million will become due immediately if it is revealed that the company misrepresented its inability to pay.

Cignet Proves That It Is Bad To Violate The HIPAA Privacy Rule, But Worse To Ignore HHS

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

According to the HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to patients’ records.

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains whether the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

U.K. ICO May Impose Fines for Data Breaches

A new Act of Parliament gives the United Kingdom’s Information Commissioner’s Office (ICO) the authority to impose monetary penalties for misuse of personal data in violation of section 55 of the Data Protection Act of 1998 (DPA).

For some years, the ICO has had only limited means of securing compliance with section 55 of the DPA, which makes it a criminal offense to knowingly or recklessly obtain or disclose personal data without consent. While the ICO has had the power to take action against individuals who violated section 55, the imposition of a penalty was left to the courts.

All this changed on May 9, 2008 with the enactment of the Criminal Justice and Immigration Act. The Act grants the ICO the power to impose fines directly for violations of section 55 of the DPA. This increase in the ICO’s authority mirrors that of other U.K. regulators like the Financial Services Authority, which in 2001 obtained the power to impose fines on banks and other financial institutions for data security failures.

Proskauer summer associate Noemi Blasutta contributed to this post.