Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The district court’s decision supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see our blog post here) into other jurisdictions.

          On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data".  The new amendments are effective as of July 1, 2011.  Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia.  Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection.  However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.
At that time, the CNIL had issued a deliberation to reach a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law. According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of the SOX Act. According to Article 3 of the 2005 deliberation, alleged wrongdoings not encompassed within these core areas may be covered by the whistleblowing system only if vital interests of the company or the physical or psychological integrity of its employees were threatened.

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas.

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to HHS’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs and procedures and penalties for employees that fail to comply with them. Rite Aid also entered into a separate, but related settlement with the FTC to resolve allegations that the company failed to live up to promises made in its privacy policy.