Privacy Law Blog

Kristen J. Mathews


DC Court Sides with the ABA – No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers, saying that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s …

Since when does a legal entity have “privacy” rights?

Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024). Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that …

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning …

Update: Maine’s Marketing to Minors Law Found Likely to Be Unconstitutional

The first lawsuit challenging Maine’s Act to Prevent Predatory Marketing Practices Against Minors has concluded.  The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could …

Massachusetts’ Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.) The revised regulations emphasize …

Maine Makes Marketing Minors “Predatory”

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to …

WEP vs WPA – What You Need to Know

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several …

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient. On June …

What elementary school did you go to?

I don’t know, but I could probably find out.  There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice.  Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be …

Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers. The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most …

Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and …

“Address Book Harvesting” Issues to Contend With

More and more companies have been considering engaging in marketing campaigns that involve “address book scraping,”  in which a user is asked to import his contacts (i.e., the e-mail addresses he has stored in his e-mail account address book) into his social networking Web site or other online service so that a message can be …

Privacy Issues When “Computing in the Cloud”

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed. While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues.  Cloud computing, in its …

One Reputable Retailer Takes a $7M Hit On Text Messages

On September 10, 2008, Timberland Company, an outdoor clothing and shoe merchant, along with co-defendant ad agencies GSI Commerce Inc. (“GSI”) and AirIt2Me Inc. (“AirIt2Me”), settled charges brought under the Telephone Consumer Protection Act (“TCPA”) arising from unsolicited text messages advertising Timberland’s holiday sale.  Pursuant to the settlement, Timberland must employ best practices in future …

MA Issues New Rules for the Protection of Personal Information

The September 2008 issue of “A Moment of Privacy,” a monthly e-newsletter brought to you by the Privacy and Data Security Practice Group of Proskauer Rose, LLP, has been released. This month’s question was “I understand that Massachusetts’ new information security rule reaches beyond what other states require. What do these new rules mean for …

CT’s New SSN Law Is Third of Its Kind

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. …

New CAN-SPAM Rule Gives Long-Awaited Answers

On May 12, 2008 the Federal Trade Commission issued its long awaited final set of rules under the CAN-SPAM Act of 2003 (the “Act”). The rule: Modifies the term “sender” with respect to multi-advertiser e-mails; Clarifies the opt-out request process; Defines the term “person”; and Clarifies the meaning of “valid physical postal address” of the …

Emerging Standards For Mobile Marketing

Many B2C companies are beginning to explore marketing to consumers’ wireless devices using text messaging (“SMS,” or “short message service”) and MMS messaging (“Multi-media Messaging Service”). They may even target their promotions based on where the recipient is physically located using the wireless device’s GPS technology. They also may target their promotions to teens and tweens. What legal issues should …