Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 08-4024).

Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. In its novel holding, however, the Third Circuit found that a corporation (AT&T) was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.” Specifically, FOIA exempts “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information … could reasonably be expected to constitute an unwarranted invasion of personal privacy…” (emphasis added). This exemption, combined with FOIA’s definition of “person” to include legal entities, enabled AT&T to argue successfully that a corporation has a right to privacy. (After all, the court said, “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”) As a result, AT&T’s competitors have not been able to obtain information about an FCC investigation of AT&T regarding AT&T’s alleged overcharging of some of its customers.

Whether this ruling will be followed in other FOIA cases, or used to expand the concept of privacy rights under other statutes, remains to be seen. For now, when submitting information to regulators in connection with investigations, companies should consider marking that information as confidential at the time of submission, since doing so could help the company later challenge attempts by competitors or other third parties to obtain it from the regulator under FOIA.

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively, published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations (201 CMR 17.00), as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Before an earlier extension, the compliance deadline had been May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all businesses, not just small businesses.

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Because several of the requirements of this new law lack a scienter element, the Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not know that the information relates to a minor.

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys.

WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are the two families of standards for encrypting and authenticating traffic on an 802.11 wireless network, and WPA is the more secure of the two. WEP’s design flaws (a short initialization vector combined with a static RC4 key) are well documented: researchers have reported consistently since 2001 that the WEP key can be recovered from captured traffic, and with current tools this takes minutes, so a WEP network offers little more protection against interception than an open one. For that reason, as discussed further below, industry standards (notably the Payment Card Industry Data Security Standard, which phased out WEP on networks carrying cardholder data) as well as regulators require that WPA, rather than WEP, be used to secure wireless networks that transmit sensitive information such as credit card numbers. Within the WPA family, WPA2 with AES (CCMP) encryption is the configuration to insist on; the original WPA’s TKIP cipher was a stopgap for older hardware and has known weaknesses of its own. Nonetheless, many companies are still using WEP.
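The practical check behind the paragraph above is simply: which of our wireless networks are still WEP (or open), and which are WPA but only with TKIP? The script below is an added example, not code from the original post: it classifies networks from a scan listing in the layout printed by the Linux `iwlist <interface> scan` command and grades each one. The scan text it runs on is constructed for the example (the BSSIDs and SSIDs are made up), and the assumption that `iwlist` reports WEP as “Encryption key:on” with no WPA/RSN information-element lines is the basis for the WEP classification.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `iwlist <iface> scan` output.
# Not captured from any real network; addresses and SSIDs are made up.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"POS-Register"
                    Encryption key:on
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"Guest"
                    Encryption key:off
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"Corp-Legacy"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"Corp"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
"""


@dataclass
class Network:
    bssid: str
    essid: str
    security: str        # one of "open", "WEP", "WPA", "WPA2"
    ciphers: frozenset   # cipher names advertised in the WPA/RSN IEs


def parse_iwlist(text: str) -> list:
    """Split iwlist-style scan output into one Network per cell."""
    nets = []
    for cell in re.split(r"^\s*Cell \d+ - ", text, flags=re.M):
        if not cell.strip():
            continue
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", cell).group(1)
        essid = re.search(r'ESSID:"(.*?)"', cell).group(1)
        key_on = re.search(r"Encryption key:(on|off)", cell).group(1) == "on"
        has_wpa2 = "802.11i/WPA2" in cell          # RSN (WPA2) information element
        has_wpa1 = re.search(r"IE: WPA Version", cell) is not None
        # "Group Cipher : CCMP" / "Pairwise Ciphers (2) : CCMP TKIP"
        ciphers = frozenset(
            word
            for line in re.findall(r"Ciphers? ?(?:\(\d+\))? : ([\w ]+)", cell)
            for word in line.split()
        )
        if not key_on:
            security = "open"
        elif has_wpa2:
            security = "WPA2"
        elif has_wpa1:
            security = "WPA"
        else:
            # Encryption on but no WPA/RSN IE: the only remaining option is WEP
            # (assumption about how iwlist reports WEP, see lead-in).
            security = "WEP"
        nets.append(Network(bssid, essid, security, ciphers))
    return nets


def assess(net: Network) -> tuple:
    """Grade a network for carrying sensitive data (e.g. cardholder data)."""
    if net.security in ("open", "WEP"):
        return "FAIL", f"{net.security}: no usable encryption; key recoverable from traffic" \
            if net.security == "WEP" else "FAIL: open network, traffic sent in the clear"
    if net.security == "WPA" or "TKIP" in net.ciphers:
        return "WARN", "TKIP in use: migrate to WPA2 with AES-CCMP only"
    return "PASS", "WPA2 with CCMP"


def audit(text: str) -> dict:
    """Map each ESSID in the scan to its verdict (FAIL / WARN / PASS)."""
    return {net.essid: assess(net)[0] for net in parse_iwlist(text)}


if __name__ == "__main__":
    for net in parse_iwlist(SAMPLE_SCAN):
        verdict, reason = assess(net)
        print(f"{verdict:4} {net.bssid} {net.essid!r:16} {net.security:5} {reason}")
```

To run it against a live environment, replace `SAMPLE_SCAN` with the output of `iwlist <interface> scan` captured as root; anything graded FAIL is a network on which card numbers or other sensitive data must not travel, and a WARN means the network is nominally WPA but still allows the older TKIP cipher.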

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least on the facts before it, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holdings Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act.