On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program. The OCR pilot program calls for approximately 150 audits of covered entities. The audits are intended to address privacy and security compliance and to assist OCR in assessing and identifying best practices, as well as risks and vulnerabilities, for health care entities. Although the pilot program is expected to immediately impact only a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.
News “Flash” – FTC Settlement Over Use of Flash Cookies Highlights FTC Focus on Consumer Notice and Choice
The Federal Trade Commission has announced a settlement agreement with ScanScout, Inc., an online advertising network alleged to have made misleading statements in its privacy policy, which failed to disclose ScanScout’s use of Flash cookies. The settlement terms require ScanScout to implement various conspicuous (i.e., not hidden in the privacy policy) notices regarding behavioral tracking and opt-out mechanisms that reflect recent FTC guidance and developing industry standards. Companies engaging in behavioral tracking (using Flash cookies or otherwise) may look to the terms of this settlement agreement for color on what the FTC wants to see in terms of consumer notices and choices.
Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach
Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine law. This case, Anderson v. Hannaford Brothers, Co., may be read narrowly to apply only to circumstances involving actual theft and misuse of customers’ data. Nevertheless, plaintiffs’ lawyers, who for years have made unsuccessful claims for damages following data security breaches, will likely attempt to broaden this holding to apply at least to other mitigation costs incurred by plaintiffs.
Site Targeting “Tweenagers” Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations
The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. For Skid-e-kids, the FTC’s settlement means taking remedial measures; an injunction; and a $100,000 civil penalty. For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.
…
Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System
In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.
The FTC Has Your Back, Even When It’s Naked: FTC Orders P2P Program’s Default File Sharing Settings Changed
FrostWire LLC (a P2P file-sharing software company) has agreed to change the default privacy settings on its mobile and desktop applications and to clearly disclose its applications’ content sharing options. The changes are required by a settlement agreement with the FTC, which resulted from the FTC’s claims that FrostWire’s content sharing practices violated the FTC Act.
…
Ninth Circuit: ECPA Protects Stored Communications of Foreign Citizens
In a recent decision, the Ninth Circuit held that “the ECPA unambiguously applies to foreign citizens.” In Suzlon Energy Ltd. v. Microsoft, Suzlon Energy demanded that Microsoft produce emails from the Hotmail email account of an Indian citizen imprisoned abroad. The district court held that the Electronic Communications Privacy Act (“ECPA”) prohibited Microsoft from producing the documents even though the individual was not a U.S. citizen. The Ninth Circuit affirmed.
…