On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass’n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

Section 214 of Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.
On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission(SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.
The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

There have been 449 data breaches reported in media in 2008, according to the Identity Theft Resource Center’s 2008 Data Breach List.  That number exceeds the 2007 year-end total, and counts as only one breach even massive incidents such as the Hannaford Bros. breach.  Note that some of the breaches

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.