The FTC has released a proposed breach notification rule in connection with personal health records, as part of its obligations under the new privacy provisions of the HITECH Act.

In addition, HHS has issued proposed regulations and request for comments on the HITECH Act. The HHS document addressed the meaning of “unsecured” in connection with the breach notification requirements under the HITECH Act.  Essentially, the categories of “secured” information involve encryption and “destroyed” information. In the document, HHS also seeks comments on several significant issues related to the new breach notification requirements.

Tresa Baldas of the National Law Journal has written a very interesting article on online behavioral.  The article, Advertiser tracking of Web surfing brings suits Class action filed; guidelines issued, focuses on a number of key issues related to online behavioral advertising. In her article, Ms. Baldas notes my observastions that additional changes in this area are very likely:

“The current position is still self-regulation,” Klosek tells her clients. “But expect considerable focus on regulation and potential changes in the next 12 to 18 months.”

On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of the Commonwealth’s new data security regulations on the Standards for the Protection Personal Information of Residents of the Commonwealth, as set forth in 201 CMR 17.00 (the “Regulations”).  The Regulations impose very strict – and specific – data security requirements for all businesses processing personal information.  The new version of the Regulations makes two major changes and one clarification.

Read the rest of this entry »

In a 55 page report, the FTC has issued revised behavioral advertising guidelines.  The revised guidelines, which are not a significant departure from the prior guidelines, have been widely criticized by privacy advocates, who had been pushing for more regulation in this growing area.

The revised guidelines are set forth below, with the new changes marked. Again, it must be emphasized that the principles below are mere guidelines for self-regulation and do not require any company to comply with any or all of them.
Read the rest of this entry »

On January 7, 2009, legislation was introduced in the New York State Assembly that would prohibit the sale, lease, or exchange of consumers’ e-mail addresses or other personally identifiable information obtained online without providing the applicable consumer with (i) clear and conspicuous notice of the collection of the information and (ii) the ability to opt-out of the sale or lease of the information.  “Personally-identifiable Information”, as used in the proposed law, is defined broadly to include, but not be limited to, a person’s social security number, date of birth, current and prior addresses and a mother’s maiden name.

The proposed legislation, New York Assembly Bill 272, which is in the Assembly Consumer Affairs and Protection Committee, would grant the state attorney general authority to enforce the law. Under the proposed legislation, violators would be subject to fines of up to $1,000 per violation.

On Wednesday, January 21, 2009, the Obama administration posted a policy document that outlines a strategy to protect the country’s information networks and to expand research and investment into cybersecurity. The proposed cyber security strategies are included within a broader policy document on homeland security, made available on the web site of the Whitehouse.
Read the rest of this entry »

The proposed American Recovery and Reinvestment Bill of 2009 (”ARRA”), a massive proposal, contains significant provisions concerning the security and privacy of health related information. If passed, the legislation, would result in drastic changes in the US health care system and have a major impact on companies that collect, use, disclose and otherwise process health related information.
Read the rest of this entry »

Behavioral advertising, which can be understood as the tracking of a consumer’s activities on line in order to deliver advertising targeted to the consumer’s specific interest, is a significant growth area. More and more companies are adopting some form of behavioral advertising into their marketing programs.

Behavioral advertising has, however, also raised important privacy concerns. As a result, at the end of 2007, the Federal Trade Commission (“FTC”) released a set of proposed principles to guide the development of self regulation in the area of online behavioral advertising. These guidelines were released after the FTC hosted a town hall meting focused specifically on behavioral advertising.
Read the rest of this entry »

The entertainment industry’s efforts to crack down on illegal downloaders recently suffered a blow when the European Court of Justice (“ECJ”) ruled that, due to privacy concerns, internet service providers (“ISPs”) cannot be compelled to disclose the identities of alleged file sharers. The ECJ concluded that the laws of the European Community do not allow for the forced disclosure of information that could lead to the discovery of the identities of file sharers. The decision can be perceived as a setback for the music industry which, to date, has used such information to file lawsuits against individuals believed to be engaging in illegal file swapping and downloading.

The ECJ’s consideration of the issue arose out of a Spanish case involving Promusica, a Spanish nonprofit organization that represents musical and video producers. Promusica had asked the Spanish courts to order Telefonica to disclose the identities and physical addresses of certain individuals to whom Telefonica provided internet services. The group had been seeking the identities of individuals it believed to be engaged in illegal file swapping and planned to use that information in connection with civil law suits.

Through appeals, the case made its way to the ECJ, which ruled that: “Community law does not require the member states, in order to ensure the effective protection to copyright, to lay down an obligation to disclose personal data in the context of civil proceedings.”
In addition to serving as a setback to the music industry in its pursuit of illegal file swappers, the decision also raises interesting questions. In rendering a clear decision, the court also acknowledged that member states must balance “the right to respect for private life on the one hand and the rights to protection of property and to an effective remedy on the other.” In fact, the court’s decision left the door open for countries to implement rules to allow for the sharing of such records – as long as the rules balance the need for privacy.