Updates

This chart provides information regarding security breach notification legislation which has been enacted in U.S. jurisdictions. The chart was last updated on April 8, 2010 to reflect Mississippi's enactment of a data breach notification law effective July 1, 2011 and Washington state's amendment to its existing law effective July 1, 2010.

Employers are learning the hard way that gaining access to private employee information during workplace investigations can lead to lawsuits, liability and headaches.

The Federal Trade Commission (FTC) recently adopted important changes to the agency’s Guides Concerning the Use of Endorsements and Testimonials in Advertising.  The Guides now directly apply to product endorsements through nontraditional media, such as blogs.

The FTC recently extended the enforcement deadline for the Red Flags Rule until November 1, 2009. The Rule was originally scheduled to go into effect on November 1, 2008, but on Wednesday, July 29, 2009, the FTC announced that it was delaying enforcement for the third time because a number of industries and entities within the FTC’s jurisdiction still expressed confusion and uncertainty about what types of entities would be subject to the Rule and what the Rule actually required of covered entities.

On June 25, 2009, the Department of Energy (DOE) announced that $3.4 billion in federal grants will be available through the Smart Grid Investment Grant Program (SGIG) and an additional $615 million will be available under the separate Smart Grid Demonstration Program (SGDP).  Funding for these programs was provided in the American Recovery and Reinvestment Act.

A report commissioned by the Office of the Privacy Commissioner of Canada concludes that Canada's Personal Information Protection and Electronic Document Act ("PIPEDA") applies to Second Life, a massively multiplayer online game ("MMOG") operated by Linden Lab, which is based in San Francisco, California.

This update is to inform you of two notable developments in the area of data security and privacy.  One is revisions to the Massachusetts Data Protection Regulations, and the other is an FTC Staff Report with guidance applicable to those engaged in online behavioral advertising and to Web site operators that collect online data generally.

As of January 3, 2009, a new law enacted in New York will limit employers' use of employees' Social Security Numbers (SSNs). 

On December 11, 2008, the Federal Trade Commission (the "FTC") issued a press release describing a $1 million settlement with Sony BMG Music Entertainment ("Sony Music") over charges that it violated the Children's Online Privacy Protection Act (COPPA).

The Federal Trade Commission recently proposed changes to the agency’s Guides Concerning the Use of Endorsements and Testimonials in Advertising. The Guides will now explicitly apply to advertising through nontraditional media, such as blogs.

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has extended to May 1, 2009 its deadline for businesses and others to comply with its new data security regulations.

On Wednesday, October 22, 2008, the FTC announced that it has suspended enforcement of its new "Red Flag Rules" for combating identity theft for a period of six months, which gives entities that are subject to the rule until May 1, 2009 to implement their written "Red Flag Programs."

The Federal Trade Commission recently issued a final Discretionary Rule under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM).

As the news is increasingly filled with reports of identity theft and the data security breaches experienced by large retailers such as TJX, several groups are expressing concerns about the safety of sensitive consumer data.

Since December 2006, more than 100 putative class action suits have been filed in federal court against a broad spectrum of retailers alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA") of 2003 (15 U.s.C. § 1681 et seq.). The suits allege these companies "willfully" violated FACTA by generating electronic customer credit or debit card receipts containing prohibited information, and seek awards of what some courts have described as "annihilating" statutory damages in the $100 million to $1 billion range, plus punitive damages and attorneys’ fees.

Enterprise-wide electronic data systems now routinely allow businesses to accomplish in a moment what a generation ago would have been an unimaginably difficult task. While novel and transformative technology continues to revolutionize the workplace, it also introduces frightening vulnerabilities and new legal challenges.

E-mail, for instance, is the most ubiquitous form of communication in the modern American workplace. It is also the single most fruitful source of evidence in litigation. Indeed, corporate executives attribute 34% of ongoing litigation to e-mail. Despite many businesses having broad “electronic communications policies” that allow them to monitor employee e-mail some courts are starting to find that employees may have a right to privacy in e-mail communications sent using their employer’s email systems, particularly where employers are lax in enforcing their electronic communications policy.

The Federal Trade Commission ("FTC") has charged seven companies with violating the Controlling the Assault of Non-Solicited Pornography And Marketing ("CAN-SPAM") Act for actions of their marketing affiliates. Under affiliate marketing programs, companies do not e-mail consumers directly, but pay others to send messages on their behalf to drive Internet traffic to Web sites. Typically, affiliates collect a commission for each sale that results from a click-through to a merchant's Web site. Under the CAN-SPAM Act, companies that initiate the e-mail by paying others to send it on their behalf are liable for illegal spam sent by their affiliates.

According to the Federal Trade Commission (FTC), a company that fails to provide adequate security for customer credit card and personal information is engaging in an unfair practice in violation of Section 5 of the FTC Act. On June 16, 2005, the FTC settled just such a case against BJ's Wholesale Club, Inc., a large warehouse store operator. According to the FTC, BJ's did not provide reasonable security for its customers' sensitive information, which resulted in the loss of personal credit card information and fraudulent transactions from counterfeit credit cards totaling around $13 million.

In 2002, California enacted the nation's first security breach notification law (SB 1386), which required businesses to notify California residents if computer systems were compromised and personal information disclosed. Personal information is defined as a person's name in combination with an unencrypted social security number, driver's license number, or financial account or credit card number with an accompanying access code.

Effective June 1, 2005, pursuant to the Federal Trade Commission's ("the FTC") Disposal Rule enacted under the federal Fair and Accurate Credit Transactions Act ("FACT Act"), businesses will be required to properly destroy or erase all consumer information that is derived from a consumer credit report before discarding it. The purpose of the Disposal Rule is to reduce the risk of identity theft and other consumer harm from improper disposal of such records. The federal Disposal Rule follows the trend set by statute in a number of states, such as California, that require businesses to shred or erase consumer information before disposing of it.

On September 21, 2004, the Federal Communications Commission ("FCC") released an Order establishing a 15-day "safe harbor" provision for autodialed calls made to wireless numbers that have recently been ported from wireline service. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-04-204A1.doc. Under this new rule, the FCC will not impose a penalty for placing autodialed or prerecorded message calls where such calls are made to a wireless number ported from wireline service within the previous 15 days so long as the number is not already on the national Do-Not-Call registry or the caller's company-specific Do-Not-Call list.

Gateway Learning Corporation ("Gateway"), seller of the "Hooked on Phonics" brand of products, has reached a proposed settlement of charges brought against it by the Federal Trade Commission ("FTC") about its privacy practices. The FTC alleged that Gateway misrepresented how it would use personal information collected from customers through its Web site, www.hop.com. The agency also claimed that, because Gateway made material changes to its privacy policy without satisfactory notice and applied them retroactively without opt-in consent, Gateway had engaged in unfair and deceptive acts and practices in violation of Section 5(a) of the FTC Act.

California Senate Bill 1386, which goes into effect July 1, 2003, establishes notification requirements regarding security breaches that involve the compromise of personal information. The statute applies to state agencies and persons or businesses conducting business in California that maintain or license electronic personal information.

The last stage of Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") is set to take effect on January 1, 2004. PIPEDA already covers federally regulated entities in Canada and will now apply to the collection, use, or disclosure of personal information in the course of any commercial activity in Canada.

A recent consent decree issued by the Federal Trade Commission ("FTC") concerning Eli Lilly and Company ("Lilly") underscores the principle that company representations concerning the protection and integrity of personal information collected creates liability for even inadvertent disclosures. A company making such representations had better have the employee training, internal procedures and auditing to back up such promises. This update discusses the steps companies should consider in light of the FTC enforcement action and settlement. The FTC's complaint against Lilly and settlement are available at http://www.ftc.gov.

When was the last time you updated your privacy policy? Does your privacy policy contain all the disclosures it should to meet industry standards? Over the past year, the Federal Trade Commission ("FTC") has taken several enforcement actions against Web sites for violation of consumer privacy laws, and many state regulators and private litigants have followed suit.