
CORPORATE COUNSEL'S RECORDS RETENTION REPORT
FEBRUARY 2013 | ISSUE 182
Mat #41311788

IN THIS ISSUE:

Letter from the Editor ........ 1
Privacy Regulation in the United States ........ 1
I. U.S. Online Privacy Regulation ........ 1
II. Specific Areas of Regulation ........ 10

LETTER FROM THE EDITOR

Dear Subscribers,

This issue of the CORPORATE COUNSEL'S RECORDS RETENTION REPORT features an excerpt from Internet Distribution, E-Commerce and Other Computer Related Issues: Current Developments in Liability On-Line, Business Methods Patents and Software Distribution, Licensing and Copyright Protection Questions, an article written by Mr. Andre R. Jaglom. Mr. Jaglom is a member of the New York City firm of Tannenbaum Helpern Syracuse & Hirschtritt LLP and is a nationally-recognized expert in the field of distribution law. We are grateful to Mr. Jaglom for his permission to share his insights on privacy regulation in the United States.

Sincerely,
Nick J. Vizy
Senior Attorney Editor

PRIVACY REGULATION IN THE UNITED STATES

By Andre R. Jaglom*

* Mr. Jaglom is a member of the New York City firm of Tannenbaum Helpern Syracuse & Hirschtritt LLP. The assistance of Jason B. Klimpl, an associate at the firm, is gratefully acknowledged.

© Andre R. Jaglom 1993, 1994, 1995, 1996, 1997, 1998, 2000, 2002, 2003, 2005, 2006, 2007, 2008, 2010, 2011, 2012. All Rights Reserved.

I. U.S. ONLINE PRIVACY REGULATION

A. FEDERAL TRADE COMMISSION REGULATION

Events in recent years suggest that the American laissez-faire approach to consumers' privacy has been evolving.[1] The Federal Trade Commission has become the principal federal agency enforcing privacy concerns, under its mandate to regulate unfair or deceptive practices. The FTC in June 1998 issued “Privacy Online: A Report to Congress” (hereafter, the “1998 Privacy Report”).[2] That report asserts as four core principles of fair information practice: “that consumers be given notice of an entity's information practices; that consumers be given choice with respect to the use and dissemination of information collected from or about them; and that the consumers be given access to information about them collected and stored by an entity; and that the data collector take appropriate steps to insure the security and integrity of any information collected.”[3]

A similar FTC report to Congress in 2000 emphasized the same four key elements, known as the Fair Information Practice Principles.[4]

These four principles also led to the FTC's February 2009 Self-Regulatory Principles for Online Behavioral Advertising and the implementation of the “Do Not Track” mechanism in 2010 (described below). According to the FTC, “behavioral advertising is the tracking of a consumer's activities online—including the searches the consumer had conducted, the Web pages visited, and the content viewed—in order to deliver advertising targeted to the individual consumer's interests.”[5] The Self-Regulatory Principles also include four key principles: (i) every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose; (ii) any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need; (iii) companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data; and (iv) companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.[6]

And, in March 2012, the FTC and Obama administration both called on Congress to codify and establish a “Consumer Privacy Bill of Rights.”[7] The proposed Bill of Rights articulates seven broad principles to address online privacy challenges:

• Individual Control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

• Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.

• Respect for Context. Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.

• Security. Consumers have a right to secure and responsible handling of personal data.

• Access and Accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

• Focused Collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.

• Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

However, given the current partisan atmosphere in Washington, D.C., the prospects of Congress passing such legislation remain unclear; consumers may have to rely on industry group standards and FTC enforcement action to protect online privacy.[8]

© 2013 Thomson Reuters. All rights reserved.

CORPORATE COUNSEL'S RECORDS RETENTION REPORT (ISSN 1098-0261) is published monthly by Thomson Reuters, 610 Opperman Drive, P.O. Box 64526, St. Paul, MN 55164-0526. POSTMASTER: send address changes to CORPORATE COUNSEL'S RECORDS RETENTION REPORT, 610 Opperman Drive, P.O. Box 64526, St. Paul, MN 55164-0526.

This publication was created to provide you with accurate and authoritative information concerning the subject matter covered; however, this publication was not necessarily prepared by persons licensed to practice law in a particular jurisdiction. The publisher is not engaged in rendering legal or other professional advice and this publication is not a substitute for the advice of an attorney. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional.

For authorization to photocopy, please contact the Copyright Clearance Center at 222 Rosewood Drive, Danvers, MA 01923, USA (978) 750-8400; fax (978) 646-8600 or West's Copyright Services at 610 Opperman Drive, Eagan, MN 55123, fax (651) 687-7551. Please outline the specific material involved, the number of copies you wish to distribute and the purpose or format of the use.

B. FTC ENFORCEMENT ACTIONS AND DEVELOPMENTS

In 2001, then FTC Chairman Timothy Muris outlined the FTC's current and future privacy initiatives and announced the FTC's plan to increase resources devoted to protecting consumer privacy by 50%.[9] Among the issues on the FTC's pro-privacy agenda are enforcing the privacy promises posted on Web sites,[10] investigating complaints of U.S. companies failing to provide privacy protections they had promised under the European Safe Harbor Principles, and encouraging strong security for personal information collection.

FTC activities have included an announcement that, in the absence of clear statements to the contrary, a company's online privacy policy would be considered to apply equally to a company's offline collection and use of data,[11] and its settlement of charges against two companies that collected personal data from high school students and sold them to commercial marketers despite promises not to do so.[12]

The FTC has also acted against Gateway Learning Corp., the publisher of “Hooked on Phonics,” for changing its privacy policy to allow it to share customers' personal information, in violation of an explicit promise in its former policy, and then applying the looser standard to customers without affording them the opportunity to opt out. The settlement forbids Gateway from applying changes to its privacy policy retroactively without the affirmative opt-in consent of the affected customers, and requires it to disgorge the $4,600 it gained from renting its customer data.[13]

In early 2002, the FTC settled an action against Eli Lilly and Co. for alleged inadvertent violation of its privacy policy.[14] A Lilly employee had unintentionally sent an e-mail to all subscribers to a Prozac-related e-mail service, placing their e-mail addresses in the “To:” field, and thereby making the addresses visible to all. The FTC charged that Lilly's inadequate internal security procedures rendered its privacy policy deceptive. The settlement required implementation of a security program to protect consumers' personal information from reasonably foreseeable threats to its security, confidentiality or integrity and from unauthorized access, use or disclosure.
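The Lilly incident is a programming mistake as much as a procedural one, so the following added example (written for this edition, not code from the article or from any company it discusses) shows the “To:” failure mode beside the Bcc form that keeps a subscriber list private, plus a pre-send check that tells the two apart. Every address here is a constructed placeholder, the list address notices@example.com is assumed, and nothing is actually transmitted; the check inspects the message object rather than any mail server.

```python
# Added example, not from the article: a bulk notice built so that the
# subscriber list travels only in Bcc, beside the "To:" mistake described
# in the Eli Lilly matter, and a gate that distinguishes the two.
# All addresses are constructed placeholders; nothing is sent.
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "notices@example.com"  # assumed list/sender address (placeholder)


def build_leaky_notice(recipients, subject, body):
    """The failure mode: every subscriber listed in the visible To: header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)  # readable by every recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_notice(recipients, subject, body):
    """The fix: address the message to the list itself and Bcc the subscribers.

    Bcc is an envelope-only instruction; a conforming sender strips the header
    before transmission, so no subscriber learns who else is on the list.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses that every recipient of this message would be able to read."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def leaks_recipient_list(msg, recipients):
    """True if any subscriber address appears in a header recipients can see.

    Run this as a pre-send gate on anything mailed to more than a handful of
    people; it stops the Lilly-style message before it leaves.
    """
    visible = set(visible_recipients(msg))
    return any(r in visible for r in recipients)


def to_wire(msg):
    """Split a message into (envelope recipients, bytes safe to transmit).

    smtplib.SMTP.send_message() drops Bcc for you, but code that serialises
    the message itself (to a queue, a file, or a third-party mail API) must
    remove the header explicitly, or the list leaks through that path.
    """
    envelope = [addr for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))]
    stripped = message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del stripped["Bcc"]  # deletes every Bcc header line
    return envelope, stripped.as_bytes()


if __name__ == "__main__":
    subscribers = ["a@example.org", "b@example.org", "c@example.org"]  # constructed
    good = build_bulk_notice(subscribers, "Service update", "Hello.")
    bad = build_leaky_notice(subscribers, "Service update", "Hello.")
    print("bcc version leaks:", leaks_recipient_list(good, subscribers))  # False
    print("to: version leaks:", leaks_recipient_list(bad, subscribers))   # True
    envelope, raw = to_wire(good)
    print(len(envelope), "envelope recipients; Bcc on wire:", b"Bcc" in raw)  # 4 ... False
```

The check looks only at headers a recipient can read (To and Cc), which is exactly the surface the FTC complaint turned on; the envelope recipients that drive delivery are kept separately, so the same list reaches everyone without being disclosed to anyone.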

Also in 2002 the FTC settled charges with Microsoft that alleged that it had misled consumers as to the security and privacy of personal information in its Passport online authentication system.[15] While no actual security breaches had been found in the FTC's investigation, the security claims that Microsoft had made were not substantiated—a standard like that for any advertising claims. Similarly, when retailer Guess Inc. failed to block a well-known security hole on its Web site, exposing some 200,000 customer names and credit card numbers to those who knew how to exploit the vulnerability, the FTC brought charges that Guess had violated its privacy policy, which claimed that credit card numbers were “stored in an unreadable, encrypted format at all times.” Guess settled, agreeing to adopt a comprehensive security program, including independent audits.[16] A similar case was settled in 2004 by Tower Records and Petco Animal Supplies, with a similar security program required by the FTC.[17] And in December 2005, DSW, Inc., the shoe retailer, settled charges by the FTC that security failures that gave hackers access to customer credit card and checking account data were an unfair practice in violation of the FTC Act.[18] Perhaps the most notorious security breach involved data broker ChoicePoint Inc. in early 2005, in which criminals gained access to tens of thousands of names and associated personal information. In early 2006, ChoicePoint settled with the FTC, agreeing to pay a $10 million fine and establish a $5 million fund for consumer redress, as well as to implement procedures to ensure that consumer data is released only to those with a permissible purpose under the Fair Credit Reporting Act, and to establish a comprehensive data security program with biennial third-party audits for 20 years. And in May 2006, the FTC settled with a real estate services company that had promised to maintain “physical, electronic and procedural safeguards” to protect consumer data, but then threw consumer loan applications in a dumpster and failed to maintain adequate computer security, thereby allowing a hacker to gain access to the company's computer network where consumer information was stored. The settlement required adoption of a comprehensive security program and biennial independent audits over a 20-year period.[19]

In 2008 the FTC took action against Life is Good, Inc. (“LIG”) in connection with its failure to deliver on promises made in its online privacy statement. Specifically, LIG promised to store consumer data in a “secure file.” In practice, however, LIG failed to encrypt the information and a hacker was able to steal sensitive personal data on thousands of consumers. After an investigation, the FTC filed a complaint[20] against LIG, alleging it engaged in deceptive practices. While LIG settled[21] with the FTC, the action further underscores the Commission's active role in the preservation of online consumer information security.

Similarly, in 2008 the FTC also took action against TJX—the parent company of T.J. Maxx and Marshalls—for its “failure to employ reasonable and appropriate security measures to protect personal information. . . .”[22] TJX's alleged failure to develop sufficient security measures (such as limiting access to its network, using stronger passwords and firewalls, and conducting security investigations) led to a hacker obtaining tens of millions of credit and debit card numbers, resulting in millions of dollars in fraudulent charges. As a consequence, the FTC claimed TJX engaged in unfair acts or practices in violation of § 5(a) of the Federal Trade Commission Act.[23] The action resulted in a settlement, pursuant to which TJX has agreed, among other things, to be subject to 20 years of independent security monitoring. Notably, the TJX action was coordinated with the attorneys general of 39 states.[24] The breach also resulted in private class action suits.[25]

In 2009, the FTC ordered Sears to destroy all of the customer data that it had collected through the unfair use of online tracking software.[26] According to the FTC, Sears failed to adequately disclose the scope of its tracking software's data collection. Although Sears customers were warned that software would track their browsing, the software actually tracked the customers' browsing on third-party Web sites and collected personal information transmitted during secure sessions. Sears settled the case with the FTC and agreed to inform users clearly and prominently, before downloading any software, what data would be collected. The Sears settlement represents “a warning shot to companies that thought their privacy policies protected them” and indicates a significant shift in the FTC's enforcement policies.[27] More recently, in an FTC action that was settled with LifeLock, Inc., the FTC outlined particular preventive security measures that LifeLock failed to take, which the FTC may deem standard protocol going forward.[28]

In 2010, the FTC settled charges with Dave & Buster's stemming from the FTC's accusations that the company left 130,000 consumers' credit and debit card information vulnerable to hackers, resulting in fraudulent charges.[29] Specifically, the company allegedly failed to detect and prevent unauthorized access to its network, monitor and filter outbound data traffic, and use available security measures to limit access to its computer networks. As a condition of the settlement, Dave & Buster's agreed to put into place a comprehensive information security program. Moreover, the company must obtain professional audits every other year for ten years to ensure the security of its systems.

Also in 2010, the FTC intervened in a bankruptcy case where customer data collected online was in the process of being sold in violation of established privacy policies and reached a settlement precluding disclosure.[30] In a separate FTC action, the agency mandated a series of data security procedures for three resellers of consumer reports that failed to safeguard adequately consumers' personal information on their clients' networks, suggesting that companies are not only responsible for security lapses in their own networks, but may also be responsible for lapses on their customers' networks, at least where the companies fail to take appropriate steps to secure the personal information they maintain and sell.[31] Additionally, the micro-blogging service Twitter agreed to implement a new security program and submit to a security audit from a third party as part of a settlement agreement with the FTC over security breaches the company experienced in 2009.[32]

And as of April 2010, the FTC is investigating whether various companies' online marketing programs violated § 5 of the FTC Act. First, an official Netflix contest—which allowed contestants access to 480,000 “anonymous” Netflix users' data—was under investigation because some of the competitors were able to identify certain users based upon their viewing histories and preferences.[33] Then-FTC Commissioner Pamela Jones Harbour indicated that the FTC will be more actively involved in combating companies' privacy-violating online marketing programs in the future. And as of March 2011, Google has agreed to settle with the FTC over its Google Buzz social networking program, which automatically made users' Gmail and chat contacts public and created difficulty and uncertainty among users as to how they could limit the sharing of their personal information and opt to leave the social network.[34] The landmark settlement was the first time the FTC has required a company to implement a comprehensive privacy program to protect the privacy of consumers' information.[35] The FTC complaint also alleged that Google misrepresented its treatment of personal information from the European Union, and that it falsely claimed to adhere to the Safe Harbor principles of the US-EU Safe Harbor privacy framework. The proposed settlement bars Google from future privacy misrepresentations (including as to compliance with the US-EU Safe Harbor privacy framework), requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years.[36] Similarly, in December 2011, Facebook agreed to settle FTC charges of deceptive trade practices stemming from the company's sharing of user information without consent. Under the terms of the settlement, Facebook agreed to make substantial changes to its privacy policies and to undergo related audits for 20 years.[37] In late 2011 the FTC also settled charges with ScanScout after alleging that the company's privacy policy contained false and misleading statements. Specifically, ScanScout's privacy policy stated that users could opt out of receiving cookies, which was accurate with respect to traditional HTTP cookies, but not Flash cookies.[38] The FTC seems to be seeking to promote online consumer privacy through enforcement actions targeting deceptive or misleading privacy policies.

The FTC has required designated personnel to be responsible for information security, identification of security risks, implementation of security safeguards to control those risks and ongoing monitoring of the security program for effectiveness.[39] Similar approaches appear in the information security guidelines adopted as Recommendations by the Organization for Economic Cooperation and Development Council on July 25, 2002,[40] and the FTC's final rule establishing information security standards for customer information under the Gramm-Leach-Bliley Act,[41] discussed below in § I.I.3.b.iii., and the HIPAA security standards, discussed below in § I.I.3.c.

Another FTC Rule, effective in 2005, requires businesses and individuals to destroy all private consumer information (whether in electronic or paper form) obtained from credit bureaus and other information sources for credit, leasing or employment purposes.[42] In 2007, the FTC proposed guidelines urging advertisers to disclose voluntarily the extent to which they monitor online conduct and personalize ads using that data.[43]

In 2010, the FTC proposed the implementation of a “Do Not Track” mechanism so that consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.[44] This “Do Not Track” mechanism is intended to simplify consumer choices about, and make more transparent to consumers, the information practices of Web site operators as to personal information they collect about consumers and their online activity for advertising or other purposes. The report calls for companies to include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. Moreover, the report states that consumers should be presented with choice about the collection and sharing of their data at the time and in the context in which they are making decisions, and not after having to read long, complicated disclosures that they often cannot find.[45]

These developments demonstrate that a company's consumer privacy initiatives cannot begin and end with the issuance of a privacy policy. First, the company must do what it says—the privacy policy is an enforceable promise. Even in the face of a subpoena, a company may not be permitted to disclose customer data, at least without notice and an opportunity to opt out.[46]

Second, businesses must actively review and monitor their offline and online privacy programs and take appropriate measures to preclude unauthorized access to or dissemination of their customers' private information, even inadvertently. The Yale University admissions database, protected in 2002 only by the applicants' social security number, and thus accessible to a wayward Princeton admissions officer,[47] seems plainly inadequate, for example. Another area of concern is outsourced data processing. The experience of one medical transcription firm is illustrative of the risks. Transcription services outsourced by the University of California San Francisco Medical Center, and then subcontracted twice more, found their way to Pakistan, where a transcriber who asserted she had not been paid for her services threatened to post patient records on the Internet if she was not paid.[48]

The law of privacy thus has developed to include a requirement for data security, in the form of an ongoing process of risk assessment, development of a security program to address the risks identified, monitoring and testing to ensure effectiveness, and continual review and adjustment in light of changes in risks identified. The program should be audited regularly, and must include oversight of any third-party service providers who are given access to private information.[49]

Finally, recognizing that security will never be perfect, plans to respond when breaches occur are essential. The FTC itself acknowledges that “breaches can happen. . . .”[50] A Deloitte Touche Tohmatsu survey found in 2006 that 78% of the world's top 100 financial services firms suffered a security breach from outside the organization in the last year,[51] and another survey found that 84% of 642 large North American organizations suffered a security incident in the previous year.[52] A study released in 2009 by the Ponemon Institute found that 85% of the businesses surveyed had been the victim of some form of data breach, which was an increase of 25% from the 2008 study.[53] The Ponemon Institute also conducted a study that concludes that the average organizational cost of a data breach in 2010 increased to $7.2 million and cost companies an average of $214 per compromised record, compared to $204 in 2009.[54] Furthermore, a recent analysis based on information provided by the Privacy Clearinghouse, a nonprofit that tracks publicly disclosed U.S. data breaches, concludes that there was nearly a 200% increase in data breaches in the United States from 2009 to 2010.[55] And another study by the nonprofit Identity Theft Resource Center shows that 51% of publicly reported data breaches disclosed the total number of records compromised, and showed a total of 16.1 million records breached, not including the half of all reported data breaches that failed to reveal the number of compromised records.[56] Plans to deal with a breach need to include notification of affected customers in compliance with state breach notification laws, discussed below, as well as remedial steps to be taken, such as offering free credit monitoring service. The FTC also advises that businesses designate a senior staff member to coordinate and implement a breach response plan.[57]

The Federal Communications Commission (the “FCC”) and the Commerce Department have also addressed privacy and cybersecurity. The FCC recently announced the creation of a “Cybersecurity Roadmap” to identify vulnerabilities to communications networks and to develop countermeasures and solutions in preparation for, and in response to, cyber threats and attacks.[58] Such a Roadmap was recommended in the FCC's National Broadband Plan as an “initial step” toward cybersecurity. Meanwhile, the Commerce Department unveiled its own privacy framework, which proposes creation of a “Privacy Policy Office” within the Department to develop more comprehensive policies for personal data protection, a fine-tuning of current privacy protections, and FTC enforcement of voluntary industry codes of conduct.[59]

C. STATE PRIVACY PROTECTION

Privacy regulation is not limited to the federal level. The states have entered the arena as well, both with new legislation and enforcement actions. In 2002, for example, Minnesota and North Dakota enacted new privacy laws. The Minnesota statute requires internet service providers to inform Minnesota customers if they plan to disclose personal information, including e-mail and physical addresses, telephone numbers and Web sites that the customer visited, what the information would be used for, and how the customer could act to prevent the disclosure, whether on an opt-out or opt-in basis.[60] North Dakota voters overwhelmingly voted in June 2002 to repeal a 2001 law allowing financial institutions to share customer data unless the customer opted out, reinstating an opt-in regime in which advance permission to share information was required.[61] Alaska, California, Connecticut, Illinois and Vermont have also adopted financial privacy legislation,[62] although the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act),[63] enacted in December 2003, revises the federal Fair Credit Reporting Act and contains provisions preempting state consumer protection laws in certain areas, including identity theft.[64] The FTC and the Board of Governors of the Federal Reserve System have adopted joint interim final rules that establish December 31, 2003, as the effective date of the provisions of the FACT Act that preempt state laws,[65] while many of the substantive provisions of the FACT Act may not become effective until as late as December 2004.

The FACT Act is intended to provide a unified approach to dealing with identity theft and consumer protection issues to replace a web of varying state laws. However, the disparity in effective dates between the preemption provisions and the substantive provisions of the FACT Act has led to a potential gap in the protection of consumers in states that already had consumer protection laws similar to those contained in the FACT Act. For example, California gives identity theft victims the right to place a security alert on their credit report to prevent further fraudulent activity.[66] The FACT Act contains a comparable provision[67] and thus arguably preempts the victim's rights under the California law, which would leave California consumers with no right under either state or federal law to place an alert on their credit report until that provision of the FACT Act goes into effect in June 2004.[68]

California was the first state to address the security of customer information in a law that became effective July 1, 2003.[69] All businesses (including individuals) that do business in California must notify California residents of any security breaches to their unencrypted personal information, defined as name and any combination of social security number, driver's license number, account number or debit or credit card number. After the ChoicePoint security breach, a spate of state legislative proposals was introduced.[70] Similar breach notification bills have been passed in most states.[71] Some states have gone further and specifically require that businesses use encryption to protect information.[72] And, under Texas' recently enacted breach notification law, consumer notification obligations apply not only to affected Texas residents, but also to residents of other states that have not enacted their own breach notification laws.[73] The private bar has gotten into the act, with at least one negligence action filed against a health care firm for negligence in failing to safeguard healthcare records.[74] Moreover, the First Circuit has held that, under Maine law, the reasonably foreseeable costs of mitigating potential losses stemming from a data breach (such as credit monitoring and payment card replacement costs) could constitute recoverable damages in support of a negligence and breach of implied contract action against a business suffering a breach.[75]

More recently, Massachusetts enacted regulations that became effective on March 1, 2010, considered by many to be the most comprehensive and far-reaching security laws imposed on businesses by a state. The Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”) were enacted to protect the security and confidentiality of the “personal information” of Massachusetts residents.[76] Not unlike other states' security laws, the Regulations require businesses to implement a comprehensive written security program and encrypt all personal information that is stored on portable devices, transmitted over public networks and transmitted wirelessly.[77] Further, the Regulations require that the businesses implement and maintain administrative, technical and physical safeguards that are tailored to the business' size, the amount of stored data, the amount of resources available to the business, and the need for security and confidentiality of both consumer and employee information.[78] These safeguards include, but are not limited to: designating employees to maintain the security program; identifying and assessing reasonably foreseeable risks to security and confidentiality of records; imposing disciplinary measures for violations; preventing terminated employees from accessing records; implementing restrictions and oversight of third-party service providers; implementing reasonable restrictions on physical access to records; and regularly reviewing the security program and upgrading the safeguards when necessary. These Regulations are significant to businesses outside of Massachusetts because they apply to all businesses “that own, license, store or maintain personal information about a resident,” regardless of where any such business may be located.[79] Therefore, even though a business may not be located or have a presence in Massachusetts, it may still be required to comply with the Regulations if it has employees or contractors that are residents of Massachusetts.

These developments highlight the importance of effective planning to prevent security breaches, and to respond to them in accordance with applicable law if they do occur. The existence of a written security program may also serve to protect against liability even where certain security precautions are absent. A federal district court in Minnesota dismissed a case in which a student loan company was charged with failure to encrypt customer data that was stolen. The court found that the firm's written security policy and the safeguards it had in place to protect customer information indicated that the company had acted with reasonable care despite the lack of encryption.[80]

Another California law, the California Financial Information Privacy Act (S.B. 1), requires opt-in consent from California residents before financial institutions may disclose customer data to unaffiliated third parties, one of several standards stiffer than those of the opt-out regime of the federal Gramm-Leach-Bliley Act, discussed below.[81] The California Online Privacy Protection Act of 2003 (A.B. 68) requires online businesses that collect personally identifiable information from California residents to post a privacy policy and inform customers about what data will be collected and how it will be used, with a private right of action provided for.[82] And under the California Song-Beverly Credit Card Act, businesses may not request and record personal identification information of customers when they make a purchase, other than information set forth on their credit cards.[83]

These California laws may encourage a wave of lawsuits stemming from companies' mishandling of sensitive personal information. Thus, in Ruiz v. Gap,[84] the plaintiff applied online for a position with Gap, for which he supplied his social security number. One year later, Gap announced that two laptops containing unencrypted personal data, including the plaintiff's information, were stolen from a third-party vendor with whom Gap had contracted. The plaintiff filed a class action suit against Gap, asserting violations of the California Civil Code.[85] The court held that the plaintiff had established standing based on the risk of future harm. The court so held notwithstanding the Ninth Circuit's pronouncement that to ‘‘confer standing, the threat of future injury must be credible rather than remote or hypothetical.’’[86]

On the enforcement side, DoubleClick, an online advertising company, settled an investigation by ten state attorneys general by accepting tight privacy restrictions and paying $450,000 to cover the States' investigative costs. DoubleClick had tracked users' Web surfing by means of cookies (small files placed on the user's computer), allowing it to select the ads to display based on the user's preferences. The settlement requires DoubleClick to give users access to the profiles it maintains on them and imposes restrictions on the use of the information it gathered.[87] In 2002, California adopted legislation, effective July 1, 2003, requiring firms that conduct business in California to disclose promptly any breach of security affecting the personal data of a California resident to that resident.[88] The law provides for private actions for damages and for injunctive relief.

Victoria's Secret and Barnesandnoble.com both settled charges brought by the New York Attorney General as a result of security gaps that made customers' personal information available to third parties. Victoria's Secret had promised that its customer data was kept ‘‘in private files on our server’’ protected by ‘‘stringent and effective security measures.’’[89] Barnesandnoble.com paid $60,000 as a result of a design flaw that allowed third parties to access customer accounts and personal data and to make purchases using other customers' accounts.[90] And Datran Media, an e-mail marketer that purchased information on six million consumers from other companies with knowledge of those companies' promises not to lend, sell or give out the information, and then used that information to send unsolicited e-mails, settled with the New York Attorney General in 2006, agreeing to pay $1.1 million and to take steps to ensure privacy compliance in the future, including appointing a Chief Privacy Officer to oversee those efforts.[91]

In Indiana, the attorney general's office sued health insurance giant WellPoint Inc., asserting a $300,000 claim for waiting months to notify customers that their medical records, credit card numbers and other sensitive information may have been exposed online, in violation of a state law that requires businesses to provide notification of data breaches in a timely manner.[92]

And, in an indication that the FTC and state authorities will cooperate in the privacy area, student survey firms simultaneously settled FTC and New York Attorney General charges that they deceptively gathered personal information from millions of students, claiming it would be used for educational purposes, and instead sold the information to commercial marketers.[93]

II. SPECIFIC AREAS OF REGULATION

A. PRIVACY OF CHILDREN'S PERSONAL INFORMATION—COPPA

As a result of the 1998 Privacy Report, the FTC recommended greater incentives for industry self-regulation and proposed legislation regulating the collection and use of information from children. Such legislation was enacted as the Children's Online Privacy Protection Act of 1998 (‘‘COPPA’’),[94] which required the FTC to issue regulations governing operators of Web sites and online services that are directed to children under the age of 13, or that have actual knowledge that they are collecting personal information from children under 13, and provided for enforcement actions by the FTC and state attorneys general.

The FTC regulations[95] require a clear and prominent notice on a Web site's home page and on each page where personal information is collected from children, stating the name and contact information of each operator of the site, the types of personal information collected, how it is used and whether it is disclosed to third parties. The notice must state that a child's participation in an activity may not be conditioned on disclosing more information than is reasonably necessary, and that a parent can review a child's personal information, have such information deleted and refuse to permit further collection or use of the child's data. By 2001, 91% of children's Web sites posted privacy policies, compared with only 24% in 1998.[96]

The regulations adopted a sliding scale for parental consent, initially for two years, but later extended to April 21, 2005. A reliable method of consent is required for activities that pose the greatest risk to children, such as disclosing personal information to third parties or making it publicly available in chat rooms.


Examples of such methods include mailing or faxing a signed printout, use of a credit card[97] or a toll-free number, digital signatures, and e-mail with a PIN or password. For internal uses of information, such as marketing back to the child, e-mail consent is sufficient, so long as additional steps are taken to confirm that the parent is providing consent. The Commission anticipated that the more reliable methods of consent would eventually be required for all uses unless it determined otherwise; in 2006 it decided instead to retain the sliding scale. Parents must be given the option of permitting the collection and use of the child's personal information without consenting to disclosure to third parties. The rule also provides for certain exceptions to the prior consent requirement, and for a ‘‘safe harbor’’ program for industry groups that create self-regulatory programs approved by the Commission.

In May 1999, before issuance of the regulations, the FTC settled charges against Liberty Financial Companies, Inc. alleging that the company solicited information from children and teenagers on the representation that the information would be totally anonymous, when in fact it was maintained in a database in identifiable form.[98] The settlement prohibited Liberty Financial from making misrepresentations about its collection of personal information from children under 18, and from collecting personal information from children under 18 if it knows the child does not have parental consent to provide it. The settlement further requires prominent notice regarding the collection and use of information, a procedure for obtaining verifiable parental consent, and deletion of all information previously collected from children.

In its first enforcement action under COPPA, the FTC imposed fines totaling $100,000.[99] The FTC has continued to be active in its protection of children's privacy, filing four civil penalty actions in 2001 to enforce COPPA and pursuing active investigations on additional matters.[100]

The FTC settled a case against a company which was using its Web site to target young girls and which, after having been warned, continued to collect information from underage girls in violation of COPPA. The company paid $30,000 as a civil penalty and is barred permanently from committing future violations of COPPA.[101]

In April 2002, the FTC settled charges against the Ohio Art Co., the maker of Etch-A-Sketch, alleging that it collected names, addresses, e-mail addresses and birth dates from children registering for ‘‘Etchy's Birthday Club.’’ Ohio Art instructed the children to ‘‘get your parents or guardian's consent first,’’ but did nothing to verify parental consent. The FTC also charged that Ohio Art collected more information than was necessary for participation in the ‘‘club’’ and that its privacy policy did not comply with COPPA's requirements. The settlement required a $35,000 civil penalty and the deletion of all personal information improperly collected over the past two years.[102]

In 2003, Mrs. Fields Cookies and Hershey Foods Corporation paid civil penalties of $100,000 and $85,000 respectively, to settle charges of collecting personal information from children without the necessary advance parental consent and failing to post adequate privacy policies, to provide direct notice to parents of the information collected and its intended use, and to provide parents a reasonable way to review information collected from their children and prevent its further use. In particular, the Hershey site instructed children to have their parents fill out an online consent form, but took no steps to ensure that a parent actually completed the form, and collected information from children even if a parent or guardian did not submit information on the consent form.[103] Similar actions against UMG Recordings, Inc. and Bonzi Software, Inc. led to fines of $400,000 and $75,000 respectively, for failure to obtain verifiable parental consent before collecting personal information from children under 13. The FTC found that the collection of birth dates in the sites' online registration process established actual knowledge of the collection of data from children under 13.[104]

In April 2003, the Electronic Privacy Information Center and other privacy and consumer advocacy groups requested that the FTC investigate alleged violations of COPPA by Amazon.com in its ‘‘Toy Store,’’ operated with Toys R Us. The groups charged that while Amazon's privacy policy restricts use of its Web site to those over 18 unless a parent or guardian is involved, its Toy Store pages are aimed at children, using ‘‘colorful and childlike fonts,’’ child models and ‘‘child-oriented cartoon characters.’’[105] The complaint asserted that Amazon's site reflects numerous registered users under 13 who provided names and e-mail addresses, and some who posted names, ages, gender and street addresses, without complying with COPPA. Amazon succeeded in persuading the FTC that its site was not aimed at children and thus was not subject to COPPA, with the FTC finding that the vocabulary and language on the site appeared to be directed to adults.[106]

In 2009, the FTC settled charges against Iconix Brand Group, Inc. (‘‘Iconix’’), an online apparel marketer. According to the FTC, Iconix violated COPPA by knowingly collecting children's personal information without first obtaining parental permission. As part of the settlement, Iconix agreed to a civil penalty of $250,000 and to provide a link to the FTC's COPPA Web page on its Web sites.[107]

The FTC in 2011 settled charges against skidekids.com (the ‘‘Facebook and Myspace for Kids’’) stemming from its operator's collection of personal information from approximately 5,600 children without parental consent in violation of COPPA.[108] Specifically, the FTC alleged that Skid-e-kids allowed children to register their birth date, gender, username, password and e-mail address without requesting a parent's e-mail address, in violation of COPPA's requirement that Web site operators notify parents and obtain their consent before collecting, using or disclosing personal information from children under 13 years old.[109]

The FTC has also entered into its first settlement involving alleged violations of COPPA by a provider of iPhone and other mobile applications. According to the FTC's complaint, W3 Innovations, LLC violated COPPA by unlawfully collecting and disclosing personal information of tens of thousands of children younger than 13 without obtaining parental consent.[110] Accordingly, mobile application providers must also be cognizant of their obligations under COPPA.

In addition to its formal actions, the FTC has issued dozens of warning letters to the operators of children's Web sites for noncompliance with COPPA.[111] It has also established a safe harbor program under COPPA, under which industry groups and others can request FTC approval of self-regulatory guidelines to govern participants, so that participating Web sites would first be subject to discipline by the safe harbor program rather than to FTC enforcement.[112]

In September 2011, the FTC announced proposed revisions to COPPA's implementing regulations. The proposed rules would, among other things, expand the definition of ‘‘personal information’’ to include geolocation information, photos, videos, IP addresses and other persistent identifiers found on computers or mobile devices.[113] The new regulations would also create new data retention and deletion obligations, requiring data collectors to retain information only for as long as reasonably necessary to fulfill the purpose for which it was collected.[114] The FTC adopted final amendments on December 19, 2012, which take effect on July 1, 2013.

Additionally, in February 2012 the FTC released a staff report criticizing mobile application stores and developers for failing to provide the information parents need to determine what data is being collected from their children, how it is being shared, and who will have access to it.[115] According to the FTC report, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing, there are currently approximately 500,000 apps in the Apple App Store and 380,000 apps in the Android Market, compared to a total of about 600 available apps in 2008, and young children and teens are increasingly embracing smartphone technologies. Accordingly, the report recommends:

• All members of the ‘‘kid app ecosystem’’ (the stores, developers and third parties providing services) should play an active role in providing key information to parents.

• App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media, and whether it contains ads. Third parties that collect data also should disclose their privacy practices.

• App stores also should take responsibility for ensuring that parents have basic information concerning data collection and sharing practices.

Finally, the report notes that industry participants should take steps to convey their data collection practices in plain language and in an easily accessible way on the small screens of mobile devices.

B. FINANCIAL SERVICES—THE GRAMM-LEACH-BLILEY ACT

1. PRIVACY REGULATION

The 1999 Gramm-Leach-Bliley Act, which deregulated the financial services industry, imposed privacy regulations on any company that engages in financial activities under the Bank Holding Company Act of 1956. These activities cover a broad range of companies, potentially including all companies that extend credit to consumers. Title Five of the Act contains the Act's privacy provisions, which protect nonpublic personal information of natural persons (whether gathered offline or online), require disclosure of privacy policies in specified areas and restrict the disclosure or sharing of such information with third parties.

The Act requires ‘‘financial institutions’’ to establish privacy policies and to disclose those policies when they first begin a relationship with a customer and yearly thereafter. It also requires these institutions to give customers the right to block the sharing of their nonpublic personal information with unaffiliated third parties. In effect, the Act uses an ‘‘opt-out’’ regime for certain nonpublic information.

These financial institutions are unconditionally barred from sharing credit card or other account numbers or access codes of customers with third parties for the purpose of direct mailings, telemarketing or Internet marketing. ‘‘Financial institutions’’ are defined with respect to the guidelines in § 4(k) of the Bank Holding Company Act. Activities covered by the Act include lending, insurance underwriting and sales, and securities underwriting and sales. Companies engaging in these activities, not only banks, are subject to the privacy provisions of the Gramm-Leach-Bliley Act. Indeed, the FTC sought to enforce the Act against lawyers who provide services in areas such as real estate settlements, tax planning and tax preparation, although this position was rejected by the courts.[116]

The provisions of the Act were phased in over time. The Act gave most affected businesses six months to issue and disclose their privacy policies.

In addition, the Gramm-Leach-Bliley Act designated specific federal regulatory agencies to oversee the implementation of Title Five in particular sectors of the financial industry. The Federal Trade Commission has jurisdiction over financial institutions that are not otherwise regulated by another federal regulatory body.[117] The FTC's final Rule on the implementation of the Gramm-Leach-Bliley Act imposed the requirements generally called for by the Act:

• A ‘‘financial institution’’ must provide to its customers a clear and conspicuous notice about its privacy policies and practices. The notice must describe when and where the ‘‘financial institution’’ may disclose nonpublic information to unaffiliated third parties.

• A ‘‘financial institution’’ must also provide to its customers a clear and conspicuous annual notice of its privacy policies.

• Finally, a ‘‘financial institution’’ must provide its customers with a reasonable opportunity to ‘‘opt out’’ of disclosures of their nonpublic information to unaffiliated third parties. This opt-out must be available at all times.

In December 2005, the major federal bank regulators issued a Small Entity Compliance Guide for their Interagency Guidelines Establishing Information Security Standards.[118] (The Compliance Guide applies to all financial institutions subject to the Guidelines, not merely ‘‘small entities,’’ and may be followed by the FTC in its enforcement actions against even non-financial businesses under the FTC Act, and so is worthy of review by all companies.)

2. FTC ENFORCEMENT

In June 2000, the FTC entered into a settlement with two information brokers who violated § 5 of the FTC Act by ‘‘pretexting,’’ that is, lying about their identity to obtain private financial information about individual consumers from financial institutions. The proposed settlement barred the brokers from engaging in future deceptive practices and also prohibited them from ‘‘pretexting,’’ ‘‘except where permitted by the Gramm-Leach-Bliley Act.’’ In addition, the brokers were required to post a privacy policy on their Web site disclosing the information they collect. This is one of the first reported cases to implement the Act in a forward-looking settlement. Over the following year the FTC examined hundreds of Web sites and advertisements of companies offering financial services, issued over 200 warning letters and commenced several federal court actions for pretexting.

3. THE SAFEGUARDS RULE

As part of its implementation of the Gramm-Leach-Bliley Act, in May 2002 the FTC issued final rules implementing § 501(b) of the Act (the ‘‘Safeguards Rule’’).[119] The purpose of the Safeguards Rule is to establish standards relating to administrative, technical and physical information safeguards as required by § 501(b). Such standards are intended to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

Pursuant to the Safeguards Rule, a financial institution must adopt a written information security program (‘‘ISP’’).[120] The ISP must cover the following five elements:

• Designate an employee or employees to coordinate the ISP;

• Conduct a risk assessment to identify internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration or destruction of such information. The FTC considers three areas to be the ‘‘most relevant’’ when conducting the risk assessment: (i) employee training and management; (ii) information systems design, processing, storage, transmission and retrieval; and (iii) preventing, detecting and responding to attacks, intrusions or other system failures;

• Design and implement safeguards to control the risks identified in the assessment, and regularly test or otherwise monitor the effectiveness of those safeguards;

• Require third-party service providers that a financial institution has retained, by contract, to implement and maintain information safeguards; and

• Evaluate and adjust the ISP in light of changes to the financial institution's business operations or the results of its monitoring and security tests.[121]

The fourth element requires a financial institution to ensure that its third-party service providers comply with the Safeguards Rule if they receive customers' nonpublic personal information.[122] Pursuant to the Safeguards Rule, a financial institution must require its service providers, by contract, to implement and maintain appropriate information safeguards. As such, a financial institution will have to review a service provider's (for example, a third-party administrator's) information security operations and then negotiate and enter into a contract that obligates the provider to adopt safeguards meeting the requirements of the Safeguards Rule. How service providers react to this regulatory burden remains to be seen.

Financial institutions were required to implement their ISPs by May 23, 2003,[123] giving them roughly a year from issuance of the Rule to evaluate their operations and develop an ISP. Furthermore, there was a transition rule for contracts entered into by June 23, 2002, between financial institutions and third-party service providers.[124] This transition rule gave financial institutions two years to require their service providers, by contract, to implement an ISP.[125] Accordingly, financial institutions had until May 23, 2004, to bring service contracts with administrators into compliance with the Safeguards Rule. To assist financial institutions in complying with the Safeguards Rule, the FTC has issued guidance on how to implement and monitor an ISP and on how to oversee a third-party service provider.[126] The FTC has also brought charges under the Safeguards Rule for failure to maintain reasonable protection for customers' sensitive information.[127]

Several financial regulatory agencies have proposed regulations (since finalized as interagency guidance in 2005) to govern financial institution responses to breaches of customer information security.[128] Financial institutions are required to develop response programs to address reasonably foreseeable risks to the security of their customer information, including procedures for notifying customers and regulatory and law enforcement agencies of unauthorized access to customer information that could result in substantial harm or inconvenience, for containing and controlling the incident, and for mitigating the harm to individual customers, including certain specified steps.

Finally, the FTC implemented new Identity Theft Red Flag regulations under the FACT Act, effective as of December 31, 2010.[129] The Identity Theft Red Flag regulations require financial institutions and creditors that hold consumer accounts to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft and must enable a financial institution or creditor to (i) identify relevant patterns, practices and specific forms of activity that are ‘‘red flags’’ signaling possible identity theft and incorporate those red flags into the Program; (ii) detect red flags that have been incorporated into the Program; (iii) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and (iv) ensure the Program is updated periodically to reflect changes in risks from identity theft.[130]

4. THE SEC'S PROPOSED AMENDMENTS

In 2008, due to the increase in reported security breaches, the SEC proposed amendments to its privacy regulations[131] under the Gramm-Leach-Bliley Act. The amendments would require covered entities to develop and implement privacy and record-keeping policies relating to customer data. The proposed rule would also require such businesses to develop a preparedness plan for responding to breaches, which may include a duty to notify the Commission and affected individuals immediately. The proposed regulations indicate the SEC's desire to parallel similar protections mandated by the FTC.[132]

C. MEDICAL RECORDS—HIPAA

Privacy of individually identifiable health information is regulated by the Health Insurance Portability and Accountability Act of 1996 (‘‘HIPAA’’)[133] and the regulations promulgated under it. HIPAA regulates ‘‘covered entities,’’ which include health care providers, health plans and ‘‘health care clearinghouses’’[134] that maintain or transmit health information using electronic media.

Under the original HIPAA privacy regulations, adopted at the end of the Clinton administration, use of an individual's health information required the individual's consent, regardless of the use. Consent was required before medical data could be used for treatment, payment, marketing or a variety of other activities.[135]

Under revised regulations issued in August 2002,[136] the requirement of consent for treatment and reimbursement was eliminated, replaced by mere notice by the covered entity of its disclosure policies. The Bush administration argued that the consent requirement could delay treatment. Although consent is still nominally required for marketing activities, the new regulations distinguish recommending treatment from marketing, a loophole exploited by pharmaceutical companies that pay pharmacies to send mailings advocating the use of alternative proprietary drugs to patients whose pharmacy records indicate use of competing products, without the knowledge or consent of the patients.[137]

In addition, the HIPAA security standards, effective April 21, 2005, require health care organizations to ensure the confidentiality, integrity and availability of electronic health information and to protect it against unauthorized disclosure or use.[138] Notwithstanding their delayed effective date, these security regulations were expected to become the de facto standard for compliance with the HIPAA privacy regulations.[139] The regulations require administrative, physical and technical safeguards and the kind of ongoing risk assessment, policy development and implementation, and periodic revision required by the GLB Safeguards Rule and the FTC security requirements described above.[140] In addition, the security rules impose a duty to document any ‘‘security incident,’’ such as an impermissible disclosure, to sanction employees who violate HIPAA policies, and to mitigate the adverse effects of the incident, which may include notice to affected individuals.[141]

Under President Obama's 2009 stimulus package, the American Recovery and Reinvestment Act (‘‘ARRA’’), and its Health Information Technology for Economic and Clinical Health Act (‘‘HITECH’’), any entity covered by HIPAA that suffers a breach of unsecured health information is required to notify all affected individuals no later than 60 days after discovery of the breach.[142] If the breach involves 500 or more individuals, the entity is required to immediately notify the Secretary of the Department of Health and Human Services (‘‘HHS’’). Where the breach affects fewer than 500 individuals, it must be logged and the log submitted to the Secretary annually. Furthermore, the government's enforcement powers have been expanded to include compliance audits and more robust pursuit of privacy and security complaints and investigations.[143] Penalties for noncompliance can reach $50,000 per violation, with a $1.5 million annual cap for violations of an identical provision.[144] For entities not covered by HIPAA, such as vendors of personal health records, ARRA provides that any entity that suffers a breach of any size must notify the FTC, which will then notify the HHS Secretary.[145]

Employee health plans are generally subject to the privacy restrictions, although there are exceptions for fully insured plans and self-administered plans with fewer than 50 participants. Where an employer is not a covered entity, but its health plan is, it is important to create appropriate firewalls to keep the health plan's information from the employer.

Recent developments show that HIPAA and its accompanying regulations are not toothless tigers. HHS has conducted several data security operations, seeking to enforce the HIPAA standards discussed above. In 2007, HHS conducted a “security audit” at Piedmont Hospital in Atlanta.[146] And on July 15, 2008, HHS entered into a settlement with Providence Health & Services resulting from Providence's “potential violations” of HIPAA's requirements to safeguard electronic patient data. The settlement—which requires the payment of $100,000 and the adoption of a corrective action plan—resulted from the loss of laptops and discs containing unencrypted medical records of more than 386,000 patients.[147] More recently, CVS Caremark settled FTC charges based on its failure to implement reasonable and appropriate procedures for securing customer and employee information, and also agreed to pay $2.25 million for HIPAA violations.[148] In February 2011, HHS also fined Cignet Health of Maryland $4.35 million for HIPAA violations, most of which was attributable to the company's failure to cooperate with HHS' investigation.[149]

These HIPAA enforcement developments underscore the growing importance of maintaining proper safeguards to protect electronic patient data.

ENDNOTES:

1. This evolution in consumer privacy is further evidenced by the fact that insurers offer CyberSecurity policies for the purpose of covering losses arising from data security breaches. See, e.g., http://www.chubb.com/businesses/cs/chubb822.html.

2. See www.ftc.gov/reports/privacy3/priv-23a.pdf.

3. 1998 Privacy Report, at Executive Summary (emphasis in original).

4. See www.ftc.gov/reports/privacy2000/privacy2000.pdf; www.ftc.gov/reports/privacy2000/pitofskystmtonlineprivacy.html.

5. FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising, February 2009, available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.

6. Id.

7. Consumer Data Privacy in a Networked World: a Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, the White House (February 2012), available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

8. For instance, several prominent Internet companies, including Google, Microsoft, and Yahoo, have entered into an agreement to voluntarily create a “Do Not Track” button to opt out of behavioral tracking and block cookies. The agreement will be enforced by the FTC. Sasso, Google, Microsoft, Yahoo aim to defuse privacy issue with ‘Do Not Track’ button, The Hill (February 23, 2012), available at http://thehill.com/blogs/hillicon-valley/technology/212257-google-microsoft-yahoo-aim-to-defuse-privacy-issue-with-commitments.


9. Protecting Consumers' Privacy: 2002 and Beyond: Remarks of FTC Chairman Timothy J. Muris, at The Privacy 2001 Conference, October 4, 2001, available at http://www.ftc.gov/speeches/muris/privisp1002.htm.

10. One example of such a case is noteworthy because of its bankruptcy context. The FTC sued to enjoin the bankrupt Toysmart from selling, in bankruptcy, its customers' personal information in violation of its privacy policy promise never to share that information. FTC v. Toysmart.com, Civ. No. 00-1134-RGS (D. Mass., filed July 10, 2000). A settlement would have permitted transfer of the customer data to a purchaser who bought the entire business; otherwise, the data was to be destroyed. The bankruptcy court did not approve the settlement, finding it unduly restrictive, but left the door open for objections by the FTC once a potential buyer was on the scene.

11. See World Data Protection Report (BNA) (January 2002) at 17.

12. National Research Center for College and University Admissions, FTC No. 022 3005 (October 2, 2002) reported in 83 Antitrust & Trade Reg. Rep. (BNA) 316 (October 4, 2002).

13. Gateway Learning Corp., FTC File No. 042-3047, Trade Cas. (CCH) 15,617 (2004).

14. In re Eli Lilly and Co., FTC No. 0123214 (January 18, 2002) reported in World Data Protection Rep. (BNA) at 12.

15. 83 Antitrust & Trade Reg. Rep (BNA) 137, 193 (2002). The European Commission had undertaken a similar investigation. “Microsoft Faces European Commission Inquiry on Privacy Concerns,” N.Y. Times (May 28, 2002) at p. C4.

16. Guess?, Inc. and Guess.com, FTC Docket No. C-11091 (July 30, 2003); see B. Tedeschi, “F.T.C. Increases Focus on Privacy,” N.Y. Times (June 30, 2003), http://www.nytimes.com/2003/06/30/technology/30ECOM.html.

17. “Pet Shop's Data Security Breached Own Privacy Policy,” (November 19, 2004), http://www.out-law.com; MTS, Inc. d/b/a Tower Records, FTC Docket No. C-4110 (June 2, 2004).

18. FTC File No. 052-3096 (December 1, 2005), complaint, agreement, press release and related documents available at http://www.ftc.gov/os/caselist/0523096/0523096.htm.

19. Press Release, “Real Estate Services Company Settles Privacy and Security Charge,” Federal Trade Commission (May 10, 2006), available at http://www.ftc.gov/opa/2006/05/nationstitle.htm; Matter of Nations Title Agency, Inc., Nations Holding Company and Christopher M. Likens, File No. 052 3117.

20. In Re Life is Good, Inc., FTC Docket No. C-4218 (April 2008); complaint available at http://www.ftc.gov/os/caselist/0723046/080418complaint.pdf.

21. Consent Order available at http://www.ftc.gov/os/caselist/0723046/080117agreement.pdf. The settlement includes 20 years of FTC monitoring and oversight.

22. See Complaint, In Re The TJX Companies, Inc., FTC Docket No. C-4227 (July 2008); agreement, press release and related documents available at http://www.ftc.gov/os/caselist/0723055/index.shtm.

23. 15 U.S.C.A. § 45(a).

24. See http://www.ftc.gov/os/caselist/0723055/index.shtm.

25. See Steptoe and Johnson, E-Commerce Law Week (Feb. 10, 2007, May 12, 2007, October 6, 2007 and December 8, 2007), available at http://www.steptoe.com; “Mass. AG leads multi-state probe into TJX breach,” ComputerWorld (Feb. 8, 2007), http://www.computerworld.com/action/article.do?command=viewArticleBasic=9010884=NLT_PM=8.

26. In re Sears Holdings Management Corporation, FTC Docket No. 082-3099 (June 2009); complaint, agreement, press release and related documents available at http://www.ftc.gov/os/caselist/0823099/index.shtm.

27. Fresh Views at Agency Overseeing Online Ads, N.Y. Times (August 4, 2009), available at http://www.nytimes.com/2009/08/05/business/media/05ftc.html. For an additional discussion of the potential changes in the FTC's enforcement policies under Mr. Vladeck, see An Interview With David Vladeck of the F.T.C., N.Y. Times (August 5, 2009), available at http://mediadecoder.blogs.nytimes.com/2009/08/05/an-interview-with-david-vladeck-of-the-ftc.

28. See E-Commerce Law Week (March 20, 2010), available at www.steptoe.com/E-CommerceLawWeek. According to the FTC, LifeLock engaged in a number of practices that failed to provide appropriate security. Among them, the FTC said that LifeLock: “[c]reated an unnecessary risk to personal information by storing it on the network and transmitting it over the network and the internet in clear readable text; [f]ailed to require employees, vendors, and others with access to personal information to use hard-to-guess passwords or to implement related security measures, such as periodically changing passwords or suspending users after a certain number of unsuccessful log-in attempts; [f]ailed to limit access to personal information stored on or in transit through its networks only to employees and vendors needing access to the information to perform their jobs; [f]ailed to use readily available security measures to routinely prevent unauthorized access to personal information, such as by installing patches and critical updates on its network; [d]id not adequately assess the vulnerability of the network and Web applications to commonly known and reasonably foreseeable attacks, such as SQL injection attacks; [f]ailed to employ sufficient measures to detect and prevent unauthorized access to the corporate network or to conduct security investigations, such as by installing antivirus or anti-spyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network; [d]id not implement simple, low-cost, and readily available defenses to commonly known and reasonably foreseeable attacks; and [f]ailed, from at least December 2006 until February 2007, to secure paper documents containing personal information that were received by facsimile in an open and easily accessible area.” See LifeLock, Inc., FTC File No. 072 3069 (2010); complaint available at http://www.ftc.gov/os/caselist/0723069/index.shtm.

29. In the Matter of Dave & Busters, Inc., FTC File No. 082 3153 (2010). The FTC's press release concerning the settlement is available at http://www.ftc.gov/opa/2010/03/davebusters.shtm.

30. On August 3, 2010, in response to the FTC's concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties' settlement agreement, which stipulated that bankrupt XY magazine's personal data of 500,000 to 1,000,000 subscribers would be destroyed and not be subject to acquisition by the purchaser. Kurana, “When You Wrote Your Privacy Policy, Were you Thinking About ‘The End’?” reported in Lexology (August 25, 2010) available at http://www.lexology.com/library/detail.aspx?g=d5409488-5030-4c00-97c7-55e78faea847.

31. The three companies were SettlementOne Credit Corp, ACRAnet Inc., and Statewide Credit Services. In the Matter of ACRAnet, Inc., File No. 0923088, documents available at http://www.ftc.gov/os/caselist/0923088/index/shtml. See also “FTC Holds Consumer Report Resellers Responsible for ‘Downstream’ Data Protection Failures” reported in Steptoe & Johnson LLP E-Commerce Law Week (Issue 643, Week Ending February 12, 2011), available at http://www.steptoe.com/publications-7399.html.

32. http://www.wired.com/threatlevel/2010/06/twitter-settles-with-ftc/; see also Kim and Serwin, “FTC Reaches a Settlement With Twitter Regarding Privacy Breaches,” reported in Lexology (March 15, 2011), available at http://www.lexology.com/library/detail.aspx?g=1d403f94-38ec-4e71-a370-038283be5106. As an aside, in May 2010 a fake account which posted tweets under the name of “BPGlobalPR” was created in Twitter. BP knows about the account and is not happy about it, but a few of the tweets are available at http://bit.ly/btrTql.

33. Id. Netflix has announced a settlement of the FTC's investigation and a class action lawsuit stemming from the allegedly improper disclosures.

34. “FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network” available at http://www.ftc.gov/opa/2011/03/google/shtm.

35. Id.

36. Id.

37. “Facebook Settles FTC Charges Over Unfair and Deceptive Privacy Practices,” Steptoe & Johnson LLP E-Commerce Law Week (Issue 686, December 10, 2011), available at http://www.steptoe.com/publications-7924.html.

38. Bhargava and Heidelberger, “Online Advertiser settles with FTC for Use of Flash Cookies without Adequate Disclosure,” Winston & Strawn LLP (Nov. 9, 2011), reported in Lexology, available at http://www.lexology.com/library/detail.aspx?g=a23af29d-a860-4a77-9557-58238f0695d0.

39. 83 Antitrust & Trade Reg. Rep (BNA) 137 at 194.

40. See www.oecd.org/document/42/0,2340,en_2649_201185_15582250_1_1_1_1,00.html.

41. See www.ftc.gov/opa/2002/05/safeguardrule.htm.

42. 16 C.F.R. Part 682 (2005).

43. “Online Behavioral Advertising—Moving the Discussion Forward to Possible Self-Regulatory Principles,” Statement of the Bureau of Consumer Protection (Dec. 20, 2007), available at http://www.ftc.gov/os/2007/12/P859900stmt.pdf.

44. “FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers” available at http://www.ftc.gov/opa/2010/12/privacy.shtm.

45. In testimony before the Senate Committee on Commerce, Science and Transportation, the FTC told Congress that, in response to the “Do Not Track” report, two of the major Internet browsers (Microsoft and Mozilla) have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use. “FTC Testifies Before Senate Commerce Committee on Privacy; Industry Efforts to Implement ‘Do Not Track’ System Already Underway” http://www.bespacific.com.

46. See Union Planters Bank, N.A. v. Gavel, 2003 WL 1193671 (E.D. La. 2003), vacated and remanded, 369 F.3d 457 (5th Cir. 2004).

47. See J. Schwartz, “Surveillance 101-Privacy vs. Security on Campus,” N.Y. Times, Week in Review (August 4, 2002).

48. D. Lazarus, “A Tough Lesson on Medical Privacy: Pakistani Transcriber Threatens UCSF Over Back Pay,” San Francisco Chronicle (October 22, 2003), http://sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/10/22/MNGCO2FN8G1.DTL.

49. See T.J. Smedinghoff, “Trends in the Law of Information Security,” World Internet L. Rep. (BNA) (August 2004) at 13.

50. Protecting Personal Information—A Guide for Business, FTC, available at www.ftc.gov/infosecurity/.

51. D. Kaplan, “Three of four financial institutions suffered external breach in past year,” SC Magazine (June 14, 2006), http://www.scmagazineus.com/three-of-four-financial-institutions-suffered-external-breach-in-past-year/article/33528/.

52. “New Study Finds That More Than 84% of North American Enterprises Suffered a Security Breach in Past Year,” CA Press (July 5, 2006), http://www3.ca.com/press/PressRelease.aspx?CID=90751=en-us. See also, Data Breaches Have Surpassed Level for All of ‘07, Report Finds, Washington Post (Aug. 26, 2008), available at http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html. According to the Washington Post report, 449 U.S. businesses, government departments and educational institutions have reported the loss or theft of consumer data thus far in 2008, compared with 446 breaches for all of 2007.

53. 85 Percent of U.S. Businesses Breached, InternetNews.com (July 13, 2009), available at http://www.internetnews.com/security/article.php/3829391/Report+73+Percent+of+US+Businesses+Breached.htm. More specifically, a recent data breach of Heartland Payment Systems, Inc., a payment processor in New Jersey, has affected hundreds of financial institutions in 40 states, as well as in Canada, Bermuda and Guam. See “More Than 150 Banks Affected By Heartland Data Breach Thus Far,” ComputerWorld (February 11, 2009), available at http://www.computerworld.com/s/article/9127822/Web_site_More_than_150_banks_affected_by_Heartland_data_breach_thus_far. Similarly, Royal Dutch Shell recently suffered a massive data breach when its contact database for 176,000 employees was copied and forwarded to entities and individuals opposed to the company's activities in Nigeria. See “Shell Hit By Massive Data Breach,” The Register (February 15, 2010), available at http://www.theregister.co.uk/2010/02/15/shell_data_loss.

54. “Report: 2010 U.S. cost of a Data Breach” available at http://www.bespacific.com/mt/archives/026771.html#026771.

55. Vernick, “Data Breach Report Card 2010: Data Breaches up 194%, Compromised Records Down 95%,” reported in Lexology (December 16, 2010), available at http://www.lexology.com/library/detail.aspx?g=811c7c85-16af-43ee-b3ff-026e7807babb.

56. http://www.infosecurity-use.com/view/14910/us-racked-up-662-reported-data-breaches-in-2010/?elq_mid=12287

57. Protecting Personal Information—A Guide for Business, supra.

58. FCC Seeks Comment on Creating a “Cybersecurity Roadmap” reported in Steptoe & Johnson LLP (Issue 619, Week Ending August 14, 2010), available at http://www.steptoe.com/publications-7119.html.

59. “Commerce Department Releases Report on Personal Data Security” reported in Steptoe & Johnson LLP (Issue 636, Week Ending December 25, 2010), available at http://www.steptoe.com/publications-7321.html.

60. Minn. Laws 2002, ch. 395; for text see http://www.spamlaws.com/state/mn.shtml.

61. N.D. Century Code § 6-08.1-01. See “North Dakota Tightens Laws on Bank Data and Privacy,” N.Y. Times, June 13, 2002 at A286.

62. E.g., Vt. Dep't of Banking, Insurance, Securities & Health Care Admin., Banking Div'n Regulation B-2001-01 (Privacy of Consumer Financial and Health Information Regulation). For text see http://www.bishca.state.vt.us/reg-bul-ord/privacy-consumer-financial-and-health-information-regulation. See J. 8. Lee, “California Law Provides More Financial Privacy,” N.Y. Times (August 29, 2003), http://www.nytimes.com/2003/09/28PRIV.html. See generally J. Plummer, “Mandating Opt-In May Cause Consumers to be Left Out,” http://www.nccprivacy.org/online/CR0205.htm.

63. Pub. L. 108-159.

64. The FACT Act's rules regarding identity theft are commonly referred to as the “Red Flag Rules.” In October 2008, the FTC announced that it would suspend enforcement of the Red Flag Rules to give creditors and financial institutions additional time to initiate identity theft prevention programs. On October 30, 2009, the FTC further announced that it was delaying the enforcement of the Red Flag Rules until June 1, 2010. See FTC Extends Enforcement Deadline for Identity Theft Red Flag Rules, FTC Press Release (October 30, 2009), available at http://www.ftc.gov/opa/2009/10/redflags.shtm.

65. 16 C.F.R. § 602.1.

66. Cal. Civil Code § 1785.15.

67. FACT Act of 2003, Pub. L. 108-159, § 112.

68. See “Attorney General Lockyer Urges Delay in Preempting State Laws Protecting Victims of ID Theft,” Press Release of CA Office of Atty. Gen., December 30, 2003 (as president of the National Association of Attorneys General, Bill Lockyer warned that the immediate start of the FACT Act would leave consumers unprotected).

69. California Civil Code § 1798.82.

70. See T. Zeller, Jr., “Breach Points Up Flaws in Privacy Laws,” N.Y. Times, February 24, 2005, http://www.nytimes.com/2005/02/24/business/24datas.html; Reuters, “Lawmakers Promise Action on Identity Theft,” http://msl1.mit.edu/furdlog/docs/2005-02-24_reuters_lawmakers_id.pdf.

71. Such laws have been enacted in Arizona, Arkansas, Alaska, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin, Wyoming and Washington D.C. See E-Commerce Law Week (April 23, 2005, May 5, 2005, June 11, 2005, June 23, 2005, July 2, 2005, December 31, 2005, April 1, 2006, May 6, 2006, June 15, 2006, January 6, 2007, June 2, 2007, July 7, 2007, February 2, 2008, May 17, 2008, and August 1, 2009), available at www.steptoe.com. As of April 2011, the only states without any breach notification requirement were Alabama, Kentucky, New Mexico and South Dakota. See E-Commerce Law Week (October 8, 2009), available at http://www.steptoe.com; http://www.ncsl.org/default.aspx?tabid=13489. While several federal bills have been introduced, the only federal breach notification legislation governs the Veterans Administration. E-Commerce Law Week (January 7, 2007). The EU has proposed a directive requiring breach notifications. Proposal for a Directive of the European Parliament and the Council, COM (2007) 698, available at http://ec.europa.eu/information_society/policy/ecomm/doc/library/proposals/dir_citizens_rights_en.pdf. Although the EU has only proposed data breach notification requirements, Germany recently amended the German Federal Data Protection Law to require breach notification. See E-Commerce Law Week (October 15, 2009), available at www.steptoe.com. Other countries, such as Canada and New Zealand, have issued voluntary breach notification guidelines. World Data Prot. Rep. (BNA) (September, 2007).

72. See, e.g., E-Commerce Law Week (February 2, 2008) (discussing bills passed and pending in Nevada, Massachusetts, Washington and Michigan), available at http://www.steptoe/publications-5118.html.

73. Mathews, “Breach Notification Obligations in All 50 States?”, Proskauer Rose LLP (August 16, 2011), reported in Lexology, available at http://www.lexology.com/library/detail.aspx?g=45e70f08-d093-435d-b120-908fc952e75c.

74. See E-Commerce Law Week (February 12, 2006), available at http://www.steptoe.com/publications-1305.html (reporting on class action complaint by former patient against Providence Health System in Oregon Circuit Court, Multnomah County).

75. Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), reported in “Data Breach Mitigation Costs Can Constitute Cognizable Damages,” Steptoe & Johnson LLP (Issue 682, Week Ending November 12, 2011), available at http://www.steptoe.com/publications-pdf.html/pdf/?item_id=7887.

76. 201 CMR 17.00, et seq. Under the Regulations, personal information is defined as a resident's first name or initial and last name in combination with the resident's (a) social security number, (b) driver's license or state-issued identification card number, or (c) financial account number, or credit or debit card number, with or without any required security or access code or password.

77. Id.

78. Id.

79. Id.

80. D. McCullagh, “Judge: Firm not negligent in failure to encrypt,” C|net news.com (February 14, 2006), http://news.com.com/2100-1030_3-6039645.html.

81. Calif. Financial Code, Division 1.2. (The 9th Circuit held that provisions restricting disclosure to affiliates were preempted by federal law. American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005).)

82. J. Vijayan, “First Online Privacy Law Looms in California,” ComputerWorld (June 28, 2004), http://www.computerworld.com/printthis/2004/0,4814,94128,00.html.

83. Interpreting the Song-Beverly Act, the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524, 120 Cal. Rptr. 3d 531, 246 P.3d 612 (2011) held that a customer's zip code was considered protected personal information that could not be collected. See “Zip Code is ‘Personal Information’ Under California Law,” reported in Lexology (March 4, 2011).

84. Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008), aff'd, 380 Fed. Appx. 689 (9th Cir. 2010).

85. § 1798.85 provides that “a person or entity may not . . . [r]equire an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.”

86. Hartman v. Summers, 120 F.3d 157, 160 (9th Cir. 1997).

87. “DoubleClick Settles Privacy Inquiry,” N.Y. Times (August 27, 2002) at C3.

88. Ch. 915, Statutes of 2002; Cal. Civ. Code §§ 1798.29, 1798.82-.84.

89. J. Schwartz, “Victoria's Secret Reaches a Data Privacy Settlement,” N.Y. Times (October 21, 2003), http://www.nytimes.com/2003/10/21/technology/21priv.html.

90. L. Rosencrance, “Barnesandnoble.com Hit with Fine for Online Security Breach,” ComputerWorld (April 30, 2004), http://www.computerworld.com/s/article/92804/Barnesandnoble.com_hit_with_fine_for_online_security_breach.

91. Press Release, “Investigation Reveals Massive Privacy Breach,” Office of New York State Attorney General Eliot Spitzer (March 13, 2006), available at http://www.ag.ny.gov/media_center/2006/mar/mar13a_06.html.

92. See http://www.businessweek.com/ap/financialnews/D9J5JNK00.htm

93. “Student Survey Firms Settle Charges FTC of Selling Data to Marketers,” 84 Antitrust & Trade Reg. Rep. (BNA) 80 (January 31, 2003).

94. 15 U.S.C.A. §§ 6501 et seq.

95. 16 CFR Part 312 (1999); Trade Reg. Rep. (CCH) No. 575 Part 2 (April 28, 1999).

96. 3 Web Operators Settle COPPA Charges For Unauthorized Collection of Personal Data, 80 Antitrust & Trade Reg. Rep. 2004 (BNA) (April 20, 2001), at 357.

97. The use of a credit card as a method of establishing verifiable parental consent, 16 CFR § 312.5(2), seems curious, given that children may carry supplemental credit cards provided by their parents, and in any event requiring a credit card number would appear to sacrifice some of the parent's privacy in the name of protecting the child's.

98. Liberty Financial Companies, Inc. Trade Cas. (CCH) 24,598 (1999).

99. Henry Beck & Victoria Guest, Violations of COPPA continue, The Nat'l L.J. (Aug. 20, 2001) (the Web sites fined were girlslife.com, insidetheweb.com and bigmailbox.com).

100. Protecting Consumers' Privacy: 2002 and Beyond: Remarks of FTC Chairman Timothy J. Muris, at The Privacy 2001 Conference, October 4, 2001, located at http://www.ftc.gov/speeches/muris/privisp1002.htm.

101. Manufacturer of Popular Girls' Toys Settles FTC Charges of Violating COPPA, 81 Antitrust & Trade Reg. Rep. 2027 (BNA) (Oct. 5, 2001).


102. 82 Antitrust & Trade Reg. Rep. (BNA) 365 (April 26, 2002).

103. “FTC Receives Largest COPPA Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods,” FTC Press Release (February 27, 2003), http://www.ftc.gov/opa/2003/02/hersheyfield.html.

104. “UMG Recordings, Inc. to pay $400,000, Bonzi Software, Inc. to pay $75,000 to Settle COPPA Civil Penalty Charges,” Federal Trade Commission (Feb. 18, 2004), http://www.ftc.gov/opa/2004/02/bonziumg.htm.

105. Matter of Amazon.com, Inc., EPIC Complaint and Request for Injunction, Investigation and for other Relief (April 22, 2003), http://www.epic.org/privacy/amazon/coppacomplaint.html; see also “Consumer Groups Accuse Amazon.com of Violating Children's Online Privacy Act,” 84 Antitrust & Trade Reg. Rep. (BNA) 400 (April 25, 2002); L.J. Flynn, “New Economy,” N.Y. Times p. C4 (May 12, 2003).

106. Trade Reg. Reports (CCH) No. 871, at 8 (December 2004); D. McCullagh, “Amazon Keeps Kids' Data Under Wraps, Regulators Say,” CNetNews.com (November 29, 2004), http://news.com.com/2100-1038_3-5470145.htm1.

107. In re Iconix Brand Group, Inc., FTC Docket No. 0923032 (October 2009); complaint, consent decree and news release available at http://www.ftc.gov/os/caselist/0923032/index.shtm.

108. “FTC Settles COPPA Violation Charges Against Children's Social Networking Website,” Hunton & Williams LLP (November 9, 2011), reported in Lexology, available at http://www.lexology.com/library/detail.aspx?g=f7a5b188-d28f-4e63-8b8e-2bf9c827e37a.

109. Id.

110. “FTC Settles COPPA Charges Against Mobile Application Developer,” Steptoe & Johnson E-Commerce Law Week (Issue 670, Aug. 20, 2011), available at http://www.steptoe.com/publications-7746.html.

111. 82 Antitrust & Trade Reg. Rep. (BNA) 365 (April 26, 2002).

112. See, e.g., Privo, Inc., Trade Cas. (CCH) 15,637 (2004). See also Press Release, “FTC Seeks Public Comment on Program to Keep Web site Operators in Compliance With the Children's Online Privacy Protection Rule,” Federal Trade Commission (January 6, 2010), available at http://www.ftc.gov/opa/2010/01/isafe.shtm.

113. Kardell, “FTC Will Propose Broader Children's Online Privacy Safeguards,” Ifrah PLLC (Dec. 22, 2011), reported in The National Law Review, available at http://www.natlawreview.com/article/ftc-will-propose-broader-children-s-online-privacy-safeguards.

114. Id.

115. FTC Report Raises Privacy Questions About Mobile Applications for Children, FTC Release (February 23, 2012), available at http://ftc.gov/opa/2012/02/mobileapps_kids.shtm.

116. New York State Bar Ass'n v. F.T.C., 2004-1 Trade Cas. (CCH) ¶ 74383, 2004 WL 964173 (D.D.C. 2004), judgment aff'd, 430 F.3d 457, 2005-2 Trade Cas. (CCH) ¶ 75050 (D.C. Cir. 2005).

117. Other regulators include the SEC, the CFTC, the Comptroller of Currency, the Board of Governors of the Federal Reserve System, the Board of Directors of the Federal Deposit Insurance Corporation, the Directors of the Office of Thrift Supervision, the Board of the National Credit Union Administration, and state insurance regulators. These agencies have issued similar regulations.

118. Available at http://www.federalreserve.gov/boarddocs/press/bcreg/2005/20051214/attachment.pdf.

119. See Standards for Safeguarding Customer Information; final rule, 16 C.F.R. 314, available at http://www.ftc.gov/privacy/glbact; “FTC Issues Financial Information Safeguards Rule,” FTC Release (May 17, 2002). See also Federal Trade Commission—Business Alert, “Safeguarding Customers' Personal Information: A Requirement for Financial Institutions,” available at http://www.ftc.gov/bcp/conline/pubs/alerts/safealrt.htm. Again, other financial regulatory agencies have similar rules, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. part 30 app. B, part 208 app. D.2, part 225 app. F, part 368 app. B, and part 570 app. B.

120. See 16 C.F.R. 314.3(a).

121. See 16 C.F.R. 314.4(a)-(e).

122. See 16 C.F.R. 314.4(d)(2).

123. See 16 C.F.R. 314.5(a). See also FTC Commentary to 16 C.F.R. 314. The Safeguards Rule will take effect one year from the date on which the final rule is published in the Federal Register, which was May 23, 2002. See FTC Commentary to 16 C.F.R. 314.


124. See 16 C.F.R. 314.5(b). See also FTC Commentary to 16 C.F.R. 314. Contracts between financial institutions and nonaffiliated third-party service providers are given two years to bring service provider contracts into compliance with the Safeguards Rule as long as the contract was in place 30 days after the date on which the final rule was published in the Federal Register, which was May 23, 2002. See FTC Commentary to 16 C.F.R. 314.

125 See 16 C.F.R. 314.5(b). See also FTC Commentary to 16 C.F.R. 314.

126 Federal Trade Comm'n, "Financial Institutions and Customer Data: Complying with the Safeguards Rule" (September 2002), available at http://www.ftc.gov/bcp/conline/pubs/bspubs/safeguards.pdf.

127 See Sunbelt Lending Services, Inc., Trade Cas. (CCH) 15,678 (2004).

128 Notice and Request for Comment, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 68 Fed. Reg. 47954 (August 12, 2003).

129 16 CFR Part 681.

130 Id., reported in Hoffman, "Wide Range of Businesses Must Implement 'Red Flags' Programs" (Lexology, May 18, 2010), available at http://www.lexology.com/library/detail.aspx?g=f16f3cac-726e-4e12-b307-864d86352ed6.

131 S.E.C. Reg. S-P.

132 Reported in Steptoe & Johnson, E-Commerce Law Week (March 22, 2008); 73 Fed. Reg. 13692 (Mar. 13, 2008), available at http://www.sec.gov/rules/proposed/2008/34-57427.pdf.

133 Pub. L. No. 104-191, 110 Stat. 1936 (1996).

134 A health care clearinghouse is "a public or private entity that processes or facilitates the processing of nonstandard run data elements of health information into standard data elements." 42 U.S.C. § 1320(d)(2).

135 One unintended consequence has been to impede medical research, as researchers can no longer review medical records to identify those who might benefit from a clinical trial, but rather must rely on patients' own physicians to initiate such contacts. M.D. Baum & L. Rossi, "Privacy Rule Builds Biomedical Research Bottleneck," U. Pittsburgh Medical Center (September 13, 2004), http://www.eurekalert.org/pub_releases/2004-09/uopm-prb091304.php.

136 45 C.F.R. Parts 160 and 164. This may include banks that process health care payments. See "United States—Banks Processing Payments to Health Providers," World Data Protection Rep. (BNA) 20 (January 2002).

137 A. Zimmerman & D. Armstrong, "How Drug Makers Use Pharmacies To Push Pricey Pills," Wall Street J., p. A1 (May 1, 2002).

138 45 CFR Parts 160, 162, and 164 (2003).

139 B. Brevin, "New HIPAA Security Rules Could Open Door to Litigation," Computerworld (February 20, 2003), http://www.computerworld.com/printthis/2003/0,4814,78684,00.html.

140 See S. Weil, "HIPAA Security Rule: What It Is & How to Comply With It," Security Focus (March 1, 2004).

141 45 C.F.R. Part 164; J.E. Arent, "United States: Risks and Responsibilities under HIPAA Following an Impermissible Disclosure," World Data Protection Rep. (BNA) (April 2004) at 25.

142 See Pub. L. 111-5. See also E-Commerce Law Week (February 28, 2009), available at www.steptoe.com/E-CommerceLawWeek; Press Release, FTC Issues Final Breach Notification Rule for Electronic Health Information, Federal Trade Commission (August 17, 2009), available at http://www.ftc.gov/opa/2009/08/hbn.shtm. Pursuant to HITECH, the notice must include a description of what happened, the date of the breach, the date of discovery of the breach, the types of unsecured protected health information, steps the individual should take, steps the entity took or is taking to investigate and/or mitigate, and contact procedures for individuals with more questions. See "FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records," reported in Lexology (September 3, 2009), available at http://www.lexology.com/library/detail.aspx?g=07aeb5d8-ccab-48db-88bf-0e08e192d35e.

143 HITECH also strengthens individuals' right of access to their electronic health records, and places limits on the use and disclosure of protected health information for marketing purposes. Any Covered Entity must provide an individual with access to such electronic information in the form and format requested by the individual upon 30 days' notice (unless the information is located off-site). See Hanna, Rangel, Setliff and Ward, "HIPAA Security and Privacy Rules Modified for HITECH Act Provisions," reported in Lexology (August 2, 2010); see also "HIPAA HITECH Regulations Proposed," reported in Lexology (July 29, 2010), available at http://www.lexology.com/library/detail.aspx?g=1a7cddb7-169e-4b7d-83df-a078ade02ed9.

144 Mulhollan, "HIPAA Has Teeth—Part II," reported in Lexology (June 10, 2010), available at http://www.lexology.com/library/detail.aspx?g=e26e6e08-2968-48e4-9eed-2144f51f4dd4. In addition to fines, individuals are subject to criminal penalties. A former UCLA Health System employee, apparently disgruntled over an impending firing, was sentenced to four months in federal prison after pleading guilty in January 2010 to illegally snooping into patient records, mainly those belonging to celebrities. http://www.scmagazineus.com/health-worker-is-first-hipaa-privacy-violator-to-get-jail-time/article/168894.

145 Similar to ARRA, a California law went into effect on January 1, 2009, requiring health care organizations in California to report breaches of patient data. In the first five months that the law was in effect, there were over 800 breaches reported. See "New Law Floods California With Medical Data Breach Reports," Wired (July 9, 2009), available at http://www.wired.com/threatlevel/2009/07/health-breaches.

146 See "Feds Finally Put Teeth into HIPAA Enforcement," Computerworld (September 8, 2008), available at http://www.computerworld.com/action/article.do?command=viewArticleBasic=325376.

147 Corrective action plan, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/.

148 "CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations," FTC Press Release (February 18, 2009), available at http://www.ftc.gov/opa/2009/02/cvs.shtm.

149 Elbon, "Covered Entities and Associates Must Take Heed of Recent HIPAA Privacy Sanctions," Bradley Arant Boult Cummings LLP (March 10, 2011), reported in Lexology, available at http://www.lexology.com/library/detail.aspx?g=1346490c-822f-4ed7-b005-6d36fc5bc60e.
