White House Releases Privacy Report and Calls For a Consumer Bill of Rights

Earlier today, Secretary of Commerce John Bryson and Federal Trade Commission Chairman Jon Leibowitz outlined the Obama administration’s strategy for ensuring “consumers’ trust in the technologies and companies that drive the digital economy.” On the heels of their announcement, and although it is dated January 2012, the Department of Commerce released a long-awaited report entitled “Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” the administration’s roadmap for privacy legislation and regulation in the years ahead.

The announcement and privacy blueprint envision a comprehensive and integrated framework for data protection, rather than the current sector-by-sector patchwork approach, and comprise four key pillars: (1) a consumer privacy bill of rights; (2) a multi-stakeholder process and approach dealing with how such a bill of rights would apply in a business context; (3) more effective enforcement; and (4) greater commitment to harmonization and cooperation in the international community.

The Report outlines the seven principles of its proposed Consumer Privacy Bill of Rights and, although calling for legislation and regulation to codify and memorialize these rights, also sets out consumer privacy standards that companies are asked to immediately and voluntarily adopt in a cooperative public-private partnership. These seven principles are:

  1. Individual Control Through Choice
  2. Greater Transparency
  3. Respect for Context
  4. Secure Handling
  5. Access & Correction Rights
  6. Focused Collection
  7. Accountability

The Report notes that a company’s adherence to the voluntary codes will be viewed favorably by the FTC in any investigation or enforcement action for unfair and deceptive trade practices. By implication, a company’s failure to adopt and follow these principles might be used as evidence of a violation of Section 5 of the FTC Act, even if federal legislation is not passed on the subject. The FTC is expected to soon release its Final Staff Report on Consumer Privacy, which will be consistent with the Obama administration’s proposed Framework Report. The report reinforces the administration’s commitment to international harmonization, and also touches upon the role state attorneys general in the United States can play. While we are still reviewing the details – and more will likely be forthcoming from the administration in the weeks and months ahead – Legal Bytes will keep you on top of these developments as they arise.

You can read the entire report right here: Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.

These are developments that affect all businesses, domestic and multi-national, global and local, consumers and regulators. The complexity and challenges of compliance should not be underestimated, nor should the administration’s commitment to follow the roadmap outlined. Rimon has teams of lawyers who have experience and follow developments in privacy and data protection, from prevention and policy to compliance and implementation. If you want to know more, need counsel, need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

MMA Releases Mobile App Privacy Guidelines – Appy Days Are Here Again

A few days ago (October 17), the Mobile Marketing Association released its MMA Mobile Application Privacy Policy, which the MMA asserts is the first industry guideline to deal with data protection and privacy specifically related to mobile and wireless applications. The guideline being made available for comment is slated to be finalized sometime after November 18, 2011, when the MMA’s comment period is scheduled to close. The press release notes that there are currently more than 425,000 iPhone/iPad apps available from Apple’s App Store, and more than 200,000 available for Android.

The document is intended to deal with some of the basic privacy principles and text that developers should consider incorporating into mobile apps to let consumers know how their data is collected and used, as well as information regarding confidentiality and the security of information that becomes available when a consumer installs and uses a mobile app. Obviously, legal disclaimers and disclosures, and issues related to privacy and data protection, are quite jurisdiction-specific, and compliance will always require consultation with legal counsel to be sure that mobile applications, and all other online applications and processes, conform to the legal requirements of each jurisdiction that applies to the consumers of that application or process.

Rimon’s offices around the world are open, coordinating with our Advertising Technology & Media law practice group, ensuring that lawyers knowledgeable in data protection and privacy, as well as in mobile technology and marketing, are available to help you. As always, if you want to know more about how lawyers who understand can help your business, feel free to contact me, Joe Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Payment Card Industry Takes a Swipe at Virtual Security

Someone in the payment instrument, payment processing, or payment systems environment must be living under a rock if he or she has not heard of or been affected by the Data Security Standards (DSS), or “PCI-DSS” as it has been referred to in the industry, promulgated and released by the Security Standards Council of the Payment Card Industry Association (PCI). Although the original impetus for the credit-card-driven security standards was combating identity theft and credit card fraud in the wake of the data breaches and compromised (or potentially compromised) databases containing sensitive consumer payment account information, the standards have become the de facto starting point for any compliance security standard in the payment industry.

Last week, the PCI Security Standards Council released new comprehensive guidelines for PCI compliance in virtual card holder data environments dealing with consumer payment system and payment transaction security in a virtual environment. Rimon lawyers who work in this area consistently and who have a wealth of experience with information security and financial services, have put together a client alert entitled: "Is the PCI Security Standards Counsel Preparing for Cloudy Weather?"

Credit, debit and prepaid cards; smart cards and chip cards; gift cards and stored value cards; co-branded cards and loyalty rewards programs; corporate cards, fleet cards and purchasing cards; data protection and privacy; information security, identity theft and data breaches; micro, digital and virtual payment systems – E Commerce; The Fair Credit Reporting Act; Regulation E; Regulation Z; Credit Card Act of 2009 (see Credit Card Act of 2009: Act I, Scene 1 or just search the Legal Bytes blog)! Do any of these terms apply to you? Talk to us. It’s what we do. Contact any of the lawyers listed in the Alert, contact me, or contact the lawyer at Rimon with whom you routinely work, and we will make sure we help you or connect you to someone at Rimon who will be happy to do so.

Sens. Kerry & McCain Introduce Commercial Privacy Bill of Rights Act

Sens. John Kerry (D-Mass.) and John McCain (R–Ariz.) have introduced a bill in Congress to legislatively enable a statutory bill of rights for consumers with respect to commercial privacy. You can read the full text of the Commercial Privacy Bill of Rights Act of 2011 (PDF), and Rimon will have a more complete analysis for your reading enjoyment soon; but the bill clearly intends to require that as little data about an individual is collected as possible, and give individuals a right to know how their information is being used. At first reading, the bill does not provide a private right of action, but does contemplate a self-regulatory program, perhaps a nod to the industry initiative that is highlighted in a recent Legal Bytes posting “OBA Self-Regulatory Initiative Gets Boost from Yahoo! & Google.” You can search for privacy, behavioral advertising and/or self-regulatory on our site and you will find more about this on the Legal Bytes blog.

It may be too early to tell just how much faith Congress has in the industry initiative. That said, it would seem somewhat foolish – given that the FTC and many Congressional leaders have argued for and applauded industry self-regulatory measures – not to afford an industry-sponsored, dynamic, self-regulatory program, a chance to work. As we’ve seen so many times before, along with the technology, consumers’ expectations of privacy, their tastes, commercial needs and sensitivities often change rapidly.

As always, if you need guidance for your advertising and marketing efforts, or privacy and data-protection counsel from lawyers who have experience and resources aligned to deal with these issues every day, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Mobile Marketing & Privacy – Gnus from DataGuidance

In connection with an announcement by the Mobile Marketing Association, Joe Rosenbaum was interviewed by London-based Rita Di Antonio, Journalist and Editor of DataGuidance (and Managing Editor of Data Protection Law & Policy), a publication of Cecile Park Publishing Ltd. You can read the article online, “MMA to discuss ‘comprehensive mobile privacy guidelines’ during January forum”, or download your own copy in PDF format.

Privacy & Data Security Bills After the Midterm Elections

The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the current ambitious privacy and data security legislative agenda. Rimon Washington D.C. Data Privacy, Security & Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security.

HITECH Means High Stakes in First-Ever State HIPAA Lawsuit

Yesterday, the Attorney General of the State of Connecticut filed suit against the Connecticut subsidiary of Health Net, charging it with violations of the privacy and security requirements of HIPAA. The action, filed yesterday in the United States District Court in Connecticut, comes on the heels of a security breach involving medical records and Social Security numbers. The suit also names United Health Group Inc. and Oxford Health Plans LLC, who acquired Health Net of Connecticut but who were not involved in the data breach.

If you forgot, last year the Health Information Technology for Economic and Clinical Health Act (HITECH), for the first time, authorized individual state attorneys general to enforce the security and data privacy regulations under HIPAA, and this appears to be the first such action.

The lawsuit claims that Health Net in Connecticut failed to provide adequate security for the medical and financial records of hundreds of thousands of enrolled individuals, and failed to notify them promptly in connection with the breach. The breach, which took place last May, involved the disappearance of a computer hard drive. Health Net eventually reported the breach, posting a notice on its website and starting a staggered process of mailing letters to consumers November 30, 2009, almost six months after the security breach. For those of you involved in the collection, handling, maintenance, or use of personal, financial and medical information covered by HIPAA, new federal rules under the HITECH Act require “timely” notification of certain breaches, rules that have a compliance deadline of February 22, 2010.

Health Net attributed the delay in reporting to its inability to determine exactly what was on the computer hard drive that disappeared, thus not being sure if a notice was even required. One can only surmise that the mere fact that Health Net didn’t know what information was contained on a removable computer hard drive made its reasoning less than satisfactory to the Connecticut State Attorney General. Although Health Net appears to have conceded that the data was not encrypted, it did indicate that the data should not be visible without the use of specific software. However, Kroll Inc., a computer forensic firm retained by Health Net to investigate the breach, reported the data could be viewable with commonly available software.

Privacy, security and data protection of non-public, personally identifiable and sensitive information (e.g., health, financial data) are increasingly subject to stricter rules and regulations. The use of the Internet and web makes digital information more susceptible to undetected duplication, transmission and access. Not to mention the obvious fact that while carrying millions of pages of records out of a building would be impossible, walking out with a single hard disk or CD-ROM on which the same data and information has been scanned or stored in digital form can be virtually undetectable.

Do you know of any law firm that has a team of privacy and data security, identity theft and data breach legal professionals? A firm that has health care, financial services and insurance specialists, as well as lawyers steeped in digital technology, information security and e-commerce? A firm that has transactional, regulatory compliance and policy-oriented lawyers who can audit current practices and policies, assist in developing mechanisms needed to satisfy regulatory requirements, and provide legal support to help avoid a legal problem, and also regulatory, compliance and litigation professionals who can represent and defend clients if a problem arises? Now you do – Rimon. If you need more information, contact me, Joseph I. (“Joe”) Rosenbaum, or Mark Melodia or Paul Bond, or the Rimon attorney with whom you regularly work, if you need legal advice, information or support on this subject.

Rimon DC Office Hosting Next FCBA Privacy/Data Security & Legislative Committees Meeting

Rimon will host the next brown bag lunch meeting of the Federal Communications Bar Association’s joint Privacy/Data Security and Legislative Committees. The meeting will be held on October 13, 2009 between 12:00 noon – 2:00 p.m. at Rimon’s Washington, D.C. offices (1301 K Street, NW, Suite 1100 East Tower). The Committees will discuss the legislative priorities for the 111th Congress with special emphasis on behavioral marketing and data security legislation. The following speakers are confirmed to-date: Amy Levine, Legislative Counsel to Congressman Rich Boucher; and Paul Cancienne, Legislative Aide to Congresswoman Mary Bono Mack. We also have invited staff from the U.S. Senate. Please RSVP to Desiree Logan at dlogan@rimonlaw.com to attend.

Are You Behaving Badly? Global Regulation of Behavioral Marketing

On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Rimon will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Rimon partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.

Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.

Join us for this exciting and timely Rimon Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation.

Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forum) has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. Legal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Rimon attorneys with whom you regularly work.