The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Lawsuit Filed Against Maine’s Predatory Marketing Practices Law

On Wednesday, a lawsuit was filed seeking a preliminary injunction to enjoin Maine’s Predatory Marketing Practices law from going into effect on September 12, 2009.  As discussed in our August 13 entry, this law would prohibit knowingly collecting health related information or personal information for marketing purposes from a minor without parental consent.  In addition, a later provision prohibits using that information for marketing purposes, apparently even if done without knowledge of the age of the individual or even if marketers obtain parental consent. 

The lawsuit alleges that this law violates the First Amendment and the Commerce Clause, and is preempted by the Children’s Online Privacy Protection Act.  The suit was brought by the Maine Independent Colleges Association, the Maine Press Association, and Reid Elsevier, Inc., and was filed in the U.S. District Court of Maine.


Leave a comment

FTC and HHS Issue Healthcare Notice of Breach Rules Under The American Recovery and Reinvestment Act of 2009

On August 17, 2009  the Federal Trade Commission (FTC) issued its final rule and on August 19, 2009 the Department of Health and Human Services (HHS) issued its interim final rule, both relating to notification of individuals when their health information is breached.  The regulations are the result of requirements under the American Recovery and Reinvestment Act of 2009 (ARRA), with the HHS more specifically required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, a part of ARRA.  The HHS regulations apply to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates.  The FTC’s rule, the Health Breach Notification Rule (Health Breach Rule), applies to both vendors of personal health records (PHR) – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records.


Continue reading

Leave a comment

Massachusetts Amends Data Security Regulations and Extends Compliance Deadline

On August 17, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced that it has amended its regulations to protect personal information of residents of the Commonwealth, 201 CMR 17.00 ("Data Security Regulations").  The Data Security Regulations were to be effective as of January 1, 2010, but with this latest amendment the compliance deadline has been extended to March 1, 2010.   Although the press release focuses on the effect the Data Security Regulations could have on small businesses, the amendments and extension apply to all businesses that "own or license" personal information about a resident of the Commonwealth.  The apparent primary purpose of the amendments is to take more of a risk-based approach to security, which is reflected throughout the revisions.  The OCABR has scheduled a hearing on September 22, 2009 at 10:00 a.m. in Room No. 5-6, Second Floor, Transportaion Bldg, 10 Park Plaza, Boston, MA 02116 for interested parties to provide oral or written testimony regarding 201 CMR 17.00 and will accept written comments until the close of business on September 25, 2009 at the offices of the OCABR, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attn: Jason Egan, Deputy General Counsel, or e-mailed to

Continue reading

Leave a comment

Maine’s Predatory Marketing Practices Law

The effective date of Maine’s "Act to Prevent Predatory Marketing Practices Against Minors" (the "Act"), September 12, 2009 is quickly approaching.  The Act continues to be a large source of concern for businesses and marketers.

The Act prohibits knowingly collecting health related information or personal information for marketing purposes from a minor without parental consent.  Although "minor" is not defined within the Act, based on other Maine statutory provisions presumably this means anyone under 18.  The Act defines "personal information" as individually identifiable information, such as a minor’s name, address, social security number, or driver’s license number.  However, as written there are inconsistencies in the Act.  A later provision prohibits using that information for marketing purposes even if marketers obtain parental consent.

Based on the breadth of the Act and its potential application to email, direct mail, and text marketing, it will affect businesses and marketers outside of Maine as well as in Maine.  Additionally, the Act provides a private right of action, so violations of the Act could result in a serious consequence.

Speculation has grown as the effective date approaches that the law will be challenged.  For now, however, businesses and marketers should consider what steps they should and can take in order to comply with the Act.

Leave a comment

Twitter – Mass Appeal But Vulnerable to Mass Attacks

Last Thursday, Twitter was rendered virtually inoperable for several hours by cyber attacks.  Although other social media sites like Facebook were also affected, they were able to fend off the attacks without major interruption to their users.  The New York Times reported that this attack was an extension of the ongoing conflict between Georgia and Russia, and may have been directed at a professor in Georgia.  On Friday, Twitter acknowledged that the attacks "appear to have been geopolitical in motivation."  But on Tuesday, another attack occurred, again causing major access problems for Twitter users.  Given the popularity of Twitter, not just among individuals but also among a growing number of companies, one has to wonder if these attacks (and possible future attacks) will cause users to re-evaluate the usefulness of Twitter’s services.