The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Court Reconsiders Retail Liability in Hannaford Breach Case

U.S. District Court Judge D. Brock Hornby, who is overseeing a Maine data breach case involving a 2007-2008 breach of the Hannaford Brothers supermarket chain, has reversed his earlier decision to dismiss a class-action lawsuit against Hannaford Brothers.   

Maine law covering breaches allows consumers to recover damages if the merchant’s negligence caused a direct loss to the consumer’s account.  Judge Hornby is asking the state’s Supreme Court whether "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?” If the Supreme Court decides that such losses do merit compensation, it may eliminate some of the protections that have shielded retailers from legal liability for data breaches. 

Leave a comment

Schwarzenegger Explains Veto

Schwarzenegger issued a statement explaining his veto of Senate Bill 20, a bill that would imposed additional requirements on entities issuing data breach notifications.   According to his statement the bill was unnecessary because "there is no evidence that there is a problem with the information provided to
consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do
anything with the notices."

A copy of his statement is available at:


Leave a comment

Governor Schwarzenegger Vetoes Data Breach Legislation

Governor Schwarzenegger vetoed state Senator Joe Simitian´s (D-Palo Alto) Senate Bill 20, which would have imposed additional requirements on businesses and state agencies that experience a breach of security.

If adopted into law, the bill would have required that consumers be provided with a plain language description of the data loss incident, including the timing of the incident and the type of personal information exposed. Senate Bill 20 also would have directed data holders to submit a copy of the notification letter to the state Attorney General´s office if more than 500 California residents were affected in a single incident.

State Senator Simitian was quoted as saying “I’m surprised as well as disappointed by the Governor’s veto . . .There was no opposition to the bill in its final form. This was a common sense step to help consumers.” 

An article about this development is available at

Leave a comment

Congressional Activity on FTC Red Flags Rule

Late Thursday, October 8 Rep. John Adler (D-N.J.) introduced H.R. 3763, a bill to provide for an exclusion from Red Flag Guidelines for certain businesses.

H.R. 3763 would require the FTC to promulgate regulations that would enable businesses to apply for, and receive, an exemption from the rule if the FTC determines that the business:

  • is individually acquainted with all of its customers;
  • only performs services in or around the residences of its customers; or
  • has not experienced incidents of identity theft and identity theft is rare for businesses of that type.

The bill also would exempt health care, legal or accounting practices with fewer than 20 employees.

A business would lose its exemption if the exclusions criteria ceases to be applicable.

The House Financial Services Committee is expected to mark-up the bill on October 14, although there has been some talk here in Washington that the legislation is on a fast track to be brought directly to the House floor for a vote.

A copy of the bill is available here:


Leave a comment

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program.

More information is available here and here.

Leave a comment

HHS Posts Breach Notice Reporting Form

The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency.  Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form.  Some interesting features of the form include:

  • The form may be used to report both breaches affecting 500 or more individuals, as well as breaches affecting fewer than 500 individuals, although the former must be notified to the agency within 60 days of discovery and the later need only be logged over the course of the year and reported to the agency on an annual basis.
  • The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided.  The form is, however, required to be completed by the covered entity.
  • The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
  • The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list.  Actions taken in response to the breach also may be described in narrative form.
  • The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s web site, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
  • The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.

The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS’s implementing regulations.  HHS also has provided instructions for completing the form.

Leave a comment

Report Finds America Rejects Targeting Setting-Up Policy Debate

In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The study also makes the case that Americans would like much stricter laws governing the data collected online and higher penalties for failures to comply.

To read more about the report click here, here and here.  A copy of the report is available here.