On January 25, 2011, the 112th Congress introduced its first data security-related bill—the Cybersecurity and American Cyber Competitiveness Act (S. 21). The bill is co-sponsored by Senate Majority Leader Harry Reid and several Senate Committee leaders, including Senators Leahy, Levin, Bingaman, Kerry, Rockefeller, Lieberman, and Feinstein. The bill seeks to safeguard critical technology infrastructure from cyber attacks and protect individual privacy by improving identity theft prevention measures, guarding against personal information abuse, and seeking to promote international cooperation to combat cyber threats. More information regarding S. 21 is available in a statement released by the bill’s co-sponsors.
In early January 2011, Canadian consumers brought a class action against Google regarding a privacy breach caused by Google’s Buzz social networking and messaging tool. The lawsuit, filed in the Manitoba Court of Queen’s Bench alleged that Google breached consumers’ privacy because the Buzz tool’s default settings allowed users to view private profile information about other users without consent. Under Canadian privacy law, consumers may collect up to $5,000 per consumer in damages for each privacy breach.
On January 25, 2011, the United States House of Representatives Committee on the Judiciary’s Subcommittee on Crime, Terrorism, and Homeland Security (“Crime Subcommittee”) held a hearing on the data retention policies of Internet service providers (“ISPs”) and web hosting companies, such as social-networking sites. According to a representative from the Department of Justice who testified at the hearing, ISPs’ disparate data retention policies hamper criminal investigations and other law enforcement and prosecutorial initiatives. The Department of Justice has recommended that Congress create mandatory data retention requirements to facilitate law enforcement and prosecutorial activities. No specific legislation was proposed during the Crime Subcommittee hearing; rather, legislators and agency and industry representatives explored the need for data retention requirements.
Privacy advocates have questioned the implications of mandatory data retention requirements that would require entities to maintain sensitive consumer data, such as personally identifiable Internet address information, email, instant messaging correspondence, and the Web pages users visit. For example, past data retention legislation would have required certain Internet companies to retain Internet protocol addresses for two years. These data retention proposals conflict with recent agency privacy-protection recommendations advocating the storage of less consumer data, such as the Federal Trade Commission’s proposed privacy framework, which suggests that businesses should “retain consumer data for only as long as they have a specific and legitimate business need to do so.”
More information regarding the Crime Subcommittee’s hearing is available here.
The FTC announced today that it extended the deadline to comment on its preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers" until February 18. Several organizations had requested this extension due to the size and complexity of the report.
To file comments electronically, click here.
Today, the Supreme Court issued its decision in NASA v. Nelson, a case relating to employee privacy. The Court unanimously ruled (Justice Kagan, who was recused, did not participate) that the federal government has broad latitude to ask questions about the background of independent contractors who work at government facilities.
The Ninth Circuit had previously ruled that the background checks at issue were too invasive of individual privacy because they asked about drug treatment and counseling within the previous year and posed open-ended questions about the individual’s employment suitability. The background check policy at issue was developed after the 2001 terrorist attacks.
Writing for the Court, Justice Alito stated that "the challenged portions of [the forms] consist of reasonable, employment-related inquiries that further the Government’s interest in managing its internal operations." The Court rejected arguments that the Government’s inquiries violated a constitutional right to informational privacy.
The full opinion is available here.
Mark your calendars for Data Privacy Day – January 28, 2011. Countries around the world are hosting events in honor of Data Privacy Day (or Data Protection Day). This year is the thirtieth anniversary of the date on which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on January 28, 1981. Some highlights include:
– Panel discussions around the world. For example, the Council of Europe and European Commission are hosting a joint high-level meeting in Brussels (registration due January 24). Google is opening its Washington, DC offices for a breakfast and a panel discussion called “The Technology of Privacy: When Geeks Meet Wonks.”
– Local government initiatives – for example, the California Office of Privacy Protection will be launching a social media site: www.privacy.ca.gov.
– Happy Hours in many local areas on January 27, 2011, hosted by the International Association of Privacy Professionals (IAPP).
On January 7, 2011, the U.S. Supreme Court granted the petition for writ of certiorari filed by the State of Vermont seeking to overturn the decision of the Second Circuit, which held that Vermont’s prescription confidentiality law was unconstitutional.
The section of the Vermont law at issue in the appeal, codified at 18 V.S.A. § 4631, prohibits the sale, license, or exchange for value of prescriber-identifiable data for marketing or promoting a prescription drug unless the prescriber consents. The Vermont legislature passed the law in 2007, intending to protect public health, to protect prescriber privacy, and to reduce health care costs.
The law was challenged by companies, commonly referred to as “data miners,” which purchase information regarding prescriptions from pharmacies, including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender. The data miners aggregate this information and sell it to pharmaceutical research and manufacturing companies to assist in their marketing efforts to prescribing physicians. The law was also challenged by the Pharmaceutical Research and Manufacturers of America.
The Second Circuit overturned the district court’s decision, 631 F. Supp. 2d 434 (D. Vt. 2009), which had upheld the Vermont law as a constitutional restriction of commercial speech. The Second Circuit determined that the Vermont law did not pass intermediate scrutiny under Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557 (1980), because the law did not “advance the state’s interests in public health and reducing costs in a direct and material way” and there were less speech-restrictive means available to Vermont.
The Second Circuit’s decision created a split with the First Circuit, which had previously upheld similar laws from New Hampshire (IMS Health Inc. v. Ayotte, 550 F.3d 42 (2008)) and Maine (IMS Health Inc. v. Mills, 616 F.3d 7 (2010)).
According to a statement from the Vermont Attorney General, the case, Sorrell v. IMS Health Inc., No. 10-779, will likely be argued in April of this year and decided before the end of the Court’s term in June.
In the last two weeks of 2010, President Obama signed the following three acts addressing privacy:
Red Flag Program Clarification Act of 2010
President Obama signed the “Red Flag Program Clarification Act of 2010,” S. 2987 (“Clarification Act”), on December 18, 2010, which became Public Law No. 111-319. The Clarification Act narrows the definition of “creditor” under the Fair Credit Reporting Act (FCRA) by adding a definition to Section 615(e), 15 U.S.C. § 1681m(e), to address concerns about the breadth of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”).
The FTC’s Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act, under which the FTC and other agencies were directed to draft regulations requiring “creditors” and “financial institutions” with “covered accounts” to implement written identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities—the so-called “red flags”—that could indicate identity theft. The FTC interpreted the definition of “creditor” to include entities that regularly permit deferred payment for goods and services, which swept in lawyers, doctors, and other service providers not typically considered “creditors.” This interpretation led to lawsuits by professional organizations, including the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants, challenging the FTC’s position that the Red Flags Rule applied to their members.
The Clarification Act limits the definition of creditor to entities that regularly and in the ordinary course of business: (i) obtain or use consumer credit reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds to or on behalf of a person. The definition specifically excludes creditors that “advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” However, the Clarification Act also allows the definition of creditor to be expanded by rules promulgated by the FTC or other regulating agencies to include creditors that offer or maintain accounts determined to be subject to a reasonably foreseeable risk of identity theft.
S. 2987 was introduced by Senator John Thune (R-S.D.) and co-sponsored by Senator Mark Begich (D-Alaska) on November 30, 2010, and the Senate unanimously approved the bill the same day. An identical companion bill, H.R. 6420, was introduced in the House by Representatives John Adler (D-N.J.), Paul Broun (R-Ga.), and Michael Simpson (R-Idaho) on November 17, 2010. S. 2987 passed the House on December 7, 2010.
The FTC had previously delayed enforcement of the Red Flags Rule several times, most recently in May 2010 when it delayed enforcement through December 31, 2010. The FTC’s Red Flags Rule website, http://www.ftc.gov/redflagsrule, notes that the FTC will be revising its Red Flags guidance to reflect the Clarification Act changes.
Social Security Number Protection Act of 2010
President Obama also signed the “Social Security Number Protection Act of 2010,” S. 3789, on December 18, 2010, which became Public Law No. 111-318. S. 3789 was introduced by Senator Dianne Feinstein (D-Calif.) with bipartisan co-sponsorship, including Senator Judd Gregg (R-N.H.). According to a statement from Senator Feinstein, the Act aims to reduce identity theft by limiting access to Social Security numbers.
The Act prohibits any federal, state, or local agency from displaying Social Security numbers, or any derivative of such numbers, on government checks issued after December 18, 2013. The Act also prohibits any federal, state, or local agency from employing prisoners in jobs that would give them access to Social Security numbers after December 18, 2011.
S. 3789 unanimously passed in the Senate on September 28, 2010, and passed in the House by voice vote under suspension of its rules on December 8, 2010.
Truth in Caller ID Act of 2009
On December 22, 2010, President Obama signed into law the “Truth in Caller ID Act,” S. 30, which became Public Law No. 111-331. The Caller ID Act is intended to combat caller ID “spoofing,” in which identity thieves alter the name and number displayed as caller ID information in an attempt to trick people into revealing personal information over the phone.
The Caller ID Act amended Section 227 of the Communications Act of 1934, 47 U.S.C. § 227, to make it illegal to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm. However, the Caller ID Act specifically prohibits anything in it from being construed as preventing or restricting any person from using caller ID blocking.
The Federal Communications Commission (“FCC”) is required to prescribe regulations to implement the Act within six months. The Caller ID Act specifically exempts law enforcement activity and caller ID manipulation authorized by court order, and it also allows the FCC to define other exemptions by regulation.
The FCC can impose civil forfeiture penalties of up to $10,000 per violation, or $30,000 for each day of continuing violation, up to a cap of $1,000,000 for any single act or failure to act. Willful and knowing violations of the Caller ID Act can result in criminal penalties including the same monetary penalties and up to a year in prison.
S. 30 was introduced by Senator Bill Nelson (D-Fla.) on January 7, 2009, and passed the Senate on February 23, 2010. The bill was approved in the House on December 15, 2010, by voice vote under suspension of the rules. S. 30 was very similar to H.R. 1258, introduced by Representatives Eliot Engel (D-N.Y.) and Joe Barton (R-Tex.) and passed by the House on April 14, 2010, according to a statement released by Representative Engel.