On January 25, 2011, the 112th Congress introduced its first data security-related bill—the Cybersecurity and American Cyber Competitiveness Act (S. 21). The bill is co-sponsored by Senate Majority Leader Harry Reid and several Senate Committee leaders, including Senators Leahy, Levin, Bingaman, Kerry, Rockefeller, Lieberman, and Feinstein. The bill seeks to safeguard critical technology infrastructure from cyber attacks and protect individual privacy by improving identity theft prevention measures, guarding against personal information abuse, and seeking to promote international cooperation to combat cyber threats. More information regarding S. 21 is available in a statement released by the bill’s co-sponsors.
In early January 2011, Canadian consumers brought a class action against Google regarding a privacy breach caused by Google’s Buzz social networking and messaging tool. The lawsuit, filed in the Manitoba Court of Queen’s Bench, alleged that Google breached consumers’ privacy because the Buzz tool’s default settings allowed users to view private profile information about other users without consent. Under Canadian privacy law, consumers may collect up to $5,000 per consumer in damages for each privacy breach.
On January 25, 2011, the United States House of Representatives Committee on the Judiciary’s Subcommittee on Crime, Terrorism, and Homeland Security (“Crime Subcommittee”) held a hearing regarding the data retention policies of Internet service providers (“ISPs”) and web hosting companies, such as social-networking sites. According to a representative from the Department of Justice, who testified at the hearing, ISPs’ disparate data retention policies hamper criminal investigations and other law enforcement and prosecutor initiatives. The Department of Justice has recommended that Congress create mandatory data retention requirements to help facilitate law enforcement and prosecutor activities. No specific legislation was proposed during the Crime Subcommittee hearing; rather, legislators and agency and industry representatives explored the need for data retention requirements.
Privacy advocates have questioned the implication of mandatory data retention requirements that would require entities to maintain sensitive consumer data, such as personally identifiable Internet address information, email, instant messaging correspondence, and what Web pages users visit. For example, past data retention legislation would have required certain Internet companies to maintain Internet protocol addresses for two years. These data retention proposals conflict with recent agency privacy-protection suggestions advocating the storage of less consumer data, such as the Federal Trade Commission’s proposed privacy framework, which suggests that businesses should “retain consumer data for only as long as they have a specific and legitimate business need to do so.”
More information regarding the Crime Subcommittee’s hearing is available here.
The FTC announced today that it extended the deadline to comment on its preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers" until February 18. Several organizations had requested this extension due to the size and complexity of the report.
To file comments electronically, click here.
Today, the Supreme Court issued its decision in NASA v. Nelson, a case relating to employee privacy. The Court unanimously ruled (excluding Justice Kagan, who recused) that the federal government has broad latitude to ask questions about the background of independent contractors who work at government facilities.
The Ninth Circuit had previously ruled that the background checks at issue were too invasive of individual privacy because they asked about drug treatment and counseling within the previous year, and asked open-ended questions about the individual’s employment suitability. The background check policy at issue was developed after the 2001 terrorist attacks.
Writing for the Court, Justice Alito stated that "the challenged portions of [the forms] consist of reasonable, employment-related inquiries that further the Government’s interest in managing its internal operations." The Court rejected arguments that the Government’s inquiries violated a constitutional right to informational privacy.
The full opinion is available here.
Mark your calendars for Data Privacy Day – January 28, 2011. Countries around the world are hosting events in honor of Data Privacy Day (or Data Protection Day). This year is the thirtieth anniversary of the date on which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on January 28, 1981. Some highlights include:
– Panel Discussions around the world. For example, the Council of Europe and European Commission are hosting a joint high-level meeting in Brussels (registration due January 24). Google is opening its Washington, DC offices for Google breakfast and a panel discussion called “The Technology of Privacy: When Geeks Meet Wonks.”
– Local government initiatives – for example, the California Office of Privacy Protection will be launching a social media site: www.privacy.ca.gov.
– Happy Hours in many local areas on January 27, 2011, hosted by the International Association of Privacy Professionals (IAPP).
On January 7, 2010, the U.S. Supreme Court granted the petition for writ of certiorari filed by the State of Vermont seeking to overturn the decision from the Second Circuit which held that Vermont’s prescription confidentiality law was unconstitutional.
The section of the Vermont law at issue in the appeal, codified at 18 V.S.A. § 4631, prohibits the sale, license, or exchange for value of prescriber-identifiable data for marketing or promoting a prescription drug unless the prescriber consents. The Vermont legislature passed the law in 2007, intending to protect public health, to protect prescriber privacy, and to reduce health care costs.
The law was challenged by companies, commonly referred to as “data miners,” which purchase information regarding prescriptions from pharmacies, including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender. The data miners aggregate this information and sell it to pharmaceutical research and manufacturing companies to assist in their marketing efforts to prescribing physicians. The law was also challenged by the Pharmaceutical Research and Manufacturers of America.
The Second Circuit overturned the district court’s decision, 631 F. Supp. 2d 434 (D. Vt. 2009), which had upheld the Vermont law as a constitutional restriction of commercial speech. The Second Circuit determined that the Vermont law did not pass intermediate scrutiny under Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557 (1980) because the Vermont law did not “advance the state’s interests in public health and reducing costs in a direct and material way” and there were less speech-restrictive means which Vermont could have used.
The Second Circuit’s decision created a split with the First Circuit, which had previously upheld similar laws from New Hampshire (IMS Health Inc. v. Ayotte, 550 F.3d 42 (2008)) and Maine (IMS Health Inc. v. Mills, 616 F.3d 7 (2010)).
According to a statement from the Vermont Attorney General, the case, Sorrell v. IMS Health Inc., No. 10-779, will likely be argued in April of this year and decided before the end of the Court’s term in June.