Monthly Archives: June 2011

OIG Urges Inclusion of General IT Security Controls in HIT Standards

By Anna Kraus & Rachel Grunberger

As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information.  Earlier this week, we provided more detail on the OIG’s report … Continue Reading

FTC Seeks Comment on Aristotle’s COPPA Safe Harbor Application

The Children’s Online Privacy Protection Act (“COPPA”) provides a safe harbor for companies that comply with FTC-approved self-regulatory guidelines.  Since COPPA’s enactment, the FTC has approved proposals submitted by CARU, ESRB, TRUSTe, and Privo, Inc.   Aristotle, which operates the Integrity suite of age and identity verification services, recently filed an application with the FTC to become an FTC-approved safe harbor program.  … Continue Reading

OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance

By Anna Kraus & Rachel Grunberger

In a previous post, we highlighted two reports recently issued by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of … Continue Reading

Supreme Court Strikes Down Vermont Law Restricting Use of Prescriber-Identifiable Data

Today, in a 6-3 decision, the U.S. Supreme Court struck down a Vermont law restricting the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors.  In so holding, the Supreme Court found that speech in aid of pharmaceutical marketing is a form of expression protected by the First Amendment.   … Continue Reading

Flurry of Privacy Bills Introduced in Congress; More to Come?

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date: Comprehensive privacy legislation: BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, … Continue Reading

U.S. Chamber of Commerce Hosts Event on Challenges to the Free Flow of Electronic Commercial Information

By Katie Keith

On June 16, 2011, the United States Chamber of Commerce organized a forum for business leaders addressing challenges to the free flow of electronic commercial information. Panelists included academics, government officials, and policy and privacy directors from Google, AT&T, GE, Citigroup, and IBM. The event was moderated by leaders from the Commerce … Continue Reading

European Regulators Continue to Struggle With New Cookie Rule

In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended.  The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments.  The implementation efforts … Continue Reading

Rep. Bono Mack Circulates Data Security Bill in Advance of Subcommittee Hearing

By David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the … Continue Reading

Commerce Department Requests Comments on Proposed Cybersecurity Codes of Conduct

The Commerce Department is calling for the creation of nationally recognized, voluntary codes of conduct to help strengthen cybersecurity protections for online businesses.  The Department issued its recommendations in a green paper on “Cybersecurity, Innovation and the Internet Economy,” which was released on June 8, 2011.  As noted in today’s Federal Register, the Department will … Continue Reading

Working Party 29 Issues New Opinion on Prevention of Money Laundering and Terrorist Financing

Earlier this week the European group of national data protection authorities, collectively the Working Party 29 (“WP 29”), released a new opinion on data protection issues relating to the prevention of money laundering and terrorist financing.  The new paper features a slew of new recommendations from the WP 29 that are designed to enhance privacy … Continue Reading

FTC Launches Online Advertising Review

By Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion. In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today — such as social media and … Continue Reading

Regulators Take Aim at Social Networking Privacy

Over the past few weeks, online publishers have seen regulators’ focus on privacy in the social media context reach the boiling point.  Just this week, Politico reported that FTC Chairman Jon Leibowitz confirmed in a letter to Sen. Mark Pryor that “FTC staff are carefully monitoring the privacy and security issues associated with social networking … Continue Reading

House Subcommittee Holds Data Security Hearing

Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month.  The hearing featured the testimony of top executives from Sony and Epsilon, companies that recently have been the victims of large-scale cyber attacks.  The hearing focused mainly on the specifics of the recent attacks, the … Continue Reading

House Energy & Commerce Committee Outlines Privacy Agenda

The House Energy and Commerce Committee has announced plans for a “comprehensive review” of privacy and data security regulation.  The announcement explained that the “first phase” of the Committee’s review would be devoted to an assessment of the need for data security legislation.  The committee will then consider what Chairman Fred Upton referred to as “the … Continue Reading

Illinois Bill Would Require Specific Contents for Breach Notification Letters

The Illinois legislature has passed a bill that would require data owners to include specific information in a letter notifying an Illinois resident of a data breach affecting that resident’s personal information.  The bill, which still must be signed by Governor Pat Quinn, would require notice letters to include “(i) the toll-free numbers and addresses … Continue Reading

California Senate Again Rejects “Social Networking Privacy Act”

For the second time in a week, the California Senate has voted down “The Social Networking Privacy Act” (S.B. 242), a bill that would have required social networking services to, among other things, restrict the sharing of information by default, establish a process for new users to configure privacy settings during registration, and remove all … Continue Reading

India’s New Privacy Rules: Potential Impact on Outsourcing Arrangements

By Shamma Iqbal and Helena Marttila

This April, the Indian government quietly passed the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). Among other things, the Rules require written consent for the processing of “sensitive personal information” in India and that organizations processing personal information in … Continue Reading

Swiss Privacy Law Halts Google’s StreetView — But Is Unlikely To Affect Photojournalism

The recent decision of the Swiss Federal Tribunal (EDÖB v Google, Trib. Admin. Fed.) against Google Street View has raised new and important questions for many industries, not least for other enterprises that use photography of individuals in countries subject to data protection laws based on the EU model. In the Google case, the Swiss … Continue Reading