California Supreme Court Says Zip Codes Are PII. Really. (As California Goes, So Goes the Nation? Part Two)
Thinking hard about how business and consumer interests can be harmonized by effective and privacy/security-friendly policies and practices? We thought so. Worried that zip codes might be treated as personal information in this country? Probably not. All that may be changing. In a ruling already attracting criticism and attention from some high profile privacy bloggers, the California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08, reversing the Court of Appeal's decision that we discussed last year. For those of you who may be wondering, yes - the statute provides for penalties of up to $250 for the first violation and $1,000 for each subsequent violation, and does not require any allegations of harm to the consumer. California has already seen dozens, if not hundreds, of class action lawsuits around the Song-Beverly Credit Card Act. The Court's interpretation of "personal identification information" as including zip codes is likely to spark a new round of class action suits. California retailers should carefully consider the Pineda decision in crafting and updating their personnel policies and training programs with respect to collection of information during credit card transactions.
Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XIII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter into a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, "Health Net") consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the "Judgment"). The Judgment stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
Mastercard Changes to Its PCI Compliance Rules
Under Mastercard's new merchant level definitions, companies that were previously Level 4 merchants (and did not have to do a PCI assessment unless their acquiring bank requested one) appear to have been reclassified as Level 3 merchants (which do need to conduct at least a self-assessment). More details here.
Mastercard has also announced a fine regime for PCI non-compliance; details here from Branden Williams of Verisign.
Nevada's Security of Personal Information Law Post Five: Remedies, Penalties and Enforcement
The following FAQs address the remedies, penalties and enforcement provisions of Nevada's Security of Personal Information Law. The rest of the FAQ is linked here.
Maine Privacy Law Applies Stringent Limits to Collection of Personal Information of Minors
A new Maine law gets serious about data collection and marketing to minors. The key portion of the law:
§ 9552. Unlawful collection and use of data from minors
1. Unlawful collection. It is unlawful for a person to knowingly collect or receive health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor's parent or legal guardian.
2. Unlawful use. A person may not sell, offer for sale or otherwise transfer to another person health-related information or personal information about a minor if that information:
A. Was unlawfully collected pursuant to subsection 1;
B. Individually identifies the minor; or
C. Will be used in violation of section 9553.
§ 9553. Predatory marketing against minors prohibited
A person may not use any health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product. Use of information in violation of this section constitutes predatory marketing.
The law provides for a private right of action with possible recoveries up to $750 per violation in damages, as well as civil penalties:
3. Civil violation; penalty. Notwithstanding the penalty provisions of Title 5, section 209, each violation of this chapter constitutes a civil violation for which a fine may be assessed of:
A. No less than $10,000 and no more than $20,000 for a first violation; and
B. No less than $20,000 for a 2nd or subsequent violation.
The law takes effect on September 12, 2009.