Tag Archives: privacy enforcement

The Long Reach of the GDPR

This is a wake-up call for those who think the new EU General Data Protection Regulation (GDPR), which will be enforced starting in May 2018, is not a serious compliance issue outside Europe. Here’s why you should care: Your European partners, affiliates, or customers will have to ensure that … Continue Reading

New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline

Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”).  The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rule’s … Continue Reading

Data Breach at New York Utility Prompts Enforcement Action and Industry-Wide Data Security Review

By Boris Segalis and Nihar Shah

In January 2012, two consolidated New York state utilities, New York State Electric & Gas and Rochester Gas and Electric (collectively, “NYSEG”) experienced a data security incident that affected approximately 1.8 million utility customers. According to the notification letter that NYSEG sent to customers, unauthorized access to NYSEG systems containing … Continue Reading

NLRB Issues Report on Employer Social Media Policies

The National Labor Relations Board (“NLRB”) recently issued another report analyzing provisions of six different employer social media policies.  As we have previously discussed, these periodic NLRB reports provide guidance for how to draft and apply policy provisions that attempt to restrict or guide employees’ use of social media.  Specifically, in the latest report, among … Continue Reading

The FTC MySpace Settlement: A Reminder to Say What You Do & Do What You Say

Once again, the Federal Trade Commission (“FTC”) has settled with a social networking platform regarding deceptive and misleading privacy practices. Following settlements with Twitter, Inc. in June 2010, Google, Inc. in March 2011, and Facebook, Inc. in November 2011, on Tuesday, the FTC reached a similar agreement with MySpace LLC (“MySpace”) over its failure to … Continue Reading

FTC Looks to Link Do-Not-Track, Big Data Privacy Concerns; Seeks Solutions

Nowadays, a news story on privacy is out of place if it doesn't mention Do-Not-Track (known as "DNT") or Big Data. While these hot topics represent key concerns for privacy professionals, advocates and regulators, there is no clear agreement on what they mean or how to address the privacy issues they raise. In this post, we consider recent developments on these topics, including how the Federal Trade Commission has sought to focus on and connect these new issues.

DNT or DNC

DNT is in the midst of a multi-faceted identity crisis, starting with a disagreement over the definition of DNT. Self-regulatory organizations and the advertising industry assert that DNT stands for "Do Not Target," referring to the use of consumer data for the purposes of targeted advertising. The FTC, buoyed by privacy advocates, appears to take the view that DNT means not only "Do Not Target" but also "Do Not Collect" (DNC). FTC Commissioner Brill elaborated at the 2012 IAPP Summit that she doesn't view the current DNT efforts as entirely sufficient because the choice DNT offers does not give consumers appropriate protection against what Brill characterized as "limitless, unmitigated" data collection. But Brill does not argue for wholesale implementation of DNC, and has indicated that the details of the implementation of DNT/DNC will continue to remain a key focus for the FTC. … Continue Reading

EPIC Alleges Epic FTC Fail In Google Saga; We Review the Complaint

On February 8, 2012, the Electronic Privacy Information Center (EPIC) asked the Federal District Court for the District of Columbia to compel the Federal Trade Commission (FTC) to enforce the terms of the agency's Google Buzz privacy settlement with Google. EPIC seeks to compel the FTC to stop Google's planned consolidation of user data from across the company's services into a single profile for each user under a single privacy policy. EPIC has alleged that the proposed changes and the way Google seeks to implement the changes violate the Google Buzz consent order. The District Court will hear the case before March 1, 2012. In this post, we discuss the highlights of EPIC's complaint, Google's response and lessons learned. … Continue Reading

NLRB Issues Second Report Reviewing Social Media Enforcement Actions

On January 25, 2012 the National Labor Relations Board (“NLRB”) Office of the General Counsel released a report summarizing fourteen cases that were before the NLRB concerning the “protected and/or concerted nature of employees’ social media postings and the lawfulness of employers’ social media policies and rules” (“Report”). The Report followed up on an earlier report … Continue Reading

FTC Takes on Super Cookies

On November 8, 2011, the Federal Trade Commission announced that an online advertiser, ScanScout, agreed to settle FTC charges that it deceptively used “Flash” cookies (also known as super cookies) to track consumers online. As explained by Wired, unlike traditional browser cookies, Flash cookies are not controlled by privacy controls in a Web browser. That … Continue Reading

Nonprofit Must Rehire Employees Axed for Facebook Complaints

In the first decision of its kind, a National Labor Relations Board (“NLRB” or the “Board”) Administrative Law Judge recently ruled on September 2, 2011 that a nonprofit organization unlawfully discharged employees for complaining about their jobs on Facebook. As we have previously discussed on our blog, the NLRB has been very aggressive in enforcing employees’ … Continue Reading

Russia Data Protection Enforcement Update – Administrative Charges Follow Breach

It is being reported that Moscow prosecutors conducted an investigation into whether several websites that were involved in data breaches earlier this year violated the country's data protection law. As a result of the breaches, names, contact information and order histories of Internet magazine subscribers (including adult-themed publications) became available on Internet search engines, including Russian-language Yandex. Without naming the websites, the report states that the prosecutors have filed administrative charges against two Internet magazines as a result of the investigation. … Continue Reading

NLRB Report Reviews Social Media Enforcement Actions

On August 18, 2011, the Associate General Counsel of the National Labor Relations Board ("NLRB" or the "Board") issued a report analyzing the Board's recent social media enforcement actions. The report seeks to provide guidance to employers that want to ensure that their social media policies appropriately balance employee rights and company interests. … Continue Reading

Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise

Last week, the upper house of Russia's federal legislature approved amendments to the country's federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amended law will come into force when it is published in the official newsletter. … Continue Reading

NLRB Social Media Enforcement Article in LawyersUSA Quotes Partner Boris Segalis

The LawyersUSA article discusses the recent enforcement actions the National Labor Relations Board has taken to assert and protect employees’ right to discuss working conditions, including through social media. The article also suggests steps employers may take to navigate the evolving legal landscape. Please visit the InfoLawGroup blog for more on NLRB privacy enforcement. … Continue Reading

FCRA Violations Result in $1.8 Million FTC Penalty

The Federal Trade Commission announced today that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in violation of the Fair Credit Reporting Act (FCRA). According to the FTC's complaint, Teletrack sells credit reports and other services to businesses that mainly serve financially distressed consumers. Teletrack's business customers include pay day lenders, rental purchase stores and non-prime rate auto lenders. These businesses use Teletrack's credit reports to decide whether and on what terms to extend credit to their customers. … Continue Reading

Mobile Location Privacy Opinion Adopted by Europe’s WP29

On May 16, 2011, EU's Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services. WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs. Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion. … Continue Reading

FTC Enforcement Update: “Virtual Worlds” Operators Settle Children’s Privacy Violation Charges; Pay $3M Fine

On May 12, 2011, the Federal Trade Commission announced that the operators of 20 online virtual worlds have agreed to pay $3 million to settle charges that they violated the Children's Online Privacy Protection (COPPA) Rule by collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents' prior consent. The FTC noted that this settlement is the largest civil penalty for a violation of the FTC's COPPA Rule. … Continue Reading

FTC Privacy Enforcement Update: Two Companies Allegedly Failed to Protect Sensitive Employee Data

On May 3, 2011, the Federal Trade Commission announced that Ceridian Corporation and Lookout Services, Inc. agreed to settle the FTC's allegations that the companies failed to safeguard their business customers' employee personal information. Ceridian's services include payroll processing, payroll-related tax filing, benefits administration and other human resource services for business customers. Lookout provides a web-based computer product that is designed to help employers comply with their obligations under federal law to complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee in order to verify that the employee is eligible to work in the United States. … Continue Reading

Federal Privacy Enforcement Update: SEC Fines Executives for Privacy and Security Violations

As we have reported previously on our blog, federal agencies, including the FTC, NLRB and EEOC have been very active in taking action against privacy and information security violations. This trend continues with the Securities and Exchange Commission's (SEC's) recent announcement of a settlement with three former executives of a brokerage firm (GunnAllen Financial, Inc.). The SEC alleged that the former executives violated the Commission's Privacy Rule and Safeguards Rule (Regulation S-P) and aided and abetted the firm in violating these rules. This enforcement action marks the first time the SEC assessed financial penalties against individuals charged solely with violating Regulation S-P. … Continue Reading

FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement

The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission's numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents (i) the first FTC settlement order that requires a company to implement a comprehensive privacy program to protect the privacy of consumers' information, and (ii) the Commission's first substantive U.S.-EU Safe Harbor framework enforcement action. Let's dive in (make sure to read the "Action Item" at the conclusion of the post!). … Continue Reading

Kerry Releases Draft of “Privacy Bill of Rights”

A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by … Continue Reading

Senate Committee Holds Hearing on the State of Online Consumer Privacy

On March 16, 2011, the U.S. Senate Committee on Commerce, Science, and Transportation held a full committee hearing on the state of online consumer privacy. The hearing was the first in a series of hearings the Committee will hold on consumer privacy in the 112th Congress. The hearing focused on online commercial practices that involve … Continue Reading