Late last week Senator Richard Blumenthal (D-CT) introduced the Personal Data Protection and Breach Accountability Act of 2011, S.1535, that if ultimately passed would levy significant penalties for identify theft and other "violations of data privacy and security," criminalize as felonies the installation of software that collects "sensitive" PII without clear and conspicuous notice and consent, and specifies requirements that companies collecting or storing the online data of more than 10,000 individuals adhere to data storage guidelines, including auditing the information security practices of contractors and third party business entities. Penalties include up to $10,000 per violation per day up to a maximum of $20,000,000 per violation per individual.
The Federal Trade Commission announced today that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in violation of the Fair Credit Reporting Act (FCRA). According to the FTC's complaint, Teletrack sells credit reports and other services to businesses that mainly serve financially distressed consumers. Teletrack's business customers include pay day lenders, rental purchase stores and non-prime rate auto lenders. These businesses use Teletrack's credit reports to decide whether and on what terms to extend credit to their customers.
The UK Information Commissioner's Office announces new rules for website cookies, which will normally require explicit user consent.
As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first of its kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the "Law") was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein's S. 139, the Data Breach Notification Act. Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle. Senator Leahy's office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.