As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first of its kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.
On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers". The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.
On November 30, 2010, the Federal Trade Commission announced a settlement with EchoMetrix, Inc. with respect to charges that the company failed to adequately disclose its privacy practices. EchoMetrix sells software that allows parents to monitor their children's online activities. The FTC alleged that the company engaged in a deceptive act or practice in violation of Section 5 of the FTC Act by failing to inform parents that the information the software collected about their children would be disclosed to third parties for marketing purposes.
The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FRCA's) definition of "creditor."
Many of you probably read earlier this month that California's Office of Administrative Law approved the California Department of Insurance's proposal to repeal certain privacy regulations. The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act, so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. Many of our followers have asked me to break down this newest California development, so here goes.
A recently released IC3 fraud advisory for businesses, entitled "Corporate Account Take Overs," addresses the growing problem of criminals targeting small- to medium-sized businesses (SMB's), local municipalities and school districts for bank account takeovers. The take overs culminate in costly and potentially ruinous "cyberthefts" where accounts are subject to a series of wire transfers or ACH payments that empty part or all of the account's funds to overseas banks.
During the final week of October and beginning of November, I attended two privacy events that were set far apart geographically and philosophically: the Data Protection Commissioners Conference in Jerusalem and the ad:tech conference in New York City. The Jerusalem event had a decidedly pro-privacy flavor, while at ad:tech businesses showcased myriad ways for monetizing personal information. Both conferences posed interesting questions about the future of privacy, but as a privacy lawyer I was more interested in learning and observing than engaging in the privacy debates. The events' apparently divergent privacy narratives made me ponder where a privacy lawyer may fit on the privacy continuum between these two great cities.
Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission's Identity Theft Red Flags Rule.The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule's definition of "creditor" to the extent they allow clients to pay for legal services after the services are preformed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative battles about the future of privacy.
Today, the Federal Trade Commission announced the launch of a business center portal to help businesses understand and comply with privacy and information security requirements that the FTC enforces. The new portal provides centralized access to the FTC's privacy and information security regulations, enforcement actions and guides. The main portal also offers information about compliance with advertising, credit, telemarketing and myriad other requirements. A series of short videos explain what businesses need to know to comply, and the business center blog offers latest compliance tips and information.
A panel of the Ninth Circuit last week released an opinion in DSPT Int'l, Inc. v. Nahum, 2010 WL 4227883, (CV-06-00308-ODW)(Oct. 27, 2010), that's worth a brief review for its various holdings in a "cybersquatting" trademark and domain name dispute. What's interesting about this case? For starters the different result the Court reached under the Anticybersquatting Consumer Protection Act (the "ACPA") versus what would have occurred had a Uniform Domain-Name Dispute Resolution (UDRP) procedure been followed.
Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission's position that an individual's ability to control his or her information, have access to the information, and modify or delete the information are "essential rights that have to be guaranteed in today's digital world." The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.
A draft release of a 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing was distributed by the White House CIO Council yesterday, curiously numbered a 0.96 release.
Last week, we joined privacy regulators, practitioners and industry representatives from around the world in Jerusalem for the 32nd International Conference of Data Protection and Privacy Commissioners. On numerous panels, conference participants engaged in lively discussions about privacy compliance and enforcement as well as the future of privacy in light of evolving consumer expectations and advances in technology that tracks and identifies individuals.
One issue still bobbing below the social networking surface is disclosure of trade secrets, such as a client/customer list, through use of social networking. With seemingly everyone, including us here at the Info Law Group, connecting to business associates and potential and actual clients, the question is not academic.
Scott Blackmer provides a "discovery" checklist for global enterprises handling personal data from multiple jurisdictions, as well as advice on a global approach to privacy compliance and risk management.
As of late there has been a great deal of news and discussion concerning "web scraping." Web scraping is the practice of using computer software to extract information from a website. In short, a wealth of information exists on the Internet and companies of all stripes are interested in collecting it from websites, compiling and combining it, and using it to further their business.Scraping raises a multitude of legal issues, including issues related to privacy and security intellectual property, and laws concerning unauthorized access to computers and trespass to chattels (in fact, the overlapping issues raised by scraping represent a very good example of what we call "information law"). Many companies attempt to stop scraping of their websites from occurring in the first instance. This can be achieved by implementing technologies such as CAPTCHA (which are becoming ubiquitous) that are intended to ensure that a human is entering the website rather than a computer software program or bot. If technologies like CAPTCHA are evaded by scrapers, some websites might pursue an action under the anti-circumvention provisions of the Digital Millennium Copyright Act (the "DMCA"). The DMCA provides for potential statutory penalties and even criminal sanctions for violations of its anti-circumvention provisions. This post explores how the DMCA might be used in this context and looks at some cases addressing whether circumvention of CAPTCHA (and similar protocols) might result in violation of, and liability under, the DMCA.