2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.
I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to Privacy Piracy, audio streaming on www.kuci.org (or locally in Southern California on KUCI 88.9 FM in Irvine, CA). Mari Frank will interview me on hot topics in information law and compliance.
The Ninth Circuit's recent analysis in MDY v Blizzard Entertainment examined contributory/vicarious ("secondary infringement") copyright issues, the "essential step" defense, the important and often highly disputed contractual covenant versus copyright license issue, and last, but certainly not least, the DMCA's role. I recommend you read the full opinion to gain the complete picture, but for this post we'll be focusing on the copyright covenant vs. copyright license issues and touching on the DMCA's role.
ICANN decided Friday to postpone approval of procedures for organizations to propose new generic top-level domains (gTLDs). Companies anticipating the need to protect trademarks in a potentially large number of new gTLDs will have at least a few more months to understand and weigh in on the proposals, and to brace themselves for successive rounds of sunrise filings and domain name disputes as new gTLDs are introduced.
The Blog of Legal Times is reporting that late on December 7, 2010 the House of Representatives passed a bill on a voice vote that amends the definition of "creditor" in the Fair and Accurate Credit Reporting Act (FCRA) and, as a result, dramatically limits the scope of the Red Flags Rule. The House bill is identical to the legislation enacted by the Senate last week. We previously covered in detail on our blog both the House bill and the Senate bill.The legislation has the effect of largely limiting the applicability of the Red Flags Rule to financial institutions and entities commonly understood to be "creditors". It will generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time. The legislation leaves open the possibility that the FTC would bring various types of creditors within the scope of the Rule through rulemaking. However, it sets a procedural threshold for expanding the scope of the Rule and appears to require the determination to be specific to the type of creditor. "When I think of the word 'creditor,' dentists, accounting firms and law firms do not come to mind," said Rep. John Adler (D-N.J.), speaking on the House floor.
Last week, the U.S. Senate adopted by unanimous consent a bill (S. 3987) that would limit the scope of the Federal Trade Commission's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor." The Senate bill is identical to the bipartisan House proposal we covered in detail in our blog on November 22, 2010.Both bills have been referred to the House Committee on Financial Services. Given that the House and Senate are now on the same page with respect to the Red Flags Rule, there is a good chance that this proposal will become law before the FTC begins enforcing the Rule on December 31, 2010. The bills seek to largely limit the applicability of the Red Flags Rule to entities commonly understood to be "creditors". They would generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time.
Last week the Federal Trade Commission (FTC) released its anticipated preliminary 122-page staff report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (the "Report"), which we covered in brief immediately following its release. In this part 1 of our review, and in following parts, we dig into specifics of the Report's proposed framework, with a eye toward examining rationales for the various proposals as well as analysis on the potential effects going forward on practices and data policies.
As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first of its kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.
On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers". The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.
On November 30, 2010, the Federal Trade Commission announced a settlement with EchoMetrix, Inc. with respect to charges that the company failed to adequately disclose its privacy practices. EchoMetrix sells software that allows parents to monitor their children's online activities. The FTC alleged that the company engaged in a deceptive act or practice in violation of Section 5 of the FTC Act by failing to inform parents that the information the software collected about their children would be disclosed to third parties for marketing purposes.
The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FRCA's) definition of "creditor."
Many of you probably read earlier this month that California's Office of Administrative Law approved the California Department of Insurance's proposal to repeal certain privacy regulations. The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act, so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. Many of our followers have asked me to break down this newest California development, so here goes.
A recently released IC3 fraud advisory for businesses, entitled "Corporate Account Take Overs," addresses the growing problem of criminals targeting small- to medium-sized businesses (SMB's), local municipalities and school districts for bank account takeovers. The take overs culminate in costly and potentially ruinous "cyberthefts" where accounts are subject to a series of wire transfers or ACH payments that empty part or all of the account's funds to overseas banks.
During the final week of October and beginning of November, I attended two privacy events that were set far apart geographically and philosophically: the Data Protection Commissioners Conference in Jerusalem and the ad:tech conference in New York City. The Jerusalem event had a decidedly pro-privacy flavor, while at ad:tech businesses showcased myriad ways for monetizing personal information. Both conferences posed interesting questions about the future of privacy, but as a privacy lawyer I was more interested in learning and observing than engaging in the privacy debates. The events' apparently divergent privacy narratives made me ponder where a privacy lawyer may fit on the privacy continuum between these two great cities.
Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission's Identity Theft Red Flags Rule.The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule's definition of "creditor" to the extent they allow clients to pay for legal services after the services are preformed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.