MODEL PRIVACY FORMS RELEASED
In November, eight federal regulatory agencies announced the release of a standard model privacy notice form and a no opt out model privacy notice form. The model privacy forms are designed to help consumers understand how their information is collected and shared by financial institutions. The model privacy forms comply with the requirements for a financial institution to notify consumers of the institution's information sharing practices and provide consumers with an opportunity to opt out of certain practices pursuant to the Gramm-Leach-Bliley (GLB) Act.
FTC SCHEDULES A SERIES OF PRIVACY ROUNDTABLES
In September, the FTC announced a series of privacy roundtable events planned for 2010. The purpose of the roundtables is to explore the privacy challenges created by “social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses.” The FTC posted an agenda for the first event scheduled for December 7, 2009 and has made the event available to the public via webcast, which should be available here on the day of the event.
The Center for Democracy and Technology has urged the FTC to use these roundtable discussions to create a full set of fair information practice principles for a stronger privacy protection framework that is not built on the current structure of notice and choice.
TRENDING TOWARDS STRICTER PROTECTION LAWS
In February, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) (1) expanded HIPAA privacy obligations to include certain businesses that provide services to health care providers, (2) created breach notification obligations for businesses subject to HIPAA, and (3) directed the Department of Health and Human Services to, essentially, adopt encryption standards for protected health information.
A survey of state breach notification laws, last updated in July 2009, reported that forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition to the breach notification laws, Nevada and Massachusetts both have privacy laws taking effect in 2010 that, to differing degrees, require businesses to encrypt personally identifying information.
In October 2009, the California legislature, which enacted the first breach notification law in the United States in 2003, attempted to enact Senate Bill 20 enhancing the existing breach notification law to impose additional burdens on businesses. The bill was vetoed by Governor Schwarzenegger.
In November, the U.S. Senate Judiciary Committee approved two bills that would enhance privacy protection requirements for businesses: S 139, a federal breach notification law; and S 1490, a federal law requiring businesses to develop privacy protection plans.
While Schwarzenegger blocked the California bill and these two federal bills may not make it out of the Senate, these developments suggest that every company should have a plan in place for keeping data both private and secure and for responding effectively to breach notification requirements.
If you have any comments or questions regarding this publication or would like additional information please contact one of the following attorneys: