Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all business, not just small businesses.

 

• Email This
• Print
• Comments
• Trackbacks

In Hernandez v. Hillsides, Inc., S147552 (Aug. 3, 2009) [pdf], the California Supreme Court unanimously held that the mere placement of a hidden video camera in an employee's office could constitute an invasion of privacy, even if the camera was never actually used to record the employee.  Under the specific facts of the case, however, the Court ultimately found no liability because the intrusion was relatively minor, limited and justified, but California employers should be aware that the use of hidden surveillance cameras without notice or warning in "semi-private" office space is likely to produce an actionable claim for invasion of privacy in many cases. 

• Email This
• Print
• Comments
• Trackbacks

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not have knowledge that the information regards a minor.

• Email This
• Print
• Comments
• Trackbacks

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. 

WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several years that it is relatively easy to break into a WEP-secured wireless network. For that reason, as discussed further below, industry standards as well as regulators require that WPA (instead of WEP) be used to secure wireless networks that are used to transmit sensitive information such as credit card numbers. Nonetheless, many companies are still using WEP.

• Email This
• Print
• Comments (1)
• Trackbacks

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

• Email This
• Print
• Comments
• Trackbacks

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

• Email This
• Print
• Comments
• Trackbacks

The popularity of crime dramas on primetime television schedules has made certain aspects of genetic testing commonplace and uncontroversial.  However, as science continues to advance at an exponential rate, and as technology and innovation have invaded the realm of individual privacy rights, individuals’ genetic make-up are likely the next frontier.

At least 32 states have genetic privacy laws on the books.  These states have taken steps to protect genetic information beyond the protections given to other types of health information.  This is referred to as “genetic exceptionalism,” which calls for special protections for genetic information due to its predictive, personal and familial nature and other unique characteristics.  Generally speaking, state genetic privacy laws restrict parties (such as insurers or employers) from taking a particular action without consent.  These laws cover a broad range of issues, including:

• Requiring personal access to genetic information;
• Requiring consent for performing tests, obtaining or accessing genetic information, retaining genetic information, and/or disclosing genetic information;
• Defining genetic information or DNA samples as personal property; and
• Providing for specific penalties for genetic privacy violations.

• Email This
• Print
• Comments
• Trackbacks

In January 2009, we reported on the postponement of a controversial federal regulation resulting from a legal challenge filed by Proskauer Rose on behalf of several trade organizations, including the U.S. Chamber of Commerce. The rule, the result of an executive order signed by then-President George W. Bush, requires most federal contractors and subcontractors to verify their employees’ work eligibility using the Department of Homeland Security’s E-Verify system. On July 8, 2009, President Barack Obama’s Administration announced its plan to go forward with the rule. Immediately after this announcement, the U.S. Senate approved legislation that would codify the rule into law.

• Email This
• Print
• Comments
• Trackbacks

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

• Email This
• Print
• Comments
• Trackbacks