Posted by Jim Singer on June 19, 2008
On June 10, the state of Connecticut enacted a new law requiring safeguards on the paper and electronic storage of personal information. The new law, which takes effect October 1, 2008, may regulate any entity that stores credit card numbers, other account numbers, social security numbers, and other personally identifiable information.
According to a Privacy and Security Alert published by Peter Adler of Pepper Hamilton LLP:
To comply with the safeguard provisions of the Connecticut law, businesses will be required to classify the data they handle, identifying which of the data is personal information and map the flow of the personal information as it is received, processed, stored, transmitted and discarded. . . . Personal information must be rendered unreadable before disposal. Simply erasing hard drives and other electronic media will not be sufficient, as erasure does not guarantee that electronic information is no longer recoverable.
For more details about the law and the full alert, click here.
Posted in Business Law, Electronic Communication | No Comments »
Posted by Jim Singer on June 16, 2008
The Federal Trade Commission (FTC) recently issued new rules under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (better known as the CAN-SPAM Act). The new rules clarify, among other things, that the Act covers emails sent by non-profit organizations. The rules also impose specific requirements on identification of the sender.
Rob Auritt and Sharon Klein of Pepper Hamilton LLP recently wrote a Privacy and Security Alert that describes the new rules in detail. For example, according to the Alert:
The new rule makes clear that forcing a recipient to visit multiple web pages or providing any information other than an e-mail address and/or a recipient's opt-out preferences is a violation of the Act.
To read the full Alert, click here.
Posted by Jim Singer on May 30, 2008
My colleague Peter Adler is hosting an online webinar on compliance with information security requirements such as HIPAA, GLBA, FISMA, the FTCA, state privacy and breach notification laws, and private contractual standards such as the Payment Card Industry Data Security Standard (PCI DSS). The discussion will include a unified approach to security compliance that leads to simultaneous compliance with multiple laws and regulations.
The webinar is scheduled for June 4 at 8:00 am EDT. For details on how to register, click here.
Posted by Jim Singer on April 7, 2008
Privacy and security are meant to work in tandem - so why have they grown apart? My colleague Peter Adler examines this question in the April 2008 issue of the Journal of the American Health Information Management Association. As Peter states in the article:
Privacy and security regulations were intended to work together to effectively protect health information. In most covered entities, that hasn’t happened due to a number of historical and organizational reasons. But organizations that can integrate their security and privacy compliance efforts make the most of their resources and boost the effectiveness of their programs. In some instances, this may mean a reorganization of security and privacy roles and reporting structures. In others, it may start with the revitalization of a flagging HIPAA committee.
For the full article, with tips for coordinating privacy and security efforts, click here.
Posted by Jim Singer on March 31, 2008
A recent data security breach at the related Hannaford and Sweetbay grocery chains raised questions about what is required to comply with the PCI standards. To some readers, the questions included: What are the PCI data security standards, and do they have the effect of law?
Posted by Jim Singer on March 26, 2008
In October 2007, the Federal Communications Commission issued an order banning the use of exclusivity clauses in multichannel video service contracts between video service providers (e.g., cable companies) and multiple dwelling units (e.g., apartments and other multi-family dwellings). The order stated that “exclusivity clauses that bar competitive entry harm competition and broadband deployment.”
On March 19, 2008, the FCC issued an order that extended the ban to include exclusivity clauses for telecommunication service provider contracts. Thus, in residential, multiple tenant environments, telecommunication service contracts now also must be non-exclusive. (Commercial MTEs are still subject to a prior, similar ban issued in 2000.)
To the extent that existing contracts require exclusivity, the FCC order states that the exclusivity clause may not be enforced.
The rule also clarifies that hotels are not “tenant” environments and thus are not subject to the ban.
Posted by Jim Singer on January 9, 2008
Today’s note relates to HR issues: specifically, e-mail usage policies. Companies with unionized employees should review a December 2007 National Labor Relations Board (NLRB) decision which ruled that an employer’s e-mail system is private, and that employees have no statutory right to use the e-mail system for union business — even if other, non-business e-mail is permitted.
My colleague Mike Canavan has prepared a detailed review of the NLRB decision in The Guard Publishing Company d/b/a The Register-Guard and Eugene Newspaper Guild. To review Mike’s analysis of the decision, click here.
Posted by Jim Singer on January 1, 2008
It’s a new year, and it’s time for a new set of business goals and milestones for 2008. One of those goals should include a review of your company’s employee policy manuals to determine whether they advise employees of the consequences of engaging in extracurricular activities that can harm your company. Personal, out-of-office Internet usage should rank high on the list of potentially harmful activities. In the pre-Web 2.0 past, employees who were frustrated after a bad day at the office might have griped about it to a friend, but the discussion was limited and relatively harmless. Today, employees are putting more and more personal information on the web. MySpace, YouTube, Friendster, blogs, and chat room postings all allow individuals to invite public comment on any topic they choose — including work. These actions can leave permanent “digital footprints” about your employees’ activities.
In fact, “Digital Footprints” is the subject of a study profiled in the Sunday, December 30 issue of The New York Times. In the study, the Pew Internet and American Life Project looked back at 2000, when 82% of respondents were concerned about their personal information being located on the Internet. In contrast, in 2007, 60% of respondents expressed no concern about having left personal information online.
In the United States, most employees are employed “at will”, so in most cases an employee who posts company secrets or negative information online can be terminated regardless of the company’s policy. However, publishing an internet usage policy can inform employees of the risks associated with this issue and deter them from taking action in the first place. In addition, a policy that covers out-of-office activities can provide a basis for termination where a basis is needed.
So check your policies - and have a happy new year!
Posted by Jim Singer on August 19, 2007
The recent news about the availability of “Wikiscanner,” a website that allows users to see who edits various Wikipedia entries, serves as a reminder that Internet monitoring to protect a company’s business can include a wide array of activities. Many companies have marketing staff to monitor and edit Wikipedia entries for descriptions of a company’s products - as well as entries for the company itself.
The news also serves as a reminder that Internet monitoring should be a part of the IP protection strategy for any company that derives value from its brands, copyrightable works or technology. Online policing is a multi-faceted activity. Depending on the nature of the IP to be protected, monitoring activities can be directed to:
- chat rooms, message boards and blogs for discussions relevant to a company’s technology or brands;
- auction and resale sites for counterfeit goods and trademark infringement;
- audio, video, text and file sharing sites;
- phishing and other activities where an emailer or website poses as another company.
Several service providers offer software that automates at least some of the monitoring activities, although it’s always best to include humans in the review, especially those who are familiar with the company’s IP so that they can recognize potentially problematic activity. In addition, companies should be careful about how and when to initiate enforcement activities against online piracy, as in many cases a “cease and desist” letter can trigger adverse publicity or even a lawsuit. Because of this, online monitoring should be a coordinated effort between a company’s legal counsel and marketing team.
Posted in Electronic Communication, Trademarks and Brands