Category Archives: Electronic Communication

Court action against FCC’s “net neutrality” rules could change rules of Internet service

The “open” nature of high-speed Internet service in the United States may be at risk based on a new appeals court ruling that struck down the Federal Communications Commission’s “net neutrality” regulations.

Since 2010, the FCC regulations, known as the “Open Internet Order,” have prohibited broadband service providers (ISPs) from blocking access to lawful content, as well as from blocking applications that compete with the provider’s service offerings. The Order also prohibits providers of fixed broadband service (i.e., non-mobile broadband) from unreasonably discriminating in transmitting lawful Internet traffic, such as by granting preferred status or speeds to websites that are affiliated with the provider or who pay a fee to the provider.

The Court’s decision in Verizon v. Federal Communications Commission struck down most of the Open Internet Order.  In particular, the Court said that the FCC went beyond its regulatory authority in imposing the anti-blocking and anti-discrimination rules on ISPs.

Notably, the Court did not say that the FCC could never impose such rules on ISPs. Instead, the Court took issue with the way that the FCC imposed the rules on ISPs. Specifically, the Court faulted the FCC for creating rules that could be considered common carrier obligations and then imposing them on ISPs that were not considered to be “common carriers” under the Communications Act.

The Court did uphold the Order’s requirement that ISPs disclose to consumers accurate information about their network management practices, performance and commercial terms of service.  So, although an ISP can now block or slow a particular website, it must disclose that practice to its subscribers.

The FCC is expected to appeal the decision. Alternatively, the FCC could attempt to re-write the rules within the guidelines of the decision. Either way, it will be interesting to see whether any broadband service providers change the way that they deliver services to consumers. Under the Court’s ruling, an ISP who is also a cable service provider could block or slow certain over-the-top services so long as they disclose that fact to subscribers. An ISP could charge a higher fee for access to certain sites, or perhaps a reduced fee to consumers who are willing to accept a more limited scope of the World Wide Web. Alternatively, some ISPs may use the Court’s ruling as an opportunity to attract new consumers by pledging to make all sites freely available without blocking or discrimination.

Either way, consumers are likely to see changes in their broadband service soon based on the new ruling.

New Data Breach 411 app helps companies navigate data breach laws

It’s a general counsel’s worst nightmare. Sensitive data. Gone. Stolen by faceless thieves who breached the company’s seemingly secure network.

As my partner Scott Vernick of Fox Rothschild recently stated:  “Data breaches can severely impact a company’s reputation and have debilitating consequences to businesses big and small.”

A new mobile phone app launched by the Fox Rothschild Privacy and Data Security Practice provides a guide to swift damage control in situations like this. The app—called Data Breach 411—can help companies who are affected by a breach navigate the various laws and regulations relating to data breaches. Currently, 46 states have laws in place addressing how organizations should prepare for and respond to the loss or theft of data.

According to Vernick:  “Our app is a ‘one stop shop’ for in-house counsel and privacy officers to instantly access the relevant state-specific details on what they need to do, who they need to notify, when and how. The ability to access these state rules at your fingertips can make all the difference in terms of what’s at stake for an organization: loss of reputational integrity, public trust and business, and time-consuming and costly remediation efforts.”

Information available via the Data Breach 411 app includes:

  • State Security Breach Statutes: An alphabetical listing of the states that have data breach laws in place and links to all the relevant notification statutes.
  • HIPAA/HITECH Statutes: Breach notification rules and other pertinent information related to the loss or theft of personal health information.
  • Resources: Links to credit agencies and credit monitoring services as well as the FTC website. Also, a section on COPPA – the Children’s Online Privacy Protection Act – and relevant information surrounding the mining of data on minors. This section also includes links to Fox’s Privacy Compliance & Data Security Blog and its HIPAA, HITECH and Health Information Technology Blog.

The Data Breach 411 app is currently available for free in the iTunes Store. An Android version will be available soon. To download the app, click here.

Does your website privacy policy describe how you handle “do not track” requests? If not, read this . . .

A new California state law is prompting businesses around the country to update their website privacy policies to more fully describe how the business handles certain customer data.

California’s Online Privacy Protection Act (CalOPPA) already required any commercial website or online service that collected personally-identifiable data from California residents to post a privacy policy. The new law amends CalOPPA to mandate that privacy policies explicitly describe how the website or service will respond to “do not track” requests from users.

My partner Mark McCreary prepared a detailed summary of the CalOPPA amendment and its additional disclosure requirements.  Mark’s summary is available via this link.

Federal Trade Commission issues new “.com Disclosures” guidance for online advertising

On March 13, 2013,  the FTC updated its “.com Disclosures” guidance document for online disclosures to address new issues resulting from the expanding use of smartphones and other mobile devices for advertising purposes.

Originally published in 2000, the FTC guide addresses how companies who are engaged in online advertising should provide the various disclosures that are required by the laws that the FTC enforces. These disclosures include those required to prevent a claim that a particular advertisement is misleading or deceptive. Examples include:

FTC proposes update to children’s online privacy rules

The Federal Trade Commission (FTC) has proposed an updated set of online privacy rules to address the use of new technologies, including mobile technologies, by children under the age of 13. The original rules, issued in 2000 to implement requirements of the Children’s Online Privacy Protection Act (COPPA), require operators of commercial websites and online services directed to children under age 13 to:

  • post a privacy policy describing how the site handles children’s personal information;
  • provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information;
  • give parents the option to allow the operator to collect and use a child’s information, but not disclose it to third parties;
  • give parents access to their child’s personal information for review and/or deletion;
  • give parents the opportunity to prevent further use of the information; and
  • maintain the confidentiality, security, and integrity of information collected from children.

Changes proposed in the new rule include:

  • an expanded definition of “personal information” that includes substantially all information that can be used for online profiling or directed behavioral advertising – including geo-location information, instant messaging user IDs, voice over IP (VOIP) identifiers, video chat user IDs, and tracking cookies;
  • a requirement that key information be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy;
  • new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s identification is deleted promptly after verification is done;
  • a requirement that website operators ensure that service providers or others to whom they disclose a child’s personal information implement reasonable procedures to protect it, retain the information for only as long as is reasonably necessary, and properly delete the information; and
  • a requirement that self-regulatory “safe harbor programs” audit their members at least annually and report the results of those audits to the FTC.

The FTC will accept comments on the proposed rules through November 28, 2011.

Social Media Use in Doctor / Patient Communications

My colleague Rebekah Monson recently co-authored an article discussing the growth of social media as a tool for doctor/patient communications. Although this use of social media requires careful consideration so that private information is not Tweeted, Facebooked, or otherwise made available for public view, Rebekah points out that:

Social media is a powerful tool that can be used effectively and efficiently for peer, patient, and family communication, as well as a vehicle for learning, as part of patient education, graduate medical education (GME), and continuing medical education (CME). . . .The Internet is replete with lay opinions and medical misinformation. Surgeons who use social media have a unique opportunity and non-legal responsibility to critically review and correct this misinformation.

The full text of Rebekah’s article can be found here.

HIPAA privacy violations result in penalties exceeding $4.3 million

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA privacy rule.  The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General. 

My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods.  As Rebekah notes in the article:

While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.

The full text of the article is available here.

Advanced IP Forum for Advertising Counsel scheduled for April 2011

The American Conference Institute is hosting a new seminar that is tailored to help companies learn how to avoid advertising-related pitfalls that can weaken a company’s brand and expose the company to intellectual property litigation. The new seminar, titled Advanced IP Forum for Advertising Counsel, will feature speakers from leading media and brand-driven companies, along with counsel who represent them. Topics of the seminar will include:

  • strategies for resolving conflicts and avoiding patent litigation when advertising using new technologies;
  • sidestepping copyright landmines:  what the DMCA, YouTube and Hulu mean to brand media strategies;
  • licensing negotiation strategies for new media; and
  • best practices for combatting widespread IP infringement on the Internet.

The seminar will be held in New York City on April 27-28, 2011, with optional workshops on April 29.  (Full disclosure:  I am one of the speakers at the seminar.  I will discuss strategies for avoiding patent infringement claims when using new advertising technologies.) 

For more details, visit the ACI website.  Early bird registration pricing is available through February 28.

California rules that retailers may not record ZIP codes for credit card transactions; new lawsuits follow

The California Supreme Court recently ruled that ZIP codes are “personal identification information” under the state’s credit card consumer protection statute.  Accordingly, the Court ruled retailers may not collect and record ZIP codes from consumers as a condition to completing a credit card transaction. 

Just a few days later, several law firms in San Francisco and Los Angeles filed class action lawsuits against major retailers, seeking damages for alleged violations of the California law.

First enacted in 1971, the Song-Beverly Credit Card Act prohibits California retailers from

Due Diligence 101: can customers’ personally identifiable information be transferred?

When performing due diligence in connection with a merger or acquisition, one item that should not be overlooked is the target company’s privacy policies. If the business of the target relies on account holders, subscribers, or others who provide the business with personally identifiable information, a purchaser who ignores the target’s privacy policies may find itself purchasing a business with no ability to access the existing customer base.

This issue was recently highlighted when the Federal Trade Commission sent a warning letter to the potential purchaser of XY Magazine in a bankruptcy proceeding. XY Magazine was a gay male youth-oriented magazine and website that, according to the FTC letter, collected “a substantial amount of personal information from its members and subscribers, including names and street addresses.” The magazine and website touted an “Amazing Privacy Policy” and assured subscribers and members that “we never share your information with anybody.” The FTC’s warning letter stated that transfer of customer data in a bankruptcy proceeding would contradict the privacy statements and constitute unfair or deceptive trade practices, resulting in a possible violation of Section 5 of the FTC Act.

The purchaser ultimately acquired the assets, but only after entering into a consent order in which the parties agreed to destroy all personally identifiable information before the asset transfer.

The FTC warning should serve as a reminder that purchasers should carefully review privacy policies as part of their intellectual property due diligence.  In addition, companies with a goal of being acquired should review their privacy policies to ensure that the policies will allow a successor to continue the business with the existing customer base.