Editor's Note: Our initial report on the much-anticipated demise of this Maine law was a bit premature. The bill is expected to pass but is a few weeks from its final demise. Our deepest apologies for this error. We are redoubling our efforts to strive for excellence. Corrected posting is below.
A controversial Maine law passed last year that banned the use of personal information about minors for marketing purposes is close to being repealed. The new Maine law that would take its place is much more narrowly tailored to prohibit use of information collected online from minors for the purpose of marketing pharmaceuticals.
|
If you are a retailer with brick-and-mortar stores in California and accept credit cards for payment, take note. You may want to take a few simple steps to avoid liability for an increasing number of claims under an old law that has received a lot of recent attention. Plaintiffs have filed several recent class action lawsuits in California against major retailers for alleged violations of California's Song-Beverly Credit Card Act (the "Act"). The Act places certain restrictions on merchants that accept credit cards. In general, the law prohibits or limits a merchant's ability to request and record personal identification information concerning the cardholder. Examples of personal identification information include the cardholder's address and telephone number.
|
Today, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") filed its final amendments to the state's data security regulations, which impose specific requirements on entities for safeguarding the personal information of Massachusetts residents. The OCABR will make its amendments public next Monday, but has already stated that it didn't make any major changes and only clarified language regarding contracts between persons who own or license personal information and third-party service providers. The updated regulations are scheduled to take effect on March 1, 2010.
|
September 8, 2009 | Posted by Contributor
Attorney General Janet Mills of Maine announced that she will not prosecute companies that violate a recently enacted, controversial law that bans the use of personal information about minors for marketing purposes. The bill is expected to be reviewed for amendment during Maine's next legislative session convening in January.
|
On July 1, 2009, new data breach notification laws will go into effect in Alaska and South Carolina. Generally, they require notification of data breaches that result in unauthorized disclosure of personal information (PI) about residents of their respective states. Notably, South Carolina joins a short list of other states (including California, North Carolina, Illinois, Maryland, Delaware, Ohio, and Louisiana) that provide a private right of action to individuals who are not notified as required by the statute. This post summarizes each. For more information about these statutes and a complete summary of all state data breach notification laws, see the Perkins Coie "Security Breach Notification Chart."
|
Nevada has amended its data security law to require businesses that transfer personal information on hardware or mobile storage devices outside the "logical and physical controls of the data collector or its data storage contractor" to encrypt the information. Previously, Nevada's law only required encryption for non-fax electronic transmissions of personal information. The amended law also includes a technical standard for encryption, requires businesses that accept credit or debit cards to meet the payment card industry data security standards (PCI DSS), and contains an immunity provision. The law, S.B. 227, will go into effect on January 1, 2010.
|
On May 22, 2009, President Obama signed into law the Credit Card Act of 2009 (formerly, the Credit Cardholders' Bill of Rights Act), which establishes new federal requirements on fees, expiration dates, and conspicuous disclosure of key terms for gift cards, gift certificates and open-loop prepaid cards.
|
In Party City Corp. v. Superior Court of San Diego County, the California Court of Appeals held that zip codes are not "personally identifying information" under California's Song-Beverly Credit Card Act.
|
October 20, 2008 | Posted by Contributor
A Connecticut law effective October 1, 2008, requires businesses, including employers, to describe protections for Social Security numbers in a privacy policy. The law also creates duties to safeguard broader categories of personal information. Personal information must be protected from misuse by third parties and destroyed, erased or made unreadable before disposal. Similar general data protection and disposal requirements already exist in several states, including California and Texas.
|
September 30, 2008 | Posted by Contributor
More states are regulating required data security standards. A Nevada law requiring businesses to encrypt electronic transmissions containing personal information goes into effect October 1, 2008. The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also issued new regulations, the Standards for The Protection of Personal Information of Residents of the Commonwealth, that require the implementation of a comprehensive information security program, including encryption of personal information. The OCABR has extended to May 1, 2009, its deadline for businesses and others to comply with its new data security regulations. Obligations to encrypt portable devices, other than laptops, and to obtain written certifications from third-party service providers are extended to January 1, 2010.
|
February 11, 2008 | Posted by Contributor
The House of Representatives is considering a new law designed to protect employees from being monitored while they are changing clothes. If passed, the Employee Changing Room Privacy Act, introduced last week by Rep. Robert E. Andrews (D-N.J.) and Rep. Tom Petri (R-Wis.), would prohibit an employer from engaging in "video monitoring or audio monitoring of an employee … when the employee is in a restroom facility, dressing room, or any other area in which it is reasonable to expect employees of the employer to change clothing."
|
Apparently thinking that a strong offense was the best defense to copyright infringement claims for making copyrighted music available for sharing over the Internet, the defendant counterclaimed that the investigation by the plaintiffs (music and recording companies) constituted trespass, computer fraud and invasion of privacy. The court granted the plaintiffs' motion to dismiss each of the above-mentioned counterclaims.
|
August 18, 2007 | Posted by Al Gidari
The Office of the Privacy Commissioner of Canada has published guidance for organizations for notifying customers when a privacy breach occurs. A privacy breach is the result of an unauthorized access to or collection, use or disclosure of personal information in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial privacy legislation. The guidance is just that, guidance, and neither PIPEDA nor any other law in Canada currently requires notice for a breach. However, it is expected that the guidance will serve as the basis for amending PIPEDA in the near future. The Commission also published a checklist for organizations to use in evaluating the need to provide notice. The checklist is a handy outline of considerations for dealing with security breaches.
|
August 9, 2007 | Posted by Contributor
Two recent data disposal cases serve as a fresh reminder to businesses of the need to ensure that proper destruction protocols are in place as part of an overarching cradle-to-grave data protection program. Effective data protection programs must sufficiently address not only the initial collection, use and disclosure of personal information but also effective procedures to properly store or dispose of personal information once it is no longer needed.
|
October 10, 2006 | Posted by Contributor
6th Cir. Ct. of Appeals, No. 03-2012 (9/28/06). In a case of apparent first impression, the U.S. Court of Appeals for the Sixth Circuit has held that the Cable Communications Policy Act does not apply to broadband Internet services provided by a cable provider. Under the Sixth Circuit's holding, the statute's privacy provisions do not prevent ISPs from collecting personally identifiable information about their users.
|