Privacy Matters Now – Second Quarter 2011
In this issue:
- Privacy Matters Now
- Firm News
Privacy Matters Now
For the past year, we have been advising clients to review their privacy policies and procedures because the time was coming when the standards of data protection and accountability would increase. That time has arrived. “Privacy by Design,” a concept developed by our Canadian friends up north, has become the mantra for making the protection of personally identifiable information (“PII”) an integral part of the operation of a business. Last week, Senator John Kerry announced that he will be introducing privacy legislation, the “Commercial Privacy Bill of Rights Act of 2011,” for Senate approval. Materially, the proposed Act expands the definition of information that is covered and provides the Federal Trade Commission (the “FTC”) with rulemaking and enforcement authority. Thus, businesses that are covered by the Act will face severe penalties for failure to comply.
The Act defines the information that is covered as PII as well as “unique identifier information” (“UII”) and “any information collected in connection with PII or UII that may be used to identify an individual.” This broad definition includes geographical addresses, email addresses that include the name of the individual (e.g. email@example.com), personal telephone numbers, and credit card numbers. Additionally, and significantly for any business that conducts online marketing or business, unique personal identifiers such as cookies, user IDs, processor serial numbers or device serial numbers, if used to identify a specific individual, as well as biometric data (fingerprints and retinal scans), birth dates, and places of birth, are all considered to be covered information under the Act. Evidently, almost all information that is normally collected by a business that sells to consumers will be covered by the Act.
The Act will apply to “covered entities,” which are defined as “any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12 month period.” It requires opt-in and opt-out options for specific types of transactions and reasonable access by individuals to their “covered information,” and it limits access of third parties to “covered information” unless the individual has agreed to permit such access.
Finally, the FTC has been granted the right to issue rules on enforcement and to issue monetary penalties of up to $3 million, depending on the nature of the violation. Enforcement will be by state attorneys general, as well as by the FTC. Clearly, the government is not messing around.
The time has come for all businesses that collect consumer information to take privacy seriously, and to be proactive. The old adage of “an ounce of prevention is worth a pound of cure” definitely applies!
Firm News
OlenderFeldman LLP is pleased to announce that Michael J. Feldman is now a Certified Information Privacy Professional (“CIPP”) by the International Association of Privacy Professionals (“IAPP”). The IAPP is widely recognized as the leading association of privacy professionals, and Michael’s certification will bolster our services that focus on data privacy and information security issues. Our Firm can help clients (i) determine where they collect data and what types of data they maintain; (ii) develop compliance programs to mitigate risks associated with maintaining that data; (iii) respond to actual or alleged security breaches; (iv) defend against administrative or private actions, lawsuits, or claims associated with alleged non-compliance; and (v) enforce our clients’ rights with respect to alleged breaches of security and data management by outsourced vendors.
OlenderFeldman LLP and Acentris LLC will be participating in the Seventh Annual Internet Retailer Conference & Exhibition (“IRCE”), June 14th – June 17th in San Diego (www.irce.com). IRCE is the world’s largest e-Commerce event, and Kurt D. Olender will be speaking on data privacy and compliance.