Third/Fourth Quarter 2010

In This Issue:


I. Online and Consumer Privacy

A.
B.
C.
D.

II. Communications Privacy

A.
B.

III. Liability Shields and Content Protection

A.
B.
C.
D.
A.
B.

V. Workplace Privacy

A.
B.

VI. Healthcare Privacy

A.
B.
D.

VII. International Privacy Issues

A.
B.

 


A. Self-Regulatory Program for Online Behavioral Advertising Launches

Leading media associations, including AAF, ANA, DMA, IAB, 4A’s, and NAI, recently announced the launch of an advertising option icon that alerts individuals when they are visiting a website where their data is collected for behavioral advertising purposes. The icon is intended to assist companies engaged in online behavioral advertising in providing the clear disclosures to consumers regarding behavioral advertising practices as outlined in the Self-Regulatory Principles for Online Behavioral Advertising released in 2009. The Self-Regulatory Principles were issued in response to FTC Principles calling on the industry to provide consumers with both notice and choice about when information is being used for online behavioral advertising – defined as tracking of a consumer’s activity across multiple websites to serve advertisements. In other words, tracking behavior on one website to serve advertising content on another – unrelated – site. Entities participating in the new program may use the icon and one of three phrases: “Why did I get this ad?”, “interest Based Ads”, or “Ad Choices.” When a consumer clicks on the icon, they will be taken to a disclosure statement regarding the company’s data-collection practices, as well as provided with the opportunity to opt-out of having their information collected for online behavioral advertising purposes. At this time, however, the opt-out process is in beta testing stage. The fee to use the icon is $5,000 per year.

TIP: The FTC is paying close attention to the practices of online behavioral advertisers. Companies should work with their online and marketing teams to determine if they are engaging in online behavioral advertising practices, and if so, determine what steps they will take to meet the FTC Principles of notice and choice.

[Top]

 

B. Flash Cookie Class Action Lawsuit Settles

In a series of class action lawsuits filed in California this year, the popular third party advertising service providers Quantcast Corp. and Clearspring Technologies Inc. were accused of violating various privacy laws. In particular, the complaints filed against the companies alleged that they used Flash cookies, which would regenerate even if a user deleted all cookies, and that the regeneration was without the user’s knowledge. While admitting no liability, the companies promised that they had stopped using cookie technology and would not use it in the future. The companies also agreed to set up a $2.4 million settlement fund, and to work with the Network Advertising Initiative to include a prohibition in the NIA Guidelines against use of Flash cookies.

TIP: Companies should assess whether they – or their third party service providers – use Flash cookies, and if so, consider ceasing use of such cookies. While the settlement terms are not binding on others, this lawsuit suggests that we may start to see an industry shift away from use of Flash cookies.

[Top]

 

C. FTC Recommends Sweeping Changes to Privacy Approach, DOC Issues Report

In early December, the FTC issued a preliminary report to Congress indicating that it believes there should be a fundamental shift in the approach to privacy. Instead of its traditional notice and harm-based analysis, the FTC now contemplates a three-pronged process for businesses, namely (1) adopting privacy protections at every stage of a business operation, (2) providing consumers with streamlined choice for “uncommon” uses of information and (3) giving better transparency about data practices. More information about the FTC Report is included in our special alert. Shortly after the report was released, the Department of Commerce issued its own report, calling for inter alia, revitalizing the fair information practice principles by including simpler privacy notices and commitments to limit data use; encouraging the adoption of voluntary, privacy codes of conduct on an industry-by-industry basis through adoption of a Privacy Policy Office within the DOC; and adoption of nationally-consistent data breach notification rules.

TIP: 2011 will likely bring many changes in the privacy regulation. Companies can get prepared by putting their “privacy house” in order through steps like analyzing what information they collect, how they use it, how long they keep it, with whom it is shared, and how it is protected. Organizations can also get involved by providing comments directly to the FTC (due in January), or through industry-specific organizations.

[Top]

 

D. Child Web Monitoring Software Company Settles with FTC

EchoMetrix Inc., maker of Sentry software, has settled with the FTC over allegations that it failed to properly disclose to parents that if they purchased and installed the Sentry child-monitoring software on their children’s computers, the software would also track and provide information about their children to marketers. According to the complaint, disclosure about the tracking activity was contained in a privacy policy appended to the End User Software Agreement. The language itself, according to the FTC, was very vague, indicating only that information would be used “to customize advertising and content you see . . . [and] conduct research,” and was found 30 paragraphs down from the start of the document. And, when asking users to accept the EULA and privacy policy, the user was only shown the first 9 lines. As part of the settlement, EchoMetrix agreed not to disclose information collected through Sentry to marketers and to destroy information already collected. The settlement also provided for standard record-keeping requirements, and gave the FTC the ability to monitor EchoMetrix’s compliance.

TIP: The FTC is giving increased scrutiny to programs that collect and monitor consumer information. Companies should take care when engaging in such activities, and review with counsel whether any activities should be altered to lessen potential liability.

[Top]


A. TRO Issued Against Robocall Operations

The Federal Trade Commission recently obtained a temporary restraining order against a telemarketing company that used robocalls to offer allegedly worthless credit card interest rate-reduction programs. The FTC alleged that the company defrauded approximately 13,000 consumers out of almost $13 million through the robocall operation. The FTC’s complaint stated that the robocall operation violated the FTC’s Telemarketing Sales Rule for failing to obtain written permission from consumers prior to making the robocalls, and violated the FTC Act for misrepresentations contained within the calls.

The FTC obtained a similar TRO in June 2010 against a company that made more than 370 million robocalls in a year. In that case, the FTC alleged that the defendants violated the FTC’s telemarketing rules by using robocalls to contact consumers without the consumer’s written permission, calling consumers on the National Do Not Call Registering, failing to connect to a live person when a consumer answers, and failing to honor the company-specific do not call list. The director of the FTC’s Midwest Regional Office stated that “telemarketers need to understand that blasting consumer with ’robocall’ pitches is no longer legal. Unless you have someone’s consent up-front and in writing to receive a robocall, just don’t do it.”

TIP: Remember that the use of robocalls (pre-recorded messages) and automatic dialers is highly regulated, and generally requires written permission from the consumer you are calling.

[Top]

 

B. Journalist Reinstated After Being Fired for Twitter Comments

A journalist for Radio Free Asia –a Washington D.C.-based news organization – was recently reinstated following an arbitration with his employer over his termination for numerous Twitter posts. In his posts, the journalist voiced his frustration about criticisms he had received from the subjects of an article he had written. RFA insisted that they had cause for letting the journalist go, in particular that his unprofessional and inappropriate tweets violated company policy and amounted to insubordination. RFA further accused the journalist of violating his code of journalistic ethics by becoming personally involved with the subjects of his story and attacking them over Twitter. An arbitrator found that instructions from his supervisor about the amount of information the journalist was allowed to post on Twitter were unclear. Furthermore, the arbitrator found that it was actually RFA’s actions that exacerbated the situation, thus ending in the journalist’s decision to take his debate onto Twitter.

TIP: To ensure that companies can enforce their social media policies, they should take steps to make sure that they are clear and that employees are aware of their terms and understand their requirements.

[Top]


A. Liability Found for Unauthorized Use of Self-Portrait Photography

The Middle District of Florida recently found Televised Visual X-ography, an adult film production company, liable for the unauthorized use of an individual’s self-portrait photograph on the cover of one of its DVDs. The plaintiff had posted the photo she took of herself at age 14 to a Web site called deviantArt and Televised Visual X-ography downloaded the photograph for use in connection with one of its DVDs. In addition to finding in favor of the plaintiff on her claim of copyright infringement, the court found that the use of the photograph constituted image misappropriation under Florida law. The court awarded damages for reputational harm and awarded $100,000 in compensatory damages “for the humiliation and mental anguish caused by the defendant’s defamatory use of her self-portrait” in connection with pornography. The court awarded a total of $129,173.20 in damages. Because the plaintiff had not registered her copyright in the photograph prior to the infringement, she did not qualify for statutory damages or attorney’s fees for the copyright infringement.

TIP: Even if you have obtained permission from the copyright owner to use a particular image in commercial advertising, be sure that you have also obtained permission from all individuals appearing in the image.

[Top]

 

B. Lawsuit Alleging Unfair Competition Continues, Despite CDA

Zynga, a game developer that creates games for social networking sites like MySpace and Facebook, was sued for engaging in false advertising for its in-game advertising practices. In Zynga games, users are able to engage in certain activities to earn “virtual currency,” which allows the user to purchase online goods, unlock new levels of the game, or otherwise make the games more enjoyable. Currency can also be obtained by participating in third-party offers. In one such third-party offer, according to the complaint, a consumer provided her cell phone number and unwittingly subscribed to a fee-based, monthly text message subscription. Users who discovered these types of charges on their phone bills were met with hurdles as they attempted to cancel the service and/or obtain a refund. Zynga argued that the case should be dismissed because it was a publisher of third party content –i.e., the special offers being made in its games – and as such shielded under Section 230 of the Communications Decency Act (CDA). The court declined to dismiss the case, noting that based on the facts alleged, it was possible that Zynga was more than a mere publisher of the offers, but may also have helped develop – in whole or in part – the offers in question.

TIP: Online companies that publish third party content can be shielded from liability under the CDA, but only if they avoid participating in the creation of the content. When publishing other companies’ content it is important to keep this potential shield in mind before becoming involved in the creation of the other entity’s content.

[Top]

 

C. Manufacturer’s DMCA Notices Sent to eBay May Have Violated Law

A furniture manufacturer was enjoined from sending Digital Millennium Copyright Act (DMCA) take-down notices to eBay regarding its competitor’s products. The manufacturer notified eBay that a competing furniture manufacturer was selling infringing furniture, and requested that the auctions be removed from eBay’s website. The competitor sued the manufacturer, claiming that the take-down notices were in violation of the DMCA. The California court agreed, noting that that the manufacturer’s pending copyright applications claimed the works were sculptures or 3-D artwork or ornamental designs. The court indicated that it believed the content of the copyright application was utilitarian, and as such, it was not likely that material was protectable nor that a copyright registration would issue. The court indicated that the manufacturer knew –or should have known – the limits of copyright protection, and that the manufacturer impermissibly sought protection of the “industrial design” of furniture. Accordingly, the court enjoined the manufacturer from submitting take down notices to eBay stating that the competitor’s auctions of furniture violated the manufacturer’s intellectual property rights.

TIP: Before sending a DMCA take down notice, a company claiming copyright rights should ensure that it does indeed have such rights.

[Top]

 

D. DMCA “Safe Harbor” Protection Upheld for YouTube

A United States District Court for the Southern District of New York recently found that YouTube was entitled to “safe harbor” protection under the Digital Millennium Copyright Act (DMCA) against all of Viacom’s direct and secondary copyright infringement claims. Viacom sued YouTube for direct and contributory copyright infringement based on uploads of their copyrighted content to YouTube. Viacom argued that YouTube had actual knowledge of the infringing material and encouraged the uploading of such material to the website, and therefore YouTube was not eligible for the “safe harbor” provisions of the DMCA which provide immunity against copyright claims against an interactive service provider when the service provider. In holding that YouTube was entitled to safe harbor protection, the court concluded that “mere knowledge of prevalence of such activity in general is not enough. . . to let knowledge of a generalized practice of infringement in the industry, or of a proclivity of users to post infringing materials, impose responsibility on service providers to discover which of their users’ postings infringe a copyright would contravene the structure and operation of the DMCA.”

TIP: It seems like the DMCA provides strong immunity for copyright infringements for websites who meet all of the requirements of its safe harbor: (1) register an agent with the copyright office, (2) post a takedown policy and (3) quickly take down any materials that are claimed to be infringed in accordance with the DMCA rules.

[Top]

 


A. Indiana AG Sues for Delayed Breach Notice

The Indiana Attorney General has filed a complaint against health insurer WellPoint, Inc., alleging that the company failed to provide timely notification of a data breach to affected state residents and the Attorney General’s office in violation of the Indiana data breach notice statute. The AG seeks $300,000 in civil penalties. According to the complaint, WellPoint left insurance applications of some 32,000 Indiana residents unsecured on its website, which applications contained social security numbers, financial information, and health records. WellPoint was notified by a health care insurance applicant that the records were publically available on February 22, 1010. According to the complaint, WellPoint unsuccessfully attempted to contact that applicant ten days later, but allegedly did not investigate further, and did not begin notifying affected individuals and the Indiana AG of the breach until approximately 120 days after it was made aware of the breach. The complaint alleges that this time frame is in violation of the Indiana data breach notification statute, which requires notification of a breach without “unreasonable delay.”

TIP: This case underscores the importance of being prepared in the event of a data breach. Companies should have in place a plan for notification, and be prepared to act quickly in the event that they become aware of a potential breach.

[Top]

 

B. FTC Ends Enforcement Inquiry Into Google Street View Wi-Fi data Collection

Google’s collection of data from unsecured wireless networks during its Street View Mapping project was widely reported on this summer. In particular, Google announced in May that while taking pictures of real world locations to support its Google Maps’ street view functionality, it also collected the contents of communications sent over unsecured wireless networks. Information collected included complete emails, URLs, and passwords. Google claimed that the collection was inadvertent, resulting from parts of an experimental software program, and that it did not use any of the data collected. The FTC began an investigation, but in October of this year announced that it was closing the investigation since, according to a statement from the FTC, Google had announced improvements to its internal processes to address privacy concerns, including appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The letter also noted that Google made assurances to the FTC that it has not used any of the data collected and will delete it as soon as possible.

TIP: Companies may from time to time find that they engage in inadvertent data collection, and such collection may result in regulatory investigations and potential enforcement actions. Steps should thus be taken to assess the amount and type of personally identifiable information an organization collects.

[Top]

 

C. Potential Theft of Personal Data Insufficient For Breach Claims

The U.S. Court of Appeals for the Ninth Circuit affirmed a lower court ruling that the theft of personal data, without actual identity theft, was insufficient to support a negligence, breach of contract or unfair competition claim under California law. In the case, an individual applying for a job with a large retailer provided his social security number during the application process. A laptop containing his social security number was then stolen from a third party vendor of the retailer. Upon discovering the breach, the job applicant filed a class action lawsuit alleging that the theft of the laptop with his personal data constituted negligence, breach of contract and unfair competition under California law. The trial court ruled, and the Ninth Circuit affirmed, that while the plaintiff had reason to be aggrieved and concerned based on the potential exposure of his personal data, the heightened risk of future identity theft did not constitute appreciative, non-speculative present harm necessary to support a negligence or contract claim. Furthermore, the Court of Appeals agreed with the district court that the plaintiff lacked standing under California’s unfair competition statute because he did not suffer actual injury that was cognizable under the statute.

TIP: Companies who suffer a data breach should think about the very real possibility that class action lawsuits alleging failure to protect data may be filed, and should consider steps to lower risks such as helping individuals avoid actual harm. For example, to help avoid identity theft, companies could offer credit monitoring services.

[Top]

 


A. NLRB Sues For Termination Under Company Social Networking Policy

The National Labor Relations Board filed a complaint in October on behalf of an employee that claims to have been terminated pursuant to an overbroad social networking policy. The complaint alleges that the employee was terminated from her job after criticizing her supervisor on Facebook after her supervisor had denied her request for representation in an investigatory interview. The employee, along with several other employees, is accused of posting criticisms of her supervisor on Facebook in violation of the company’s social networking policy. The company’s policy prohibits employees from making disparaging, discriminatory, or defamatory comments with discussing the company or the employee’s superiors, co-workers and/or competitors. The NLRB claims that the social networking policy infringes on the employees right to engage in concerted activities. The NLRB has previously outlined a four part test to determine the appropriate scope of corporate social media policies, which takes into account the place of discussion, the subject matter, the nature of the posts or communications, and whether the posts or communications were provoked by an unfair labor practice. This case is set to be heard January 25, 2011.

TIP: When drafting a social media policy it is important to clearly define what types of behavior will result in disciplinary action and to ensure that your policy is not violating any employee rights under applicable law.

[Top]

 

B. Search of Text Messages on City-Issued Pagers Found Acceptable

In a unanimous decision, the Supreme Court ruled this summer that a city’s search of an employee’s text messages on city-issued pagers was reasonable under the Fourth Amendment. The city provided pagers to its employees and stated that text messages would be treated like emails, so employees should have no expectation of privacy or confidentiality when using the pagers. A supervisor later told the employees that he did not intend to audit the employees’ text messages if the employees paid for their usage that exceeded the department’s monthly character limit set in place by the contract with the service provider. However, after several months of certain employees’ exceeding their character limits, the city reviewed the transcripts of the pager messages in order to determine whether the employees’ texts were being sent for personal or work-related reasons. In its investigation, the city discovered that Quon, a SWAT team member, had been using his pager to send personal and sexually explicit messages, and he was consequently disciplined. Quon filed suit alleging that the city had violated his Fourth Amendment rights. On appeal, the Supreme Court overturned the Ninth Circuit Court of Appeals’ decision finding that the search was reasonable. In affirming the decision, the Supreme Court focused on the fact that the employer’s search was motivated by a legitimate work-related purpose: to see if the employee was using too much bandwidth. The scope was reasonable because review of the transcripts was “an efficient and expedient way” to effectuate this purpose. Notably, the Court did not resolve the issue of whether Quon had a reasonable expectation of privacy in the messages. Despite the fact that this case arose in the context of a public employer/employee relationship and was decided with reference to the Fourth Amendment, the decision remains relevant to private sector employers who seek to avoid liability based on privacy rights violations. Justice Kennedy, writing for the majority, noted that employee monitoring is “regarded as reasonable and normal in the private-employer context.” Although the Court was cautious to narrowly limit its decision, the case will, nonetheless, serve as a guidepost for other courts who address this increasingly important and pervasive issue.

TIP: In order to deal with emerging technology and a blurring of the line between personal and professional uses of these technologies, employers should have in place clear and consistent privacy policies to protect themselves in the event that legal issues about privacy rights arise.

[Top]

 

C. New Illinois Law Restricts use of Applicants’ Credit History

The Employee Credit Privacy Act, signed by Illinois Governor Pat Quinn in August, prohibits Illinois employers from requesting, inquiring about or using the credit history of a prospective or current employee. Illinois employers will no longer be allowed to use the credit history of an employee or prospective employee in making determinations on employment, recruitment, discharge or compensation. There are certain exceptions to the new legislation, including that employers in industries dealing with banking, insurance, trade secrets, or state and national security are exempted from the prohibition. In limited circumstances, employers may also access credit checks for positions where state or federal law requires bonding or other security covering an individual holding the position. Additionally, employers may still conduct thorough background checks that do not include information related to credit history. The law is aimed at protecting individuals whose credit histories have been negatively impacted by the current economy.

TIP: Employers in Illinois should take proactive measures in order to ensure compliance with this new legislation going into effect on January 1, 2011.

[Top]

 

D. Ninth Circuit Finds Employers/Executives Have Protection from Anonymous Posters

The Ninth Circuit denied writs of mandamus appealing the District Court of Nevada’s order to disclose the identities of anonymous online posters in a case involving two competitor companies, Quixtar, Inc. and TEAM, LLC. Two of Quixtar’s former employees left Quixtar to form TEAM, and several lawsuits ensued. Quixtar asserted claims against TEAM for tortious interference, alleging that TEAM had orchestrated an Internet smear campaign via anonymous postings and videos that disparaged Quixtar and its business practices. During the civil discovery process, the Online Content Manager of TEAM refused to testify regarding his knowledge of the authors of statements from five different blogs, which contained comments such as “Quixtar currently suffers from systemic dishonesty.” The district court ordered TEAM’s Online Content Manager to testify regarding his knowledge of the identity of the anonymous online speakers. The Ninth Circuit noted that it had not “previously considered First Amendment claims of an anonymous, non-party speaker on the Internet in a circumstance involving commercial speech.” The Ninth Circuit then began its analysis by explaining the constitutional significance of First Amendment protection for anonymous speech and noted that “[a]nonymous online speech is an increasingly important issue in the commercial context, particularly in light of the ubiquity of the internet.” Significantly, the court rejected the varied approaches taken by other courts, in finding that the proper inquiry in these cases is whether the anonymous speech is political, religious or literary. If the anonymous speech is commercial, as it was here, then the court should apply a balancing test, weighing the anonymous speaker’s First Amendment rights against the “need for relevant discovery.” The court left it open to lower courts to fashion the appropriate scope and procedures for the disclosure of the identity of anonymous speakers.

TIP: Although it remains unclear how future courts will resolve this issue, the bar has been lowered by the Ninth Circuit for employers to unmask the identities of anonymous speakers online where the speech is commercial in nature.

[Top]

 

E. Canadian Employee Termination For Facebook Postings Ok’d By CA Labor Board

The British Columbia Labour Relations Board ruled that two employees could be terminated for posts on their Facebook accounts regarding their employer and supervisors. The posts contained references to the supervisors’ sexual activities, and suggested taking violent action against these supervisors. Additionally, the postings made disparaging statements about the employer, and encouraged others not to conduct business with the employer. The Canadian provincial labor board concluded that the employees were insubordinate, and the posts created a hostile work environment for co-workers and supervisors, and that the posts were likely to harm the company’s reputation. As such, the termination was acceptable.

TIP: This ruling suggests that companies may be able to take action against employees for their behavior in social media, at least when that behavior directly discusses the workplace. Companies should use caution and consult with legal counsel first, however, before taking any such actions.

[Top]

 

A. Prison Time for Hospital Worker Who Accessed Patients’ Medical Files

A California federal court judge sentenced a former employee of the UCLA Healthcare System to four months in prison for illegally accessing patients’ medical files. The former employee, Huping Zhou, previously had pleaded guilty to four misdemeanor counts alleging violations of the HIPAA privacy rule for accessing patients’ records without authorization. He reportedly is the second person in the U.S. sent to prison for violating the HIPAA provision. The facts of the plea agreement showed that defendant Zhou had accessed hundreds of medical records over a three-week period, including those of various celebrities and his supervisors, after he had received notice that UCLA intended to fire him for job-performance-related reasons unrelated to unauthorized access to health care records. The U.S. Attorney’s Office has said it has multiple other ongoing HIPAA privacy investigations involving UCLA and other major healthcare systems in California.

TIP: Be aware that violations of HIPAA for accessing patients’ health care records can result in misdemeanor criminal charges.

[Top]

 

B. Lawsuit Challenges Application of Red Flags Rule to Physicians

The American Medical Association (“AMA”) and other health care groups have filed a suit in the federal court in Washington, D.C. challenging the Federal Trade Commission’s application of its “red flags” rule to physicians. The FTC’s “red flags” rule requires creditors to monitor red flags, or warning signs, for possible identity theft. The term “creditors” is broadly defined by the FTC to include many types of organizations such as law firms, utility companies, automobile dealerships, and health care practices. The AMA and the other plaintiffs contend that the application of the “red flags” rules to physicians constitutes unjustified federal regulation of medicine, treating medical practices like banks, credit card companies, and mortgage lenders. The federal district court in Washington, D.C. previously barred the FTC from applying the “red flags” rule to attorneys, after a lawsuit was filed by the American Bar Association. That decision was appealed by the FTC. The AMA and other health care practice plaintiffs are seeking a similar result, contending the FTC’s actions are arbitrary, capricious, and contrary to the law. The plaintiffs are encouraging physicians to comply with the “red flags” rule while the litigation is pending, and the AMA has provided online resources to do so.

TIP: If you are a physician or part of a health care practice which may be subject to the FTC’s “red flags” rule, you should be aware that this lawsuit has not yet been resolved (although as we reported the FTC has agreed, generally, to delay enforcement of the Red Flags Rule until December 31, 2010).

[Top]

 

C. Health Care Company Pays $375,000 Fine to Connecticut Insurance Department

Health care insurance and services company Health Net agreed to pay a $375,000 fine to resolve an enforcement action by the Connecticut Department of Insurance regarding a 2009 data breach. The settlement arose from Health Net’s discovery that a computer disk drive with unencrypted data was missing from a company office. Health Net subsequently informed officials in four states that the disk contained health, financial and other personally identifiable data concerning approximately 1,500,000 current and former Health Net members, including over 500,000 Connecticut residents. The Connecticut Insurance Commissioner charged that Health Net failed to adequately protect members’ personal information, and did not timely notify either state officials or the affected members about the breach. The settlement also requires Health Net not to pass on to its members any of the costs associated with the breach. Earlier this year, Health Net also had agreed to pay $250,000 to the Connecticut Attorney General to resolve alleged HIPAA violations for the same data breach. That agreement was the first state Attorney General settlement since the AGs were authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act to pursue alleged HIPAA violations in federal court.

TIP: Be aware that state AGs now have authority to pursue HIPAA violations in federal court under the HITECH Act, and that state insurance commission privacy claims also may be brought against health insurers based on the same allegations.

[Top]

 

D. New AMA Policy on Physicians’ Use of Social Media

The American Medical Association (AMA) has issued a new policy regarding professionalism in the use of social media. The new policy first acknowledges the expanding use of social media on the Internet by medical students and physicians which allows them to communicate and share information quickly and easily. However, the policy encourages physicians to manage online content to better protect patient privacy, maintain physician-patient confidentiality, and maintain professionalism. The policy emphasizes that physicians should be cognizant of the standards for patient privacy and confidentiality that must be maintained in all environments. The policy also urges physicians to routinely monitor their own posted material to ensure personal and professional information is both accurate and appropriate. If physicians interact with patients on the Internet, the policy states that physicians must maintain appropriate patient-physician professional boundaries. Where necessary to maintain these standards, the policy also urges physicians to consider separating personal and professional online content. The AMA policy also takes the position that, when physicians see unprofessional content posted by colleagues, they have a responsibility to bring the content to the colleagues’ attention so it can be removed or other appropriate action be taken. If the unprofessional content is not addressed or “significantly violates” professional norms, the policy states the physician should report the matter to the appropriate authorities.

TIP: If you are a physician, be sure to carefully monitor all of your professional and personal social media content. Especially if you are an AMA member, be sure to note the policy’s statements regarding the responsibility of physicians to report unprofessional content in certain circumstances.

[Top]

 


A. European Commission Proposes Amendments to Data Protection Directive

The European Commission has proposed amendments to its Data Protection Directive in order to account for developing technologies and to harmonize the approach that its 27 member states take to privacy and data protection. The proposed revisions suggest providing individuals with stronger data protection rights, including increasing protection for all individuals; increasing transparency so individuals know how and by whom their data is collected, how it will be used, and what their rights are if they want to access, rectify or delete their data; providing individuals with control over their personal data by allowing them to access, rectify, delete or block their data; providing consumers with informed consent as to use of personal data collected from them; protecting sensitive personal data; creating more stringent remedies for infringement of data protection rules, including criminal sanctions and the ability to bring an action before the national courts; and providing broader breach notification requirements that would expand the requirements from just the telecommunications industry to other areas. The Commission’s strategy also includes strengthening the role of member states’ data protection agencies, streamlining data transfers outside the EU and facilitating cooperation with countries outside of the EU to maintain high standards of global data protection levels and consistency. Among other things, the Commission has stressed that it is looking to encourage more use of the Codes of Conduct for self-regulation and may introduce an accountability principle into the Directive that would require data controllers to take responsibility for the protection for personal data. Comments on the proposed revisions are just by January 15, 2011 and the Commission expects to actually amend the Directive by June 2011.

TIP: Companies that collect information from EU residents, or work with third parties that operate in EU countries should be aware that the requirements as outlined in the 15 year old Data Privacy Directive may be changing. Interested parties are encouraged to submit comments before the January 15, 2011 deadline.

[Top]

 

B. Canada Passes Spam Law

Joining most other nations, Canada this month passed an anti-spam law that regulates not only the sending of email and text messages, but also “similar accounts” on such social networking sites such as Twitter and Facebook. The law allows regulators to set the implementation time-table, which as of yet has not been announced.

TIP: Marketers who send messages to individuals in Canada should be aware that new requirements may be coming soon.

[Top]

 


If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO LOS ANGELES

Liisa M. Thomas
(Advertising)

(312) 558-8121

Steven D. Atlee
(Litigation)
(213) 615-1827
Julie Bauer
(Litigation)
(312) 558-5973 Anna S. Masters
(Labor and Employment)
(213) 615-1711
Monique Bhargava
(Advertising)
(312) 558-3732    

Stephen P. Durchslag
(Advertising)

(312) 558-5288

NEW YORK

 

Christine A. Edwards
(Financial Services)

(312) 558-5571

Virginia R. Richard
(Intellectual Property)
(212) 294-4639

Brian D. Fergemann
(Advertising)

(312) 558-8024

   

Delilah B. Flaum
(Health Care, Litigation)

(312) 558-8922

PARIS  

Jason W. Gordon
(Advertising)

(312) 558-6145

Sébastian Ducamp
(Employment, Litigation)
33 0(1) 53 64 82 08

Brian L. Heidelberger
(Advertising)

(312) 558-5897

Blaise Deltombe
(Employment, Litigation)
33 0(1) 53 64 82 31

Mary Hutchings Reed
(Advertising)

(312) 558-5721

Nathalie Hadjadj-Cazier
(Intellectual Property)
33 (0)1 53 64 81 50
Michael Melbinger
(Employee Benefits)
(312) 558-7588 Gwendaline Sarrat
(Intellectual Property)

33 (0) 1 53 64 82 47

Robert H. Newman
(Advertising)

(312) 558-8125

   
Michael Philipp
(Financial Services)
(312) 558-5905 SAN FRANCISCO  
Tim Rivelli
(Litigation)
(312) 558-5817 David S. Bloch
(Intellectual Property, Litigation)
(415) 591-1452

Cardelle B. Spangler
(Labor & Employment, Litigation)

(312) 558-7541

Andrew P. Bridges
(Intellectual Property)
(415) 591-1482

Marc H. Trachtenberg
(Advertising)

(312) 558-7964

Kimberly E. Eckhart
(Intellectual Property)
(415) 591-6805

Amanda C. Wiley
(Associate)

(312) 558-8795

Jennifer A. Golinveaux
(Intellectual Property, Litigation)
(415) 591-1056
LONDON Becky L. Troutman
(Intellectual Property)
(415) 591-1401
Zoë Ashcroft
(Corporate, Financial)
44 (0)20 7105 0025    
Danvers Baillieu
(Litigation, Financial)

44 (0)20 7105 0017

WASHINGTON, D.C.  
Barry Vitou
(Corporate, Financial)

44 (0)20 7105 0018

Marion K. Goldberg
(Health Care)
(202) 282-5788
 

   
       

Attorney Advertising Materials

If you no longer wish to receive the Privacy and Technology Client Bulletin from Winston & Strawn LLP, please click here. You may also email us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 West Wacker Drive, Chicago, IL 60601.

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

© 2010 Winston & Strawn LLP