Privacy

This Note addresses the legal and contractual considerations relating to privacy and security under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the context of cloud computing. The Note includes specific contract provisions that should be considered when negotiating or evaluating a contract with a cloud provider.

This Note discusses common cyber attack scenarios and sets out actions that companies can take to prevent or respond to attacks, including developing a cyber attack response plan. It also addresses the chief compliance officer's role in preventing and containing attacks and law enforcement referrals, and civil and criminal actions companies can pursue against attackers.

A Note discussing the federal CAN-SPAM Act's requirements for commercial e-mails, its enforcement and best practices for compliance.

This Practice Note describes the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for protecting the privacy of personal health information. It includes a description of the entities and types of health information covered by the Privacy Rule, an overview of individual privacy rights and a discussion of the permitted and prohibited uses and disclosures of health information.

A Practice Note discussing privacy considerations in the context of mobile applications (apps), including liability risks associated with mobile app information collection and practices for addressing those risks. This Note provides an overview of how mobile apps use technology to collect information about and track end users, identifying key differences between mobile apps and websites in terms of how they collect and store end-user information and end users' ability to control that collection and storage. It also discusses the legal framework governing mobile app privacy, including FTC rulemaking, guidance and enforcement actions.

This Note provides an overview of privacy issues in employment, which may arise in various contexts, such as background checks, drug testing, e-mail and other electronic surveillance and tracking by GPS. Invasion of privacy claims are highly fact-intensive and largely dependent on state law. This Note contains information that is general and not jurisdiction-specific.

A policy for employers that wish to allow their employees to use their own smartphones, tablets or other mobile devices for work either while at the office or during nonworking hours. This policy can be incorporated into an employee handbook or used as a stand-alone policy document. This Standard Document applies only to private workplaces and is jurisdiction neutral. State or local law may impose additional or different requirements, but this document will be useful and relevant to employers in every state. This Standard Document has integrated notes with important explanations and drafting tips.

A sample form to be provided by an individual to a covered entity authorizing the covered entity to use or disclose protected health information for certain purposes. This authorization is designed to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) but does not address any applicable state law requirements. This Standard Document has integrated notes and important explanations and drafting tips. This Standard Document is in the process of being updated for final HIPAA regulations issued in January 2013.

A sample Business Associate Policy to be adopted by a covered entity to set out its policies and procedures for addressing business associate contract requirements imposed by the Health Insurance Portability and Accountability Act of 1996. This Standard Document has integrated drafting notes with important explanations and drafting tips. This Standard Document is in the process of being updated for final HIPAA regulations issued in January 2013.

A sample form from an individual to a covered entity acknowledging that the individual received the covered entity's Notice of Privacy Practices, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This form does not address any applicable state law privacy requirements. This Standard Document has integrated notes with important explanations and drafting tips.

A model mobile application (app) privacy policy for use by an online business for the collection, storage, use and disclosure of personal information, including for the purpose of selling goods or services to users of the business's mobile application, or for contacting users with direct marketing information. This Standard Document has integrated notes with important explanations and drafting tips.

A model website privacy policy for use by an online business in connection with the collection, storage, use and disclosure of personal information, including for the purpose of selling goods or services to users of the site, or for contacting users with direct marketing information. This Standard Document has integrated notes with important explanations and drafting tips.

These standard clauses provide resolutions that covered entities can use to appoint a privacy and security officer as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These standard clauses include integrated notes with important explanations and drafting tips.

Form of risk factor relating to cyber security that may be inserted into a public company's annual and periodic reports, registration statements or private placement offering documents. This document provides sample language describing risks arising from information security, including the impact of a potential or actual material network breach and steps taken to reduce risk exposure. These Standard Clauses have integrated notes with important explanations and drafting tips.

Standard clauses approved for the purposes of Directive 95/46/EC for the transfer of personal data to data controllers in third countries that do not ensure an adequate level of protection as set out in the Annex to  Decision 2004/915/EC. This Standard document has been adapted by PLC IPIT & Communications from the original text available at the EUR-Lex Website with the permission of the Publications Office of the European Union. © European Communities, http://eur-lex.europa.eu/ Only European Union legislation printed in the paper edition of the Official Journal of the European Union is deemed authentic.

This Checklist describes relevant legal obligations and common gaps in information security compliance pertaining to personal information of individuals.

A Q&A guide to data protection in Finland. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

On April 24, 2013, Practical Law Company and Matthew A. Karlyn of Cooley LLP presented Essentials of Software as a Service (SaaS) Contracts: What to Include and What to Leave Behind, a one hour webinar on the key negotiating points, provisions and pitfalls of SaaS agreements. You can access the recorded webinar here. Click here to download webinar slides.

A Q&A guide to data protection in the UK. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to privacy in the UK (England and Wales). The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in India. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

An expert Q&A with Christine A. Williams of Perkins Coie LLP on the HIPAA privacy and security issues related to moving personal health information to cloud storage.

A Q&A guide to data protection in Australia. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in China. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A guide to data protection in Germany. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Japan. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Poland. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in South Africa. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Thailand. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in the Czech Republic. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

This tool enables subscribers to search the Country Q&A in the Data Protection multi-jurisdictional guide by question and jurisdiction. Simply select the questions and the jurisdictions that you are interested in and click the "submit" button. Please note that the law stated dates for each jurisdiction covered may not be the same. To check the law stated dates for each jurisdiction, please visit the individual article.

The European Commission published a proposed new data protection framework for the EU on 25 January 2012. The proposed legislation not only reflects the change in the way personal data is used, but also the change in public opinion about how it should be used. The new framework proposes, among other things, that data controllers can no longer rely on implied consent in the processing of personal data and that data subjects have the right to be forgotten. This article discusses the current and future position of data protection legislation in the EU. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Austria. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Hungary. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in Luxembourg. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in the Qatar Financial Centre (QFC). This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in the Dubai International Financial Centre (DIFC). This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

A Q&A guide to data protection in the United States. This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies. To compare answers across multiple jurisdictions, visit the data protection Country Q&A tool. This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.

Online behavioral advertising programs, which target consumers based on their interests and preferences, have recently faced enhanced scrutiny from consumer advocates and regulators. This article explores the evolving legal and self-regulatory landscape of online behavioral advertising, and outlines key practical considerations for companies.

A guide to recent developments and proposed changes in the regulation and enforcement of consumer privacy and data security.

This article is part of the PLC multi-jurisdictional guide to data protection law. For a full list of contents visit www.practicallaw.com/dataprotectionhandbook. The production and disclosure of documents showing a company's relations with other parties is usually not intended, though this may be important in legal proceedings. Data protection laws have introduced new potential tools to obtain documents and gather information outside legal proceedings. This article examines the grounds for these requests under Swiss law and the rights under the Swiss Data Protection Act.

A Q&A guide to data protection law in Greece.

A discussion of key changes to the Children's Online Privacy Protection Rule that become effective July 1, 2013.

This Legal Update describes key due diligence and contractual considerations for companies considering entering into arrangements with third-party service providers involving the transfer or sharing of personal information.

The EU’s Article 29 Working Party has adopted an opinion (04/2013) on the data protection impact assessment template for smart grid and smart metering systems (WP205) in the energy sector.

The FTC has issued an updated set of FAQs regarding the Children's Online Privacy Protection Act (COPPA) Rule which aims to help website operators, mobile app developers, plug-ins and advertising networks operating on child-directed websites, and online services prepare for the upcoming Rule changes.

In Sams v. Yahoo! Inc., the US Court of Appeals for the Ninth Circuit affirmed the district court's order dismissing the plaintiff's class claims against Yahoo! for its alleged violation of the Stored Communications Act arising from Yahoo!'s disclosure of the plaintiff's basic subscriber information to the government after Yahoo was served with allegedly invalid subpoenas.

The Department of Commerce's International Trade Administration (ITA) has issued guidance clarifying the US-EU Safe Harbor Framework and how it applies to the transfer of personal data from the EU to the US via cloud computing. Significantly, the ITA does not view cloud computing as an entirely new business model or as presenting unique issues for the Safe Harbor.

New Mexico recently enacted the No Social Media Access for Employers Act (SB 371), which prohibits employers from requesting or requiring that a prospective employee provide a password or access to the prospective employee's social networking account.

The Article 29 Working Party has published its Opinion 03/2013 on purpose limitation (WP 203), which provides guidance for the principle's practical application under the Data Protection Directive (1995/46/EC) and includes recommendations with regard to the ongoing review of the EU data protection framework.

The US Department of Commerce has issued a notice of inquiry concerning its evaluation of incentives aimed to promote participation in a voluntary program to support the adoption by operators and owners of critical infrastructure of the Cybersecurity Framework.

The FTC has approved a final order settling charges that Epic Marketplace, Inc. used "history sniffing" to secretly and illegally determine whether millions of consumers had visited various websites, including web pages relating to sensitive medical and financial issues.

In Eagle v. Morgan, the US District Court for the Eastern District of Pennsylvania granted partial summary judgment in a case involving an employer's alleged wrongful access to and control of a former employee's LinkedIn account. The court granted summary judgment to the employer on the plaintiff's Computer Fraud and Abuse Act (CFAA) and Lanham Act claims, but allowed the plaintiff's state law claims to proceed. This case highlights the importance of instituting and maintaining social media policies addressing the ownership of social media accounts during and following employment.

The FTC issued a staff report which highlights key issues consumers and companies face as they adopt mobile payment services.

The FTC is seeking public comment on a proprosed consent order applicable to HTC America, Inc.

In Ashland Hospital Corp. v. Service Employees International Union, District 1199, the US Court of Appeals for the Sixth Circuit held that the defendant labor union did not violate the TCPA when it made robocalls on labor issues to area residents and allowed the residents to choose to be patched through to the direct extension of an executive involved in the dispute, resulting in hundreds of calls to the executive.

The Payment Card Industry Security Standards Council (PCI SSC) published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The guidelines highlight the factors and risks that merchants should address to protect card data when using mobile devices to accept payments.

The Payment Card Industry (PCI) Security Standards Council (SSC) released a supplement to the payment card industry data security standards (PCI-DSS) addressing the use of cloud technologies and considerations for PCI-DSS controls in cloud computing environments.

A recent opinion of the Supreme Court of California held that the Song-Beverly Credit Card Act (Song-Beverly Act) does not apply to online transactions in which a product is downloaded electronically. The decision helps to clarify when personal identification information can be collected under the Song-Beverly Act.

The Federal Trade Commission has issued a staff report that recommends ways for participants in the mobile marketplace to improve mobile privacy disclosures. It also issued a business guide providing app developers with recommendations for approaching mobile app security.

The Department of Health and Human Services (HHS) has issued model business associate agreement provisions reflecting final privacy, security, breach notification and enforcement rules under the Health Insurance Portability and Accountability Act (HIPAA).

On January 10, 2012, President Obama signed the Video Privacy Protection Act Amendments Act of 2012. The Act amends provisions of the federal criminal code to allow video tape service providers to receive advance consent over the Internet to disclose consumers' personally identifiable information.

On December 28, 2012, in Kirch v. Embarq Management Co., the US Court of Appeals for the Tenth Circuit affirmed a district court's ruling that an internet service provider did not violate the Electronic Communications Privacy Act of 1986 when it allowed a third-party online advertising company access to its users' clickstream information to conduct a test for directing online advertising to potentially interested users.

On December 10, 2012, the Federal Trade Commission (FTC) released a report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, detailing the results of the FTC's second survey of kids' mobile apps. The report finds that little progress has been made toward informing parents of what they need to know to determine what data mobile apps collect from their kids, how the data is shared or who will have access to it.

This Law Firm Publication by Jackson Lewis LLP discusses New York's new law safeguarding Social Security Numbers (SSN). Under Section 399-ddd of New York’s General Business Law, effective December 12, 2012, a person may not be required to disclose or furnish his SSN for any purpose. The new law applies to employers and certain other entities in the state. Businesses must review their practices relating to employees, customers and other individuals in situations where all or a part of the SSN is involved. An SSN includes not only the nine-digit number issued by the Social Security Administration, but also any number derived from the SSN, unless the number is encrypted.

The FTC published an interim final rule on identity theft red flags. This rule makes the Red Flags Rule consistent with the Red Flags Program Clarification Act of 2010.

This Legal Update provides employers considering a Bring Your Own Device to Work (BYOD) policy with guidance and drafting tips.

On October 17, 2012, the FCC released a Report and Order establishing a Public Safety Answering Point Do-Not-Call Registry as part of the Middle Class Tax Relief and Job Creation Act of 2012.

The FCC's revised prerecorded telemarketing rules, initially announced on February 15, 2012, have received final approval from the Office of Management and Budget and will go into effect on the effective dates announced by the FCC.

In Retail Ventures v. National Union Fire Insurance Co., the US Court of Appeals for the Sixth Circuit affirmed that companies may successfully seek coverage for losses resulting from cyber liability and data breach under traditional general liability, professional liability, or commercial crime insurance policies.

The Payment Card Industry (PCI) Security Standards Council, a global, open-industry organization focusing on payment security standards, released a best practices guide for mobile software developers that addresses mobile payment acceptance security.

This Law Firm Publication by Jackson Lewis LLP discusses new restrictions on requests for Social Security Numbers signed into law by New York Governor Andrew Cuomo on August 14, 2012. The new law will limit certain entities, including employers, from requiring individuals to disclose their Social Security Numbers for any purpose. Exceptions to the rule are provided for fraud investigations and criminal record checks, among other purposes. Employers and other entities who violate the law may be subject to civil penalties. The law becomes effective December 12, 2012.

Illinois Governor Pat Quinn signed into law HB 3782, which bars employers from requesting login information or demanding access to employees' and applicants' accounts on social networking websites. The law is scheduled to take effect on January 1, 2013.

In WEC Carolina Energy Solutions v. Miller, the US Court of Appeals for the Fourth Circuit held that an employer failed to state a claim against a former employee under the Computer Fraud and Abuse Act (CFAA) where the employee allegedly used confidential information to help the employer's competitor. The employer authorized the employee to access the information, but argued that the employee's unauthorized use of the information violated the CFAA. The Fourth Circuit held that the CFAA only prohibits unauthorized access to information stored on a computer.   

The Article 29 Data Protection Working Party has adopted an opinion setting out the data protection risks and concerns associated with cloud computing and making a series of recommendations on how to mitigate them.

On June 15, 2012, the Connecticut governor signed legislation amending Connecticut's data security breach notification law (Conn. Gen. Stat. § 36a-701b). The amended law goes into effect on October 1, 2012.

The Federal Trade Commission has announced proposed settlements with two different businesses over charges that each had separately violated the FTC Act by failing to implement reasonable and appropriate data security measures. Each business allegedly permitted peer-to-peer (P2P) file-sharing software to be installed on its corporate computer systems, making sensitive customer information available to the P2P networks.

On May 29, 2012, the US Court of Appeals for the Ninth Circuit ruled that a parent has a federal constitutional right to privacy in her child's death images. The court reasoned that this right of privacy is protected both by Fourteenth Amendment substantive and procedural due process because of its dual roots in common and statutory law. However, because the challenged disclosure was not made by a person who was a public official at the time of disclosure, the Ninth Circuit affirmed the district court's order of summary judgment dismissing the plaintiff's Section 1983 claim.

The FTC announced an agreement with Myspace to settle charges that Myspace misrepresented its protection of users' personal information and its compliance with the US-EU Safe Harbor Framework. The FTC complaint alleged that Myspace's actions were deceptive acts or practices that violated Section 5(a) of the FTC Act.

In addition to the controversial Cyber Intelligence Sharing and Protection Act (CISPA), the US House of Representatives approved three other cybersecurity bills on April 26 and 27, 2012. The bills include the Federal Information Security Amendments Act, the Cybersecurity Enhancement Act of 2011 and the Advancing America's Networking and Information Technology Research and Development Act.

On April 10, 2012, the US Court of Appeals for the Ninth Circuit issued an en banc decision in US v. Nosal, holding that employees who are authorized to access their employer's computers but use them in violation of company computer-use policy cannot be prosecuted for a federal crime under the Computer Fraud and Abuse Act.

The Federal Communications Commission's (FCC) Consumer and Governmental Affairs Bureau has announced that it is seeking public comment on whether opt-out confirmation text messages violate the Telephone Consumer Protection Act (TCPA) or the FCC's rules. The request is in response to SoundBite Communications, Inc.'s February 16, 2012 petition seeking an FCC declaration on the legality of opt-out texts.  Comments are due by April 30, 2012.

The Federal Trade Commission has announced a settlement with RockYou, Inc., an online game provider, over charges that RockYou violated the FTC Act by misrepresenting its safeguards for protecting consumer information and violated the Children's Online Privacy Protection Act Rule by collecting children's information without proper notice and parental consent.

The French data protection authority CNIL has sent a list of 69 questions to Google Inc on various aspects of its data protection procedures.

On March 6, 2012, the US Court of Appeals for the Seventh Circuit issued an opinion on an interlocutory appeal in Sterk v. Redbox finding that Redbox cannot be found liable for statutory damages under the Video Privacy Protection Act for failing to destroy personal information because no injury actually occurred.

On February 28, 2012, in Katz v. Pershing, LLC, the US Court of Appeals for the First Circuit affirmed a district court decision that a plaintiff lacked Article III standing to sue a financial services company for breaching common law rights and for violation of a state consumer protection law by failing to provide adequate data security measures and prevent the potential disclosure of her nonpublic personal information.

In a February 24, 2012 press release, the FTC annouced that it has approved Aristotle International, Inc.'s application to serve as a safe harbor program for implementing the Children's Online Privacy Protection Rule, the FTC rule that implements the Children's Online Privacy Protection Act.

The Obama Administration has released a Consumer Privacy Bill of Rights as part of a larger framework aimed at protecting consumer privacy. Additionally, the Adminstration announced the commitment of leading internet companies and online advertising networks to the use of Do Not Track technology in most major web browsers.

On February 15, 2012, the Federal Communications Commission (FCC) issued a Report and Order under the Telephone Consumer Protection Act of 1991 (TCPA) imposing new restrictions on autodialed and prerecorded telemarketing calls (robocalls).

The Federal Trade Commission (FTC) issued a sample letter warning mobile application marketers that their background screening applications could qualify as consumer reporting agencies under the Fair Credit Reporting Act (FCRA).

The California Attorney General has launched on online form for reporting data security breach notifications issued by businesses under California's breach notification law.  

The FTC has reached an agreement on a proposed consent order with Upromise, Inc. on charges that it deceptively collected consumers' personal information and failed to protect that information in the manner stated in its privacy policy. As part of the settlement, Upromise, Inc. agrees to clearly disclose its data protection practices and establish an information security program to be audited periodically by a third party for the next 20 years.

The US Department of Health and Human Services' (HHS) Office for Civil Rights is beginning audits this month of covered entities, including health plans, to ensure their compliance with the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security standards. The audit program should serve as a reminder to health plans to pay close attention to HIPAA. HHS has informally indicated that in 2012 it plans to release omnibus guidance finalizing proposed HIPAA and related guidance.

An update on a lawsuit filed by the American Bar Association (ABA) to bar the FTC from applying its Red Flags Rule, which requires certain "creditors" to create identity theft prevention and mitigation programs, to attorneys.