Privacy Laws: 5 Areas for Businesses to Watch in 2012

“The world of identity theft and its legal consequences are not limited to big credit companies. Main street businesses with online portals, or credit/payment card facilities of some kind, are just as much at risk. And if the rhetoric doesn’t scare, then the numbers should, as the Identity Theft Resource Center states the business sector increased to 41% of all the publicly reported breaches in 2009. As a result, all small businesses need to face the real danger of data breaches, which are not limited to malicious third parties, but can also arise from employee error.” (The Five Minute Guide To The FTC’s Red Flag Data Breach Rules by Wahab & Medenica LLC)

Plus ça change… The more things change, goes the adage, the more they stay the same, and personal privacy considerations are no exception. For your reference, here are five areas of personal and consumer privacy that small businesses should continue to monitor in 2012.

1. Data Breaches

“A company must stand ready to respond once aware or informed of a possible or actual data incident or breach. There should be a mechanism for reporting a possible or actual data incident or breach, and employees should be sensitized to its importance. Time is of the essence in determining whether a data breach has occurred or is likely to occur, whether notification is required or advisable. If notification is required or advisable, then providing it must also be done quickly.” (Practical Steps in Responding to a Data Breach by Nick Akerman) 

“In addition to legal fees, companies that have experienced data breaches could potentially face fines from the Federal Trade Commission and state governments for violation of privacy laws… Indeed, a number of existing laws pertain to the protection and sharing of personal information, including the Federal Trade Commission Act (FTC Act), Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transaction Act, and the Health Insurance Portability and Accountability Act (HIPAA). In addition, 46 states have laws which require businesses to notify consumers when PII has been lost or stolen.” (2011 — The Year of The Breach: Consumers, Companies, Insurers, and Legislators Stake Out Positions After Rash of Data Breaches by Zelle Hofmann Voelbel & Mason LLP) 

2. Employee Background Checks

“Employers who use a third party to gather background information and verify references must be sure to comply with the federal Fair Credit Reporting Act (FCRA). From its title, you may conclude that the FCRA only applies to traditional credit reports. It covers much more than that. The FCRA establishes detailed procedures that must be followed whenever a ‘consumer report’ or an ‘investigative consumer report’ is obtained for employment purposes. Consumer reports include such things as educational and employment histories, motor vehicle records, licenses and criminal background. Investigative consumer reports are consumer reports that are developed by interviewing people who may know the applicant or employee (such as checking references).” (Pre-Employment Background Checks: The Cure Can Be As Bad As The Disease by Warner Norcross & Judd) 

“Not surprisingly, the legal risks of making employment decisions using the Internet have become a real concern for businesses, especially when you consider that 54% of employers surveyed in 2011 acknowledged using the Internet to research job candidates. The actual number of employers using the Internet is probably higher, and sometimes companies may not even be aware that their employees are researching job candidates and factoring that information into their evaluations. This is yet another reason to establish an internal procedure for researching job candidates, and communicating your procedure to employees who are participating in the employment process.” (Legal Issues Surrounding Social Media Background Checks by Sheppard Mullin Richter & Hampton LLP) 

3. Data Collection

“Internet businesses targeting children must make parental consent a paramount concern in their operations. A business that overlooks parental consent risks substantial fines, harsh penalties and jeopardizing its viability. The FTC is making it clear that children are by no means off limits to businesses and can be used as information commodities… so long as businesses play by the rules, and obtain parental consent before tapping into this youthful resource.” (COPPA and the FTC: 2011 Update by Priore Law Group) 

“Plaintiffs in a federal lawsuit allege that the use of [foreign call] centers violates customers’ privacy and puts personal and financial information at risk. On August 3, 2011, three residents of Washington D.C. sued Bank of America over the alleged confidentiality and privacy risks caused by the transfer of their data to foreign call centers. On behalf of the class, the three plaintiffs allege that their financial data receives greater protection inside the United States than outside it.” (Does the Use of Foreign Call Centers Violate Privacy and Consumer Protection Laws? by Richik Sarkar) 

4. Privacy Policies

“Like all FTC orders settling charges of deception, the proposed order would prohibit Facebook from future misrepresentations. Specifically, the order would enjoin Facebook from express and implied misrepresentations about how it maintains the privacy or security of users’ information, including: (1) the extent to which a user can control the privacy of his or her information; (2) the extent to which Facebook makes user information available to third parties; and (3) the extent to which Facebook makes information accessible to third parties after a user has terminated his or her account.” (Proposed Settlement with Facebook Underscores the FTC’s Privacy Priorities by Morrison & Foerster LLP) 

“In the Spring of 2011, the FTC settled with Google after leveling charges that it violated its terms of service with respect to its unsuccessful social-networking platform ‘Buzz.’ … the FTC action against Google was not premised on the notion that the search engine’s practices were intrinsically invasive. Rather, the FTC charged that the company’s terms of service misled consumers into erroneously believing that they could opt out of the Buzz network.” (FTC Privacy Enforcement Targets ScanScout’s Failure to Toss Its Cookies by Sedgwick LLP) 

5. Personal Health Information

“In the old paper world before the Health Insurance Portability and Accountability Act (HIPAA), people often guarded patient medical records with good old-fashioned common sense. So why, in this new regulated world of laptops, flash drives, mobile devices and electronic medical records, does it appear that patient medical information is less safe? The answer: Our HIPAA policies are stale and our workforce members receive training often created with a focus on paper medical records. In addition, the technology has not caught up with expectations of electronic health record systems to audit access in real time.” (Why You Need to Worry AGAIN about HIPAA: Seven Practical Tips in the New Electronic Age by Ober|Kaler)

“[California Senate Bill] 559 … offers broader protection than GINA by prohibiting discrimination based on genetic information in the additional areas of housing, business services, emergency medical services, licensing qualifications, life insurance coverage, mortgage lending, and participation in state-funded or state-administered programs. The bill amends the Fair Employment and Housing Act (FEHA) to prohibit employment and housing decisions based on genetic information. FEHA, as amended, also prohibits licensing boards from requiring any qualification based on genetic information, unless the practice is demonstrably job-related.” (California Adopts Genetic Anti-Discrimination Protections by Morrison & Foerster LLP)