July 08, 2009

Enforcement of Privacy Laws: A Freight Train is Coming

European Privacy Law And Social Networking : Privacy Law Blog. This post is a good indication why privacy on the internet is not only front and center as a national issue in the U.S. but is a concern internationally as well.

Online businesses need to start paying more attention to these issues, including (and especially) any health care sites. As a privacy attorney I have spent quite a bit of time lately reviewing in depth the FTC Red Flags Rules and the HITECH Act's impact on HIPAA.

I can assure readers that any lax enforcement of privacy laws on the part of government agencies is a thing of the past. The HITECH Act's Subtitle-D (Privacy) clearly transforms HIPAA from a paper tiger into one with visible teeth. Here's a brief summary of relevant changes to HIPAA under HITECH:

  1. HHS Mandatory Audits
  2. Business Associates are explicitly required to comply with HIPAA's Privacy and Security Rules.
  3. State Attorneys General are authorized to bring a civil action on behalf of residents.
  4. Funds from civil fines will go into the coffers of HHS's Office for Civil Rights (this alone is a game changer).

The point is that across the board, whether it is HHS or the FTC, government agencies are becoming increasingly aggressive in their enforcement actions. There is a regulatory freight train coming at the end of the tunnel unlike anything we have seen since Sarbanes-Oxley (aka SOX).

July 01, 2009

No longer business as usual at the FTC?

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous : Privacy Law Blog. Here's yet another indication of how the rules of the road may be changing with respect to privacy & security. Companies that want to collect the kind of "behavioral data" that Sears was allegedly collecting need to be much more aggressive in their privacy policy disclosures.

Simply taking the passive approach of burying disclosures in a privacy policy that nobody reads may not cut it anymore.

As a Privacy Attorney I obviously track these issues on a daily basis. But even the most casual Internet observer knows that privacy & data security are front page news. Look for the FTC to start sending a strong message to the online marketplace.

This is not your father's Internet.

June 29, 2009

Data Breach: TJX Hit with $2.5M Fine

Data Security is Serious Business. TJX, the company that owns TJ Maxx and other subsidiaries, gets hit with a $2.5M fine for the 2005-2006 data breaches that exposed 100 million consumer credit card records.

TJX did not admit any wrongdoing but agreed to implement industry-standard data security practices. The real damage done, however, despite the fact that $2.5M is more than a slap on the wrist, is to TJX's "reputation value." I believe there may have been a (class action) lawsuit as well.

In short, data security is serious business and even small companies need to start paying attention.

June 26, 2009

More stringent Internet privacy regulations imminent?

Web Privacy Efforts Targeted - WSJ.com. This article is probably an indication that industry groups are becoming increasingly alarmed that if they do not take steps to better protect consumer privacy on the Internet then the U.S. Congress will step in to fill the void.

If the latter happens it will be the small operators that feel most of the compliance pain, making it harder for them to compete. That will likely lead to further consolidation and ultimately less competition--not necessarily a good thing for consumers.

Unfortunately, cooler heads are unlikely to prevail and we will end up with a heavy-handed regulatory regime that makes legislators and consumer groups feel good, but does little to change things on the ground.

I am all for voluntary compliance and letting industry leaders attempt to set the standard.

June 24, 2009

Privacy & Data Security

EU Advisory Group Proposes Tighter Privacy Regulation On Social Networks. It seems like everyone is jumping on the privacy & data security bandwagon. Here an EC group wants tougher regulations on Social Networking Sites (SNS). We are likely to end up with some monstrous pieces of legislation (e.g. HIPAA) that are so complex only the "big boys" can afford to comply, and then only after some get "whacked" with a heavy fine.

As I have said often, I am all for privacy & data security. With respect to the latter, and if the HIPAA Security Rule is an example of what will emerge, we will end up with CIA-type security measures imposed on unsuspecting website owners that will mostly be ignored by the majority of small businesses.

What is required is guidance and tools, and not just tough language that makes legislators feel like they have actually improved protection for consumers.

June 22, 2009

Is Privacy An Illusion?

Is Privacy An Illusion? Facebook 'Fans' Claim Hack Exposes Private Profile Information (Update). Online businesses need to "wake up and smell the coffee." These privacy issues are not going away. Privacy and security are some of the hottest online legal issues--not necessarily because of the harm created but rather because the media has jumped all over it. Expect that to continue.

Also expect the FTC, HHS (for HIPAA), and other agencies to step up their enforcement efforts. They are going to ride the wave and send a message while the getting is good.

You can bet on it.

June 20, 2009

Caveat Employer?

Employers should look before they leap. Employee non-compete clauses are not favored in CA, and apparently an employer had better have its ducks in a row before it brings a trade secret action without any evidence in that forum as well.

This particular employer had a bad day in court and it cost them $1.6M. With so many Americans out of work it may be that the courts are once again becoming more sympathetic to an employee's right to earn a living. Sure, employers with cause should not hesitate to vigorously protect their trade secrets, but make sure that there are solid grounds before bringing an action.

June 17, 2009

Sign of the Times?

The Music Industry Will Need To Win More Than Just The Legal Arguments In Capital v. Thomas : Owners, Borrowers & Thieves 2.0. Sweden's Pirate Party gets a seat in the European Parliament as a result of Sweden's liberal view on copyright protection.

Whether or not you agree with the decision in the case that rallied the troops to vote the way they did, one fact is indisputable: the "kids" (18-24) got out and voted to make their voices heard. Surely the Internet played a significant role in this outcome because the case was widely known internationally, and it remains unclear what the unintended consequences might be for the music industry.

Now we have a US case going to trial: Capitol v. Thomas. Six record companies have brought suit against Jamie Thomas for allegedly using a P2P network to share music files. Of the many cases brought by the music industry, apparently this is the only one that has gone to trial.

Whether the music industry is "right on the law" may not be as important as the fallout that comes from suing your customers--especially those with the most disposable income to purchase music. In short, this will be an interesting case to watch as much for its economic, social and political impact as for the outcome itself. The music industry will never return to the good ol' days, so the question is "what does this portend for its future in its next incarnation?"

Just because you can do something from a legal perspective doesn't always mean that you should. In these days when we all have instant access to global communications, the business impact of your legal strategy should not be something that is ignored willy-nilly. How much is your reputation worth to the market that buys what you sell?

June 15, 2009

Red Flags & eCommerce Websites?

Red Flags and Address Discrepancies FAQs : Privacy Law Blog. Good post here about the FTC "Red Flags" rules. Financial institutions are "covered entities," BUT what many eCommerce websites don't realize is that they are potentially covered entities as well. Why? For software-as-a-service (SaaS) sites it may depend on whether they allow customers to make monthly or quarterly installment payments on the subscription price. If so, they may be considered a "creditor" under the rules. Ouch. Most eCommerce sites probably have no idea that they might have some liability under FACTA.

Privacy and data security continue to be hot topics and you can expect the FTC to become more aggressive in its enforcement activities.

June 10, 2009

Changing Terms of Use Agreements?

Technology & Marketing Law Blog: Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster. One possible way to solve this problem, regarding unilateral modifications to a website terms of use contract, which for obvious reasons (as Eric points out) the courts do not like, is as follows (at least for sites that require you to log in):

At "Login" force the user to click the I agree button once again and display the modified terms of use agreement. Yeah, no one will read it, but at least there has been an "acceptance" that a court might buy. Your users might be a little annoyed, but terms don't change that often.

What about people that stay logged in? When the terms have changed, expire all sessions that have been dormant for a certain period of time. The banks do this all the time. There are probably some holes in this strategy, but for certain kinds of popular sites it seems like it might work.

At least it appears to be better than the alternative from a legal perspective (i.e. better than just changing the terms unilaterally and posting a notice that the terms have changed). Obviously, none of this matters until a legal issue arises, but as Eric points out, you do not want a court to disregard otherwise valid and important clauses in the contract.
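Added example, not code from the original post or from any of the cases it discusses: a minimal login-gated site that implements the two ideas above, forcing a fresh "I agree" at login whenever the terms have changed, and expiring sessions that are dormant on old terms. The in-memory stores, the 12-hour dormancy limit and the user names are assumptions for the demonstration. The terms are versioned by a hash of their text so "changed" is decided by the content rather than by a counter someone forgot to bump, and each acceptance is recorded with the version hash and a timestamp, which is the evidence you would want to show a court.

```python
# Added illustration (not the original post's code).  Assumed: in-memory
# stores, a 12-hour dormancy limit, and the constructed demo users below.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Dict, Optional

DORMANT_LIMIT = timedelta(hours=12)  # assumed policy: idle this long on old terms means re-login


def terms_version(terms_text: str) -> str:
    """Version the terms by content hash: 'changed' means the text changed."""
    return sha256(terms_text.encode("utf-8")).hexdigest()[:16]


@dataclass
class User:
    name: str
    accepted_terms: Optional[str] = None    # version hash the user last agreed to
    accepted_at: Optional[datetime] = None  # when; kept as evidence of acceptance


@dataclass
class Session:
    user: str
    terms_version: str  # terms in force when the session was issued
    last_active: datetime


@dataclass
class Site:
    terms_text: str
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)

    @property
    def current_terms(self) -> str:
        return terms_version(self.terms_text)

    def login(self, username: str, now: datetime, agreed: bool = False) -> Optional[str]:
        """Return a session id, or None if the user must first click "I agree"
        on the current terms (the caller displays them and retries with agreed=True)."""
        user = self.users[username]
        if user.accepted_terms != self.current_terms:
            if not agreed:
                return None
            user.accepted_terms = self.current_terms
            user.accepted_at = now
        sid = secrets.token_urlsafe(16)  # unguessable session id
        self.sessions[sid] = Session(username, self.current_terms, now)
        return sid

    def update_terms(self, new_text: str, now: datetime) -> int:
        """Publish new terms and drop every session that is on the old terms
        and already dormant.  Returns the number of sessions expired."""
        self.terms_text = new_text
        stale = [sid for sid, s in self.sessions.items()
                 if s.terms_version != self.current_terms
                 and now - s.last_active > DORMANT_LIMIT]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def request(self, sid: str, now: datetime) -> bool:
        """Authorize a request.  A session issued under old terms keeps working
        while it stays active; once idle past DORMANT_LIMIT it is expired here,
        which also catches sessions that went idle after update_terms() ran."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if s.terms_version != self.current_terms and now - s.last_active > DORMANT_LIMIT:
            del self.sessions[sid]
            return False
        s.last_active = now
        return True


def demo() -> Dict[str, object]:
    """Walk two constructed users through a terms change."""
    t0 = datetime(2009, 6, 10, tzinfo=timezone.utc)
    site = Site("terms v1")
    site.users = {"alice": User("alice"), "bob": User("bob")}
    out: Dict[str, object] = {}
    out["first_login_blocked"] = site.login("alice", t0) is None  # must agree first
    alice = site.login("alice", t0, agreed=True)
    bob = site.login("bob", t0, agreed=True)  # bob then goes idle
    site.request(alice, t0 + timedelta(hours=23))  # alice stays active
    out["expired_on_change"] = site.update_terms("terms v2", t0 + timedelta(hours=24))
    out["active_old_session_ok"] = site.request(alice, t0 + timedelta(hours=25))
    out["dormant_old_session_ok"] = site.request(alice, t0 + timedelta(hours=40))
    out["relogin_blocked"] = site.login("alice", t0 + timedelta(hours=40)) is None
    out["relogin_after_agree"] = site.login("alice", t0 + timedelta(hours=40), agreed=True) is not None
    out["bob_session_gone"] = site.request(bob, t0 + timedelta(hours=40))
    return out


if __name__ == "__main__":
    print(demo())
```

Note the check in `request()`: expiring dormant sessions only at the moment the terms are published leaves a hole for sessions that were active then and went idle afterwards, so the dormancy test is repeated on every request under old terms.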
