Though the National Association of Attorneys General (NAAG) Presidential Initiative "Privacy in a Digital Age" expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in point: a $17 million settlement with Google related to Google's use of tracking cookies on Safari browsers.
On November 18, 37 states and the District of Columbia announced the settlement with Google, which resolves an investigation that began in February 2012. Default settings on Apple's Safari browser do not allow for tracking across different websites. The investigation centered on whether Google tricked the browser into allowing such tracking, ostensibly in contradiction to the user's choice not to be tracked. Google faced similar scrutiny from the FTC, which entered into a $22.5 million settlement with the search engine giant late last year.
In addition to the $17 million payment, the state AG settlement prohibits Google, without the express consent of an individual user, from overriding that user's Internet browser setting to block tracking cookies. Google is also prohibited from misrepresenting the extent to which a user can manage how Google serves advertisements. Google must create and maintain a page that explains how users can exercise control over cookies. This separate "Cookie Page" must be maintained for five years.
Privacy investigations and enforcement actions are not just handled through the multistate vehicle; individual states are pursuing their own actions, scrutinizing website and mobile app privacy policies, investigating data security breaches, and paying close attention to how entities treat sensitive data like children's information and health information. For example, California has been particularly active in this area, releasing mobile app best practices guidance earlier this year, which followed on the heels of enforcement actions filed against mobile application developers.
Several states have also flexed their muscles in the health care arena, enforcing data breach notification requirements for the loss of protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Connecticut led the charge in 2010, exercising the new enforcement authority granted to the states under the HITECH Act, with a lawsuit against Health Net. In 2012, both Massachusetts and Minnesota entered the arena with investigations of their own. With this year's release of final rules under HITECH and a renewed national focus on health care, we wouldn't be surprised to hear about more states jumping into that privacy arena soon.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.