St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
December 2010
Prepared by Karen L. Neuman

  • This update is for informational, including advertising, purposes only and is not intended to be nor should it be considered to be legal advice.

In this Issue:
FEATURED ARTICLE: PRIVACY & THE APP ECONOMY
U.S. FEDERAL TRADE COMMISSION RELEASES CONSUMER PRIVACY REPORT
PRIVACY LEGISLATION & THE 112TH CONGRESS
BROADBAND INTERNET SERVICE PROVIDERS & PRIVACY REGULATION: STAY TUNED
PRACTICAL SUGGESTIONS FOR BUSINESSES THINKING ABOUT ADOPTING SOCIAL MEDIA
KAREN NEUMAN DISCUSSES PRIVACY & THE USE OF BIOMETRICS BY INSTITUTIONS OF HIGHER LEARNING

Practical Suggestions for Businesses Thinking About Adopting Social Media
The adoption and use of social media tools by business enterprises is increasing at a rapid pace. Corporate Facebook fan pages, Twitter accounts, YouTube channels and corporate blogs are fundamentally redefining internal and external corporate communications. This development has created new opportunities to promote a company’s brand, attract and engage customers or clients, and collaborate with employees and business partners. These same opportunities can also create legal risks resulting from a failure to adequately safeguard personal or sensitive employee, customer or enterprise data. Adopting social media tools without adequately evaluating legal risks could result in reputational and other business harms.

Karen Neuman Discusses Privacy & the Use of Biometrics by Institutions of Higher Learning
On November 18, 2010 SLRNO Founding Partner Karen Neuman discussed legal risks associated with the use of biometric systems for identity management by higher education institutions during an Educause Live! Webinar. She noted that although the emergence of biometrics technologies offers colleges and universities potential new tools for confirming identity for such functions as campus security, managing access to facilities and services, and online test-taking, the same technologies create legal and reputational risks that must be considered before implementation. Karen provided a framework for evaluating these risks, taking into account key federal, state, and European privacy laws, as well as common law. She concluded her remarks by offering some practical strategies for minimizing risk based on existing laws and regulations and emerging trends.



Featured Article:
Privacy & the App Economy
By Karen L. Neuman

Mobile applications have made a splashy debut across global platforms and will be a driver in the creation of a vibrant new economy. Consumers, business and other enterprises are able to access and download or deploy “Apps” over mobile devices, social networking platforms, web sites and browsers for entertainment and to perform a wide variety of functions and transactions. As a result, the App is replacing the website as we know it and spawning a thriving new ecosystem.

This ecosystem is currently inhabited by several key players, for example: the Venture Capital community that is funding the developers of new digital goods and services; device manufacturers, telecommunications carriers and platform service providers over which App developers make their products available; and cloud service providers that store digital products. All of these sectors are competing to secure their niche and monetize their products or services in the nascent App economy. To do so, each must identify and overcome a number of important challenges. For example, developers must address discoverability and distribution; carriers must decide how best to leverage ownership in their network infrastructure and longstanding customer relationships; and publishers and other content providers need to predict how Apps will be accessed in the future -- for example, through an App store or web browser.

Almost certainly, however, all of these business sectors will have to face a common challenge in the near future -- the looming governmental response (by US or International authorities, or both) to a perceived increase in the risk to individual and enterprise privacy posed by the collection, retention, sharing and use of personal data when an App is accessed or downloaded. This perception of risk will probably escalate when technology enables individual data that is captured during the process of accessing and downloading an App (and perhaps embedded in Apps) to be transferred from one device to another in real time with a person’s movements. Some current or reasonably foreseeable examples include data about an individual’s home energy consumption captured in a smart grid App; personal health data captured in an individual’s electronic health record App; sales information captured in a company’s product management App; and an individual’s location captured in a social media App -- traveling with an individual from smartphone, iPod, tablet, or e-reader to vehicle, television or game console.

The privacy concerns posed by these and similar scenarios raise a number of interrelated questions, including: (1) What is the appropriate framework for managing and securing personal information? (2) Which entities in the business chain should bear legal responsibility for protecting privacy? (3) What tools should be given to users to manage their data? and (4) Whose laws and regulations should govern in the global marketplace?

In the US, it may be tempting to look to the existing approach for protecting privacy -- the linchpin of which has been fair information principles (FIPs) -- to predict a similar approach to privacy protection in the App economy. But the FIPs approach was implemented at a time when policymakers may not have perceived the extent, pace or global reach of technological innovation, the rapidly evolving methods for collecting personal data or commercial uses of data, or the advent of location-based technologies and services. In the current climate, policymakers might conclude that something more than a FIPs approach is required.

The FIPs framework currently operates alongside long-standing privacy laws and regulations that are both broad-based (e.g., the Telecommunications Consumer Privacy Act (TCPA), the Stored Communications Act, the Privacy Act of 1974, and the Children’s Online Privacy Protection Act) and sector-specific (e.g., the FCC’s Customer Premises Equipment Rules, the Cable Communications Act of 1984, the Health Insurance Patient Portability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act). A common denominator of many of these laws is that they generally permit businesses to share customers’ personal information with “affiliates”. But in the App ecosystem, legally sufficient “affiliate” relationships may be less likely to exist. For example, a federal appeals court applying the TCPA to unsolicited commercial text messages recently concluded that the entry into a contractual relationship for a business purpose did not confer “affiliate” status within the meaning of the statute.

In the App economy, data collection may be more likely to occur when unaffiliated and distinct businesses interact with users at various points along the business chain. For example, developers might collect customer data through their software applications; platforms over which Apps may be accessed and downloaded may collect data independent of the App developer; ISPs may collect data when a user accesses and downloads an App over the carrier network; and mobile and other devices can collect data during an App’s use. Users may not understand who among these entities may be accessing their data. Regulators are starting to examine these scenarios to ascertain who should bear the risk, including legal obligations involving notice, consent, and safeguarding data.

Recent court cases reveal the inability of the law to keep pace with innovation, and illustrate the difficulty of applying dated laws to new and emerging technologies. Some federal courts have explicitly refrained from making sweeping privacy rulings in the absence of better information about the technology at issue and behavioral practices regarding use. Likewise, regulators in some instances have refrained from acting to create new rules for emerging online services to avoid impeding innovation. For example, after investigating online behavioral advertising practices, broader online privacy issues arising from social media and mobile communications, and the mobile marketplace in general, the FTC issued guidelines and reports, but fell short of calling upon Congress to enact new laws.

Experience demonstrates that even the most sophisticated, forward-looking laws may not embody the kind of flexibility required to keep pace with technology innovation. Outdated approaches to protecting privacy in the App marketplace could not only prove cumbersome, but could stymie innovation at a time when the industry is still in its relative infancy.

One alternative for protecting privacy without inhibiting innovation would be to encourage government support for industry standards, best practices and self-regulation that integrate a FIPs approach. Industry standards and best practices that are informed by existing rules and guidelines could be more readily modified to address privacy and information management or security concerns with the emergence of new devices, products and technologies. Self-regulation would also be beneficial to a fundamental segment of the App economy -- the App developers, many of whom have no experience with government regulation. Best practices and self-regulation could ensure the incorporation of privacy protections at the earliest stages of product development, an approach that regulators are already on record as promoting -- most recently in an FTC Staff draft privacy report.[1] Integrating long established FIPs into industry self-regulation would bestow a familiar and tested framework on privacy protection to which all businesses operating in the App economy might be more likely to adhere. Finally, regulators already have powerful enforcement tools at their disposal that they can use to take action against bad actors.

The App economy is still in its very early stages. Proactively addressing privacy concerns through industry standards, best practices and self-regulation could minimize business and legal risk, instill confidence in consumers, and avoid potentially harmful regulation.

[1] Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers, released December 1, 2010, available at: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.

 



US Federal Trade Commission Releases Consumer Privacy Report
On December 1 the US Federal Trade Commission (FTC) released its long-awaited consumer privacy report. Released as a Preliminary Draft Staff Report and approved by a vote of 5-0, the document is the culmination of a series of “Privacy Roundtable” discussions convened by the agency last year in Washington, DC and Berkeley, California. In it the FTC proposes a “normative framework” with policy recommendations to Congress for protecting consumer privacy both on and off line. The proposed framework incorporates three core features: privacy by design, improved transparency, and improved consumer choice. Significantly, the report’s framework applies to the collection of data that can be "reasonably linked to a specific consumer, computer or other device."

The FTC is accepting public comments on the report through January 31, 2011 and plans to issue a final report later in the year.

Given the FTC’s limited rulemaking authority, Congressional action will be required to implement many of the report’s recommendations, including a “Do Not Track” registry for web-based marketing similar to the Do Not Call registry for telemarketers. FTC Chairman Jon Leibowitz first floated the concept during Congressional testimony in July. According to the report, a Do Not Track mechanism would likely take the form of a persistent identifier on consumers’ browsers, similar to a cookie, to enable users to “choose whether to allow the collection of data regarding their online searching and browsing activities”.

In addition, the report:

  • Urges businesses to refrain from retaining customer data (particularly location information) for longer than necessary to accomplish a specific business purpose.
  • Admonishes industry to refine self-regulatory initiatives to make privacy protection “more meaningful”.
  • Recommends that businesses adopt a ‘privacy by design’ approach to “build privacy protections into everyday business practices”, including providing reasonable measures for securing consumer data and ensuring data accuracy and limiting the collection of consumer data.
  • Recommends that businesses implement and enforce “procedurally sound” privacy practices throughout their organizations, including assigning personnel to oversee privacy, training employees, and conducting privacy reviews for new products and services.
  • Recommends that consumers be presented with choice about collection and sharing of their data in real time (instead of after having read “complicated” privacy notices). The report acknowledges that consumer consent may not be required for certain commonly accepted practices such as “product and service fulfillment, internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing.”
  • Suggests considering standardized privacy notices.
  • Recommends allowing consumers “reasonable access” to data that companies maintain about them, particularly for “non-consumer” facing entities such as data brokers.

Chairman Leibowitz emphasized in public remarks accompanying the report’s release that the FTC will continue using its enforcement authority to take action against companies that “cross the line” to violate consumer privacy, particularly in instances involving young children and teens. (The FTC is in the midst of a separate proceeding to review the Children’s Online Privacy Protection Act Rule.)

It is unlikely that this report will result in an immediate change in the law or existing regulation, even in the event of renewed Congressional interest in expanding the FTC’s rulemaking authority. Nevertheless, the report’s release offers a useful roadmap to business for minimizing the risk of an FTC enforcement action. In addition, the report comes at a time of heightened focus on privacy concerns by regulators and lawmakers in many quarters. The FCC National Broadband Plan reveals the FCC’s interest in ensuring that privacy concerns do not create obstacles to the adoption of broadband or cloud computing services. The House Subcommittee on Consumer Protection held a hearing to address privacy concerns the day after the report was released. The release of a US Commerce Department report that addresses online privacy is imminent.

If adopted, the FTC’s report could require businesses to significantly modify current privacy and data security policies. Now is the time to review current data collection, retention, sharing and use practices.

The report can be viewed at: http://www.ftc.gov/Os/2010/12/101201privacyreport.pdf.

 



Privacy Legislation & the 112th Congress
The full impact of the 2010 mid-term elections on prospects for federal privacy legislation is still unfolding. One of the central figures in the effort to pass privacy legislation, Rick Boucher (D-VA), was defeated and is winding down his tenure as Chair of the House Subcommittee on Communications, Technology & the Internet in the lame duck Congress. High-ranking Republican Subcommittee members have indicated that privacy continues to be a concern. Nevertheless, it is unlikely that comprehensive privacy legislation in the new Republican-controlled House will get traction. That is because the economy, including deficit reduction and employment, will continue to be a principal focus in both Chambers, along with health care, homeland security and immigration reform.

That said, Republicans and Democrats have already indicated that protecting consumer privacy will not be abandoned in the 112th Congress. Efforts will continue to focus on how to create an appropriate legal framework for regulating the online and off line data collection, sharing and use practices of companies doing business in the US. A central tension will involve whether to simply codify existing industry self-regulatory programs or more broadly define an appropriate role for the federal government, and spell out specific measures for protecting consumers’ privacy in the global online marketplace. Any effort to expand the federal government’s role will likely be limited to the following areas: 1) consumer privacy/children’s online safety, 2) cyber security, 3) Electronic Communications Privacy Act (ECPA) reform, and 4) electronic health record privacy.

With this in mind, here is what can be expected:

  • Hearings on the FTC’s recently released consumer privacy report. The report reflects the culmination of a series of “Roundtable discussions” convened by the agency during 2010 to address concerns about how the commercialization of personal information affects consumers. The report contains recommendations for improved industry self-regulation and a “do not track” option similar to the telemarketing do not call program. Portions of the report, including these two recommendations, could serve as a basis for legislation. The Department of Commerce will release its privacy report this month, which is expected to contain policy recommendations that are also likely to be the subject of review and hearings.
  • ECPA Reform. Congress can be expected to continue efforts initiated in the current session to consider ECPA reform. The law, enacted in 1986, limits government access to wireline and certain electronic communications. ECPA enactment preceded the explosion of online services and products including social media, mobile communications and location based services. Recent court decisions applying ECPA to some of these services and products have noted the difficulty of applying outdated laws to new technologies, prompting calls from many quarters for ECPA reform.
  • Comprehensive Data Security Legislation. The drum beat of state data breach laws (forty-six states have data security laws of varying stringency), together with recent FTC data security rules, may have muted what had been a growing chorus advocating comprehensive data security legislation. Nevertheless, interest in data security remains unabated in the wake of well-publicized data breaches across sectors and the increasing risk of identity theft -- particularly as commerce moves to mobile devices and applications. Interest in a more unified, as opposed to the current “siloed” approach to protecting consumer data could surface. At a minimum, targeted data security initiatives can be expected, including measures to 1) clarify the application of new rules to business, such as the FTC’s “Red Flags” rule that applies to businesses that extend credit to customers or defer payment for services; or 2) codify breach notification protocol in rules such as the FTC’s Health Data Breach Notification rule that applies to non-HIPAA covered entities.
  • Cyber Security Legislation. There appears to be strong bi-partisan support for passage of cyber security legislation in light of growing concerns about cyber security and terrorism. Passage of a cyber security law therefore appears likely during the 112th Congress. The process may incorporate proposals in measures pending in the current session into a new bill. Some of those proposals included providing the President with tools and resources needed to protect against or take action in the event of a cyber attack. For example, a Senate measure would have created an office of national cyber security and communications within the Department of Homeland Security to work with the private sector to combat threats to the cyber infrastructure. The Department of Defense and the Department of Homeland Security recently entered into an agreement that contemplates creating an NSA office of cyber security within the White House. A significant part of the process will involve close congressional scrutiny of privacy and civil liberty concerns created by these or similar proposals, as well as questions concerning Executive “control” over the Internet in the event of a cyber attack. Considerable attention will also be devoted to defining which agencies will be responsible for adopting rules to implement privacy protections spelled out in a new cyber security law.
  • Personal Health Data Security. Congress can also be expected to look carefully at personal health data security in light of the ongoing push to integrate IT into the delivery of health care services, including digitizing medical records, the continued rollout and certification of electronic personal health care products, and the role of mobile devices in accessing patient data. Agency adoption of rules implementing various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act could trigger hearings to assess the sufficiency of privacy protections mandated under the HITECH Act and other statutes.

Regulatory Initiatives in Brief.

Any legislative preview would be incomplete without noting related federal agency initiatives. Businesses should expect that federal agencies will continue to be actively engaged in privacy and data security issues. The FTC will continue to play an important role in protecting consumer privacy, and the Department of Commerce report can be expected to inform consideration of policy changes.

In addition:

  • The creation of the Consumer Financial Protection Bureau (CFPB) by the Dodd-Frank financial reform law is expected to result in numerous privacy-related rulemaking proceedings. Critical issues will involve clarifying the roles of the CFPB and FTC in protecting consumer privacy.
  • The FCC can be expected to continue to address privacy issues related to cyber security to the extent those issues affect entities subject to its authority, including telecommunications carriers.
  • FCC Authority over Broadband ISPs. The ongoing tussle involving the FCC’s authority over ISPs and “net neutrality”, particularly in light of the DC Circuit’s Comcast decision, ultimately will have some bearing on the FCC’s authority to mandate privacy protections for broadband ISP services. Later this month, Chairman Genachowski will release new rules governing the extent to which the FCC can regulate broadband ISP providers. Instead of reclassifying broadband as a “Title II” service subject to common carrier regulation, as initially proposed, the agency will invoke its Title I ancillary authority over broadband services. Doing so is likely to mean that the FTC, not the FCC, will continue to be the lead agency addressing consumer privacy issues involving Broadband ISP services.
    It is unclear whether this approach will also apply to wireless broadband. Chairman Genachowski has expressed his view that there are differences between fixed and mobile broadband and that the FCC will “address anticonsumer behavior as appropriate.” Whether this includes addressing privacy and mobile broadband services remains to be seen. Following the public comment period, the agency can be expected to issue a final rule which will likely be challenged in court.
  • Children’s Online Privacy Protection Act (COPPA) Rule Review. One exception to the FTC’s limited rulemaking authority involves its mandate to promulgate and review rules implementing COPPA. This spring the FTC undertook a wholesale review of the COPPA rule. The agency seemed particularly focused on the risks to children’s privacy posed by social media, mobile communications devices, and location-based services and applications. Contemplated changes to the rule include expanding the current definition of “personal information” to encompass persistent identifiers, improved age verification procedures, and changes to the current parental notification and consent scheme. It is possible that the proceeding could result in rule changes. All website operators, irrespective of whether they are directed exclusively to children, should keep apprised of the FTC’s activities and the possible release of a proposed rule or guidelines.
  • Privacy and the Smart Grid. On October 5 the Department of Energy (DOE) released a report following its inquiry into privacy and the Smart Grid. The report was prepared in response to certain recommendations included in the FCC’s National Broadband Plan. It contains a number of findings about privacy risks created by the collection of granular information about utility customers by Smart Grid technologies, safeguards that should be implemented to protect against a breach of customer data captured by these technologies, and restrictions on utilities’ sharing of customer data with third parties for commercial or other purposes. These findings could be incorporated into potential congressional privacy legislation or federal agency rulemaking proceedings to address privacy and the Smart Grid.

 



Broadband Internet Service Providers & Privacy Regulation: Stay Tuned
Despite recent legal and regulatory developments, Broadband Internet Service Providers should prepare for the possibility that they may be subject to new requirements for protecting customer privacy and data security.

The Federal Communications Commission (FCC) has traditionally regulated the common carrier activities of Broadband ISPs, including imposing consumer protection obligations through longstanding Customer Proprietary Network Information (CPNI) rules. The FCC continues to enforce these rules, imposing significant fines for non-compliance. In addition, the agency is asserting a role in cyber security policy initiatives, including evaluating vulnerabilities that would expose the communications infrastructure to cyber attacks and appropriate responses. A significant aspect of the FCC’s involvement in cyber security will involve coordinating with other federal agencies, including the NSA and Department of Homeland Security, industry and other stakeholders to address privacy and data security issues posed by proposed cyber security countermeasures.

Tasked with broad consumer protection powers, including enforcement powers, the Federal Trade Commission (FTC) plays an active role in protecting consumer privacy. The agency has used its enforcement authority to initiate a number of high-profile enforcement actions against commercial website operators and other online service providers. It has also issued guidelines for behavioral advertising, recently released a comprehensive report on consumer privacy with numerous policy recommendations, and is in the midst of reviewing the Children’s Online Privacy Protection Act rule.

Many broadband ISP providers have historically been beyond the FTC’s reach under the Federal Trade Commission Act’s “common carrier exemption.” Under this exemption, broadband ISP services -- if offered as a common carrier service -- are subject to FCC regulation under Title II of the Communications Act.

Over the course of the last decade, however, a number of FCC decisions, including those that classified Broadband Internet access as an information service and removed the requirement that transmission be offered as a telecommunications service on a common carrier basis, significantly weakened the FCC’s ability to impose privacy and data security obligations for new broadband ISP services and applications.

In 2009, the FCC sought to reassert jurisdiction over broadband services whether or not offered as non-common or common carriage. The justification for doing so was rejected by the D.C. Circuit in the Comcast case, which involved an appeal of FCC sanctions against the company for allegedly discriminating against classes of service over its network. In response, the FCC appeared poised to reclassify Broadband ISP services as a Title II service. Doing so would have brought Broadband ISP privacy and data collection practices under FCC authority. The agency has all but abandoned that strategy. The telecommunications sector awaits the release of proposed rules that will assert Title I jurisdiction over Broadband ISPs, potentially opening the door for FTC assertion of jurisdiction over broadband ISP data collection security practices.

Apart from these FTC-FCC jurisdictional issues, there are increasing calls from many quarters, including the FCC, to develop a unified approach to privacy protection regulation, doing away with the current compartmentalized, sector-specific approach that is growing increasingly outdated with the rollout of new technologies and products that blur traditional jurisdictional distinctions. For example, the probable ability of ISPs to prioritize certain types of traffic or institute usage-based pricing may raise privacy issues that could fall between jurisdictional gaps. Similarly, the advent of location-based services raises uncertainty about regulatory responsibility for related privacy concerns.

All of this must be viewed in the context of the goals of the FCC’s National Broadband Plan. The FCC appears concerned that fears about the increased erosion of privacy and data security protections pose significant obstacles to increased broadband adoption and related services and applications, including cloud computing, mobile patient monitoring and health IT, distance learning and smart grid technologies. The FCC expressed concern that the transfer of personal or sensitive data from local networks and servers to those hosted by remote third parties raises numerous privacy and data security questions.

To further its agenda of promoting broadband adoption and innovation, the FCC has urged Congress to strengthen privacy and data security protections and implement the following recommendations:

  • The Congress, FTC and FCC should clarify the obligations of organizations that collect, use and monetize personal information or create digital profiles and clarify the relationship between users and their online identities; and
  • Congress should consider how to promote the development of identity providers to help consumers manage their online data.

The FCC also recommends:

  • The FCC and FTC should undertake a joint effort to require that consumers provide informed consent before broadband ISPs can share personal information with third parties;
  • The FCC should support broader national online security policy and coordinate with the FTC, the White House Cyber Office, and other federal agencies; and
  • The federal government should create an interagency working group to coordinate child online protection.

Finally, it should be noted that a number of federal agencies are currently examining privacy, including the Department of Commerce and the National Institute of Standards and Technology. The Department of Commerce will release a report this month following its inquiry into online privacy and innovation. Like the FTC consumer privacy report, the Department of Commerce report is expected to contain findings and recommendations that could be incorporated into new rules affecting broadband ISPs.

These developments are not likely to result in immediate regulation for Broadband ISPs. They do suggest, however, a strong likelihood that broadband ISPs will be confronted with new regulations that could add significant compliance costs to operations. Accordingly, these developments should be closely monitored and opportunities to affect the regulatory environment by filing comments and meeting with policymakers should be identified.

 



Practical Suggestions for Businesses Thinking About Adopting Social Media
The adoption and use of social media tools by business enterprises is increasing at a rapid pace. Corporate Facebook fan pages, Twitter accounts, YouTube channels and corporate blogs are fundamentally redefining internal and external corporate communications. This development has created new opportunities to promote a company’s brand, attract and engage customers or clients, and collaborate with employees and business partners. These same opportunities can also create legal risks resulting from a failure to adequately safeguard personal or sensitive employee, customer or enterprise data. Adopting social media tools without adequately evaluating legal risks could result in reputational and other business harms.

Regulated industries, including financial services, health care and those subject to certain FTC rules and guidelines, must pay particular attention to sector-specific laws and regulations -- many of which predate modern communications technologies.

For example, the financial services industry has numerous record keeping requirements, including that companies retain records of their own communications and those of authorized representatives. Some of these rules can apply to communications using social media. The content of these communications typically triggers retention rules. Yet because social media communications are by nature interactive and distributed across the platform, third party postings could be attributable to the company. Questions may also arise about legal custody of those communications, including whether a communication is under the control of the financial services company, the platform provider or other persons. Similar issues can arise for other regulated or unregulated businesses.

Irrespective of whether a business is a regulated or unregulated entity, social media tools are a fact of workplace life. Therefore, businesses should implement policies and procedures to ensure appropriate management of and control over use of social media tools by personnel. An important first step is to create a social media policy.

Before creating a social media policy, a business should: 1) thoroughly evaluate industry-specific laws and regulations; 2) undertake a thoughtful assessment of its workplace culture and operations, including the computing environment and employee use of social media; and 3) have a clear sense of the customers, clients and business partners with whom it wishes to interact and the objectives of those social media interactions.

Businesses may want to consider creating different policies for different social media tools. This approach could involve creating a general social media policy with links to separate policies that apply narrowly to a specific tool. Other businesses may want to consider creating separate internal and external policies to reflect distinct uses.

A social media policy should include a number of important core components. It should:

  • Articulate at the outset that the policy represents a company’s official guidelines for social media use for employees and, if desired, contractors.
  • Require all persons authorized to speak for the company through social media to undergo appropriate training and specify any consequences for failure to do so.
  • Clearly specify who is authorized to speak for the company through social media.
  • Refer to and provide links to other key corporate policies, including those that protect corporate confidentiality, intellectual property and personal privacy.
  • Limit use of company communications devices and equipment for social media postings and place employees on unambiguous notice that they should have no expectation of privacy in workplace social media communications. (Ensure that managers or supervisors do not unintentionally create an expectation of privacy verbally or through other means.)
  • Tailor company social media policies to industry-specific laws and regulations, including disclosure requirements applicable to regulated industries.
  • Prohibit targeted advertising that is based on impermissible criteria such as race.
  • Prohibit the posting of legally impermissible content.
  • To avoid liability for third-party postings, particularly in the case of regulated industries, assert the right to remove unlawful or inappropriate content.

As noted, technology innovation and use continue to evolve rapidly, creating new means of generating, communicating and distributing information. It is a safe bet that the law will be unable to keep pace with these rapid changes, resulting in some legal, business and regulatory uncertainties. Nevertheless, businesses can benefit from social media technologies and minimize risk by formulating carefully considered social media policies followed with appropriate oversight and coordination among departments.

Businesses should keep apprised of changes in the legal or regulatory environment, and undertake a periodic review of their social media policies to reflect these changes, as well as changes to business operations or the use of new communications technologies and tools.

 



Karen Neuman Discusses Privacy & the Use of Biometrics by Institutions of Higher Learning
On November 18, 2010, SLRNO Founding Partner Karen Neuman discussed legal risks associated with the use of biometric systems for identity management by higher education institutions during an Educause Live! Webinar. She noted that while the emergence of biometrics technologies offers colleges and universities potential new tools for confirming identity for such functions as campus security, managing access to facilities and services, and online test-taking, the same technologies create legal and reputational risks that must be considered before implementation. Karen provided a framework for evaluating these risks, taking into account key federal, state, and European privacy laws, as well as common law. She concluded her remarks by offering some practical strategies for minimizing risk based on existing laws and regulations and emerging trends.

 



Copyright © 2010 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington, D.C. 20036