Draft House Bill Would Impose New Requirements on Mobile Data Collection and Create Joint FTC-FCC Oversight

A draft bill circulated by Rep. Ed Markey (D-Mass.) would require the Federal Trade Commission (FTC) to adopt regulations addressing monitoring software installed on mobile devices.  The bill stems from media reports last year regarding Carrier IQ's monitoring software, which is installed on millions of mobile devices.  If enacted, the Mobile Device Privacy Act would impose new obligations on wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers, underscoring both the number of industry segments involved and the complexity of addressing privacy concerns in today's mobile ecosystem.

One particularly noteworthy element of the Markey bill is its definition of "monitoring software," which is the trigger for the host of new regulations the bill would require:

"The term monitoring software means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed."

This broad definition would encompass a wide array of mobile apps and services available today.

Under the draft Mobile Device Privacy Act, the FTC would have one year to issue regulations requiring carriers and device retailers to disclose at the point of sale in a clear and conspicuous manner the fact that monitoring software is installed, the type of information the software is capable of collecting and transmitting, the identity of parties with which the information will be shared, and how the information will be used.  If the monitoring software is installed after the consumer purchases the device or service, the entity installing the software or providing the software download (e.g., carrier, equipment manufacturer, operating system provider, website operator, or other online service provider) would have to make the disclosure. 

The bill would also require parties to obtain express consent from consumers before the monitoring software begins collecting and transmitting data.

In addition, the bill would impose new information security requirements.  The FTC would have one year to adopt regulations requiring recipients of the monitoring data to establish information security policies and procedures to protect the data.  Parties that enter into agreements to share the monitoring data would have to file those agreements with the FTC and the Federal Communications Commission (FCC).

The Markey bill would also establish joint FTC and FCC enforcement, with the FCC having enforcement authority over commercial mobile service providers, mobile broadband service providers, and mobile telephone manufacturers and the FTC having authority over other parties.  The bill also provides for state attorney general suits and a private right of action.

Announcing Our New Hogan Lovells Privacy Partner Tim Tobin

We are delighted to announce that Tim Tobin, a key player in the Hogan Lovells Privacy and Information Management practice, has become a partner at our firm.

Tim Tobin’s entire professional career, even before law school, has had a privacy law focus. As an early practitioner in the relatively new field of privacy law, Tim has established himself as a "go-to guy" in the entire range of privacy law.  

Tim graduated from the George Mason University School of Law in May 2001 in the top 10% of his class, magna cum laude. Tim attended the evening program at George Mason law, working full time throughout law school. At law school, he was on the Law Review and served as Articles Editor of the Law Review. 

Tim had a professional career prior to and during law school. He worked at the U.S. Parole Commission within the U.S. Department of Justice from 1992 to January 2000.  It was in this government job that Tim first became familiar with, and handled, privacy issues relating to the Freedom of Information Act (FOIA), the Privacy Act, and similar issues relating to victim privacy and government records.

Tim joined Hogan Lovells practice director Chris Wolf at their previous firm, after a stint at a communications law-focused firm, and assisted with all manner of privacy and data security issues for clients.  At the previous firm, Tim served as senior editor of a comprehensive, highly praised legal treatise on privacy law published by the Practising Law Institute (PLI).

Throughout his legal career, Tim has focused on a wide range of privacy and data security law matters. He provides compliance counselling to clients on the wide array of privacy and data security laws, and is deeply experienced in litigation, regulatory agency investigations, agency rulemaking processes, and public policy issues. Tim has worked with clients across a range of industries including those involved with the Internet, new media and communications as well as financial services, airlines, hotel, transportation, sports and entertainment, among many others.

Tim writes and speaks frequently on privacy law topics, including recently at the Los Angeles Auto Show on the topic of new automobile technologies and privacy.  He is the Smart Grid expert for the Future of Privacy Forum, and he leads the firm's pro bono efforts in a new privacy pro bono initiative spearheaded by IBM and the IAPP.

Tim has distinguished himself by his prodigious work ethic, his comprehensive knowledge of privacy law which he translates into thorough and practical advice for clients, and for his strategic insights on contested matters.  He also is known as a really nice guy.

We are delighted to announce his advancement to partner.


Possible Health Information Trend in State Data Protection Statutes

With the compliance date for the federal health data breach notification requirements in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly enacted laws of three states – Missouri, New Hampshire and Texas – all of which have taken effect since June 2009.

  • Missouri – Within the key definition of "Personal Information," Missouri's new data breach notification law includes both "medical information" and "health insurance information," which, if disclosed in combination with an individual's name, may trigger notification obligations.
  • New Hampshire – In a provision separate from its general data breach notification law, disclosure of HIPAA-protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.
  • Texas – Expanding its existing data breach notification statute, Texas specifically amended the definition of "sensitive personal information" to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Compliance with these statutes may be costly and burdensome.  Businesses must carefully monitor access to, acquisition of, and disclosure of health and medical information in addition to the other types of sensitive information – social security numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be broad enough to cover, among other things, information relating to:

  • physical or mental health or conditions and medical histories;
  • provision of health care;
  • treatment and diagnosis;
  • payments for health care; and
  • insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations, while consistent with the federal requirements, extend beyond them.