Privacy and Security Law Blog

• FTC Announces "Crackdown" on Do-Not-Call Violators
  

  Posted by Ronald G. London

  The Federal Trade Commission recently announced that as a result of a new crackdown by the agency on violations of the National Do-Not-Call Registry (“NDNCR”) and related provisions of the FTC’s Telemarketing Sales Rule (“TSR”), it entered several consent decrees with multiple companies totaling $7.7 million in civil penalties, with one complaint still outstanding. The FTC brought the enforcement actions against Craftmatic (purveyor of adjustable beds and mobility assistance scooters) and affiliated entities through which it conducts telemarketing, ADT for TSR-violative actions by authorized third-party dealers of its security systems, Ameriquest Mortgage Company, Guardian Communications and its prerecorded call vendor U.S. Voice Broadcasting, and Global Mortgage Funding. Each of the first four companies and their affiliated entities entered consent decrees with the government and agreed to pay substantial civil penalties (amounts provided below) and to injunctive relief prohibiting them from engaging in similar violations in the future, while the FTC’s complaint for civil penalties and injunctive relief against Global was to be filed.

  The thrust of the FTC’s complaints are as follows:

  For Craftmatic, which agreed to pay a $4.4 million civil penalty, the second highest NDNCR fine ever, its attempt to use sweepstakes to create an established business relationship and/or obtain prior express consent to future telemarketing calls was insufficient to permit calls to the sweepstakes entrants who were on the NDNCR, and the FTC further alleged violations of its rule against “abandoned” telemarketing calls (i.e., those that connect to a consumer but disconnect before a live sales agent comes on the line), and that Craftmatic failed to honor company-specific do-not-call requests.

  With respect to ADT, which agreed to pay a $2 million civil penalty, the FTC made allegations similar to those it made in brokering a $5.3 million settlement with DirecTV in 2005 -- that is, the company failed to exercise sufficient control over authorized third-party dealers selling its services through (among other means) telemarketing to numbers on the NDNCR, which in ADT’s case, were Alarm King and Direct Security services, who respectively agreed to pay $20,000 and $25,000 civil penalties. In addition, ADT’s consent decree required it, like DirecTV, to adopt a compliance program with detailed monitoring, record-keeping, and reporting requirements.

  The complaint and consent decree for Ameriquest are somewhat opaque in alleging that it placed calls to numbers listed on the NDNCR and to consumers who had made company-specific do-not-call requests to Ameriquest, which agreed to pay a $1 million civil penalty. However, the FTC’s press release provides slightly more detail, basically that Ameriquest improperly relied on third-party lead-generators for TSR compliance, as has been the case with other telemarketers with whom the FTC has settled alleged telemarketing violations.

  For Guardian Communications and U.S. Voice Broadcasting, which agreed to a judgment in the amount of nearly $7.9 million with all but $150,000 suspended due to inability to pay, the violations arose out of prerecorded messages, all of which the FTC treated as abandoned calls, while further alleging that Guardian failed to provide proper caller ID information and placed calls on behalf of entities that were required to pay NDNCR fees but had not done so.

  The Global Mortgage complaint contains bare allegations that it placed calls to numbers on the NDNCR, without paying NDNCR fees, that it abandoned calls, and that it failed to transmit caller IDs. As noted, there is no consent decree for Global (and, moreover, the complaint recites that it filed Chapter 7 bankruptcy last year), so there are fewer details about this enforcement action than there are about those above.

  There are a number of compliance lessons that can be taken from the complaints and consent decrees. Each is well worth reviewing for an understanding of what, precisely, the settling company was accused of doing, and how that differed from what the FTC expects with respect to telemarketing compliance.

• So How Many Health Care Privacy Laws Do We Need?
  

  Posted by Tom Jeffry

  Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693].  Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.  

  The proposed amendment uses language familiar to those of you who have read HIPAA.  Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different.  For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers.  The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers.

  When HIPAA was being considered by Congress, the debate over the appropriate level of privacy protections threatened to derail the legislation.  The solution then was to punt the process of establishing privacy and security standards for health care to the administrative rulemaking process of the Department of Health and Human Services.  Deja vu . . . with the introduction of this amendment we are back to privacy concerns threatening legislation that has bi-partisan support to advance health care technology and potentially improve the quality and efficiency of the delivery of health care.  

  Of course, there is no requirement that the federal laws and regulations of our nation be consistent, avoid duplication, or otherwise articulate a uniform policy or approach.  As a lawyer, I suppose I should be grateful for that.  Nevertheless, rather than appending the bill intended to develop health information networks with privacy provisions that duplicate and/or contradict the HIPAA regulations, the more rational approach would be to address privacy concerns in an amendment to HIPAA and extend the application of HIPAA to health information networks.  

  There are some privacy provisions unique to the concerns of information available and shared through a health information network that are appropriate to retain in the legislation and proposed amendment.  Mandatory notification of security breaches to the network and opt-out rights are specific privacy and security safeguards for the storage and exchange of electronic health records in such networks and addressed in the S. 1693 proposed amendment.

• Lust, Caution...Virus
  

  Posted by Lance Koonce

  It may sound like a public health warning, but apparently a late night with an illicit movie downloading site can leave you with a very nasty infection.

  Tech analysts in China have announced that users downloading Ang Lee's thriller Lust, Caution from any one of hundreds of Chinese websites offering the film up for free have found themselves in the position of that befuddled alien in Independence Day, who realizes only a few moments too late that he's (she's? it's?) just uploaded the galactic equivalent of a wooden-horse-thingy hiding millions of tiny Greek nano-soldiers.  The befuddlement, of course, stems from being outwitted by Geena Davis's ex-husband and the Fresh Prince.

  What does this mean?  That screenwriters are morons, of course -- there's simply no chance those aliens zipped across the galaxy, took out our nukes, but forgot to install McAfee or Norton.  But that's