Group items tagged

Don't expect a letter from Monster or Heartland Payment Systems letting you know they've lost your data. The breaches at Monster.com and Heartland Payment Systems are raising questions about the efficacy of data-loss disclosure laws enacted in at least 45 states. Back in 2007 we wrote about how the financial services industry lobbied hard to block proposed federal rules requiring organizations to notify individuals whose data they lose, and to permit consumers to freeze their credit histories. States such as California and Massachusetts have passed laws giving consumers these rights. But the Monster and Heartland capers have brought weaknesses in the legislation to center stage. I asked Lisa Sotto, head of privacy and information management at law firm Hunton & Williams, about this: Q: Heartland and Monster told me they intend to comply with all state laws. That said, they have not announced plans to notify individual victims. Is that OK? A: In the state breach notification laws, it is permissible to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. If such a delay is requested by law enforcement, notification must be made after the law enforcement agency determines that notice would not compromise the investigation. I do not know if these companies received a delay request from a law enforcement agency. Q: Monster says it chose not to email individual victims because the bad guys could then replicate that message and use it as a phishing template. That makes sense. But is that allowed by state consumer protection laws? A: There are now 45-plus state laws and they are not uniform. Typically, notice is provided via first class mail, but there are provisions in the state laws allowing for electronic notice as well. Q: The only official notices from Heartland and Monster so far has been one-page disclosures posted on a web site. Does that cover them? A: There are provisions in the state laws al

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law. The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer. The companies have been working for the past three years to encourage the adoption of federal consumer data-privacy laws and to answer the question of what federal legislation should look like, Cullen said in an interview. Other forum members include Google, Oracle, Procter & Gamble and Eli Lilly. One idea is that laws should make it easier for consumers to understand what they're getting into when they share their personal data with Web sites, Cullen said. "The whole focus on consent really puts an unfair burden on the consumer," he said. "My mom doesn't know what an IP address is." The recommendations will cover rules around data use and the ability of consumers to correct inaccurate data. And they will cover data breach notification, which is now covered by a patchwork of state laws. Simplifying breach-notification laws by creating a single federal standard is important, Cullen said Wednesday while speaking at a discussion of privacy policy in San Francisco. "It's not that there is no privacy law. There's actually too much privacy law," he said. "If you think about data-breach notification laws just as an example, there are 38 state laws, many of them very different." "We need to think about much more of a framework approach." Congress has passed some laws covering consumer data privacy, such as the 1996 Health Insurance Portability and Accountability Act (HIPAA), but existing laws do not comprehensively cover consumer privacy in general.

IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws. The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago. Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that. According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced. The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law. Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.

A law designed to keep college students' grades private often is used for a much different purpose -- to shield universities from potentially embarrassing situations. Some critics say a number of schools are deliberately misreading the Family Educational Rights and Privacy Act in order to keep scandals and other unflattering news from hitting the media. "Some schools have good-faith misunderstandings of the law, but there are others that simply see this as a handy excuse to hide behind," says Frank LoMonte, executive director of the Student Press Law Center, which provides student journalists with legal help. Legal experts say part of the problem is that the law is loosely defined. In addition, the potential consequences of violating the law -- namely, that schools would lose their federal funding -- prompt university officials to be conservative in their decisions about releasing information. Those complaints rankle advocates of student privacy, who say that, if anything, the three-decade-old law should be expanded. "Most of these kids are adults, and they should be able to make their own decisions," says Daren Bakst, president of the Council on Law in Higher Education. Congress already reworked the law to clarify when universities can disclose student information, especially involving health and safety matters. Those changes, adopted in January, followed the 2007 shooting rampage at Virginia Tech by a mentally troubled student.

Two companies that collect, analyze and sell prescription information are mounting a Supreme Court challenge to New Hampshire's first-in-the-nation law making doctors' prescription writing habits confidential. In an appeal filed March 27, IMS Health Inc. of Norwalk, Conn., and Verispan LLC of Yardley, Pa., tell the high court that the law violates their First Amendment right to free speech in pursuit of their business. The law, aimed at thwarting hard-sell tactics by drug companies to doctors, makes it a crime for pharmacies and others to transfer information disclosing a doctor's prescribing history if the information could be used for marketing of prescription drugs in New Hampshire. Patients' names are not included in the data. The companies say that the ruling by the 1st U.S. Circuit Court of Appeals in Boston that upheld the law's constitutionality could be broadly applied to newspaper publication of stock market information and many other services that gather large amounts of information. The money made by selling the information to drug makers, the companies say, allows them to provide the same material to researchers and humanitarian organizations at little or no cost. The law first took effect in 2006. The following year, U.S. District Judge Paul Barbadoro in Concord ruled in the companies' favor and said the law violated the First Amendment. Another federal judge subsequently ruled against a similar law in Maine, relying heavily on the New Hampshire decision. But the 1st Circuit overruled Barbadoro, calling the law a valid step to promote the delivery of cost-effective health care. "Even if the Prescription Information Law amounts to a regulation of protected speech - a proposition with which we disagree - it passes constitutional muster," the court said. "In combating this novel threat to cost-effective delivery of health care, New Hampshire has acted with as much forethought and precision as the circumstances permit and the

New Englanders have a reputation for being taciturn, but when it comes to data Massachusetts takes the cake. No state loves its privacy more than the Bay State, which last year passed the nation's most exacting data privacy law, requiring companies to check off a honey-do list of steps designed to protect personal data belonging to commonwealth residents. Connecticut and Rhode Island preceded Massachusetts in joining the minority of states that have enacted proactive data privacy laws, requiring businesses to protect information like Social Security and credit card numbers. Maine, Vermont and New Hampshire, like nearly all states, have only reactive data laws, requiring companies to take certain steps - like reporting a breach to authorities - after data has been compromised. Rhode Island's law, passed in 2006, requires businesses that own or license Rhode Islanders' personal information to "provide reasonable security" for that data. Connecticut's law, passed shortly before Massachusetts enacted data privacy legislation last summer, requires businesses to create and publicly display a data protection policy, but does not specify what that policy should entail. The Connecticut and Rhode Island laws stop far short of the controversial requirements in Massachusetts, where new regulations are scheduled to take effect by January 2010. "They're not technically one-liners, but they're very general," Goodwin Procter LLP partner David Goldstone said of the Connecticut and Rhode Island statutes, which are similar to laws passed in Texas and California. "Essentially they say companies have to have reasonable protections in place."

Stay Online on the world wide web online roulette from Contemporary sydney, Fun and Free! Now you is capable of doing Actual "www.funlivecasino.com.au" Stay Online on the world wide web online roulette for Fun in Contemporary sydney on a product new web page, FunLiveCasino.com.au. Using the newest on the world wide web operating technology, Fun Stay Gambling house allows you be a part of a genuine action occurring on a genuine desk in a genuine betting house, all approved on Live! You can see other real gamers in the betting house betting on the same outcomes you do providing you greatest believe in in the outcomes as they are not designed 'just for you a, like other action experiencing items such as 'live studios' or pc designed actions. Its awesome to think next time your really in the betting house that you might be on digicam, and individuals on the world wide web might be watching! The long run is scary! Believe one day soon this will be the only way individuals would bet on the world wide web because the worldwide web is complete of fraudsters, you have to be extremely cautious, and why would you perform Online Online on the world wide web online roulette any other way except from a Actual Gambling house you can check out, see, pay attention to and trust! Amazingly this site is absolutely 100 % 100 % 100 % free and has no determining upon up process, no junk, no pc rabbit mouse mouse clicks and no pressure. Just Immediate Fun "www.funlivecasino.com.au" 100 % 100 % 100 % free Stay Roulette! Give it a try, its value verifying out! "www.funlivecasino.com.au"Australia's Online Fun Stay Casino! Backlinks designed from http://fiverr.com/radjaseotea/making-best-156654-backlink-high-pr

Point by Marcus Ranum THERE'S AN OLD SAYING, "Sometimes things have to get a lot worse before they can get better." If that's true, then breach notification laws offer the chance of eventual improvements in security, years hence. For now? They're a huge distraction that has more to do with butt-covering and paperwork than improving systems security. Somehow, the security world has managed to ignore the effect voluntary (?) notification and notification laws have had in other fields-namely, none.We regularly get bank disclosure statements, stock plan announcements, HIPAA disclosures, etc.-and they all go immediately in the wastebasket, unread.When I got my personal information breach notification from the Department of Veterans Affairs, it went in the trash too. Counterpoint by Bruce Schneier THERE ARE THREE REASONS for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law-"They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing"-is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control-or even knowledge- of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost-both in bad publicity and the actual notification-of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of

"The United States House of Representatives took a major step this week toward enacting a national data breach notification law. H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach. If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach ¬law would pre-empt the jumbled mass of dozens of state laws. "You'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law," said California state senator Joe Simitian, speaking to executive editor Scot Petersen in September. "If there was a meaningful standard at the national level, I think many states would be happy to accept it." Aside from the data breach notification required by the HITECH Act, DATA would put into place the first national law of its kind. H.R. 2221 was sponsored by House Subcommittee Chair Rep. Bobby L. Rush of Illinois. The bill specifically states that: "Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data -- 1. notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and 2. notify the Federal Trade Commission."

Laws in Canada and other countries are increasingly helping technology force people to identify themselves where they never had to before, threatening privacy that allows people to function effectively in society, a new study has found. "What we're starting to see is a move toward making people more and more identifiable," University of Ottawa law professor Ian Kerr said Wednesday. His comments followed the launch of Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society, a book summing up the study's findings, at a public reading in downtown Ottawa hosted jointly with the Privacy Commissioner of Canada. Kerr led the study with University of Ottawa criminology professor Valerie Steeves. They collaborated with 35 other researchers in Canada, the U.S., the U.K., the Netherlands and Italy. The researchers reported that governments are choosing laws that require people to identify themselves and are lowering judicial thresholds defining when identity information must be disclosed to law enforcement officials. That is allowing the wider use of new technologies capable of making people identifiable, including smartcards, security cameras, GPS, tracking cookies and DNA sequencing. Consequently, governments and corporations are able to do things like: * Embrace technologies such as radio frequency identification tags that can be used to track people and merchandise to analyze behaviour. * Boost video surveillance in public places. * Pressure companies such as internet service providers to collect and maintain records of identification information about their customers. While Canada, the U.K., the Netherlands and Italy all have national laws protecting privacy - that is, laws that allow citizens to control access to their personal data - such legal protection does not exist for anonymity, Kerr said. "Canada is quite similar [to other countries] with respect to anonymity. Namely, it's shrinking here just as it is there.

A new report from the Progress & Freedom Foundation says that officials in some states want to pass legislation that would extend the Children Online Privacy Protection Act (COPPA) from covering children under 13 to covering teens until they're 18. COPPA, which became law in 1998, requires verifiable parental consent before a child under 13 can provide personally identifiable information to a Web site that caters to children. Expanding the law to cover teens till they're 18, according to the report, would "require Web sites to obtain more information about both minors and their parents, which runs counter to the original goal of the Act: protecting the privacy of minors." Ultimately, say the authors, "this would actually make minors less 'safe online.'" In this podcast, the report's co-author, PFF Senior Fellow Adam Thierer, explains the original COPPA law and why, in his opinion, the expanded law could have a chilling effect on the free speech rights of minors. The podcast runs 11:30

There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law - "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" - is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control - or even knowledge - of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost - both in bad publicity and the actual notification - of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.

The Data Protection Directive is old-fashioned and out of date, a report published by the UK's privacy regulator the Information Commissioner's Office (ICO) has said. Commissioner Richard Thomas said that the European Union must change its legislation. The ICO commissioned RAND Europe to investigate whether or not 1995's EU Data Protection Directive was a good basis for Europe-wide data protection law. The research concluded that the law was flawed and needed to be updated. It found that the law must be clearer about what it seeks to achieve, that it should be better at forcing organisations to protect personal data in their charge, that it should encourage a more strategic approach to enforcement and that it does not deal well enough with the export of personal data outside the EU. Thomas said that the Directive, on which the UK's Data Protection Act is based, is outmoded. "The Directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world, must avoid unnecessary burdens, and must work well in practice," he said. "Organisations must embed privacy by design and data protection must become a top level corporate governance issue." RAND said that the Directive would be improved by its fundamental approach to ensuring data privacy being changed. It said that the law should focus on the protection of individuals and the security of their data, and not on the processes that lead to that. "The stronger, results oriented approach described in this report aims to protect data subjects against personal harm resulting from the unlawful processing of any data, rather than making personal data the building block of data protection regulations," said the report. "It would move away from a regulatory framework that measures the adequacy of data processing by measuring compliance with certain formalities, towards a framework that instead requires certain fundamental principles to be respected

The US government has now adopted a policy of fostering the adoption of electronic medical records (EMR). The policy is intended to increase the efficiency of the US healthcare system, thereby lowering costs and reducing the incidence of preventable errors. At the same time, through its The Health Insurance Portability and Accountability Act (HIPAA) privacy rules, the government has set minimum standards for the security of those records. These two goals-privacy and security of these records, along with their free interchange among medical providers-can easily wind up at odds with each other. A recent study that looked at the role of state privacy laws in EMR adoption suggests that the problem is very real, as state privacy laws seem to inhibit the use of EMR by hospitals located there. The authors, based at MIT and the University of Virginia, line up a variety of data that validate their suggestion that privacy and the use of EMR may require a careful balance. So, for example, they cite some highly publicized lapses when it comes to the maintenance of patient privacy: someone once offered the records of 200,000 patients for sale on Craigslist, while hospitals have seen their own employees attempt to get at the electronic files of famous patients. Perhaps more significantly, the authors suggest that the public, as represented by their legislators, has concerns about the privacy of EMR. They found that states that have passed their own privacy laws to supplement the HIPAA rules tend to have a higher percentage of their populace signed up for the Do Not Call Registry, indicating a corresponding individual-level interest in maintaining privacy. So, they looked at whether these laws had any impact on the adoption of EMR by hospitals located in each state.

making best indexing in goggle and bing. RADJASEOTEA is a master of backlinks. You want indexing in goggle and bing. LOOK THIS www.fiverr.com/radjaseotea/making-best-super-backlink-143445

A top affliction of privacy professionals is the growing complexity of privacy laws. The number of jurisdictions regulating data privacy and the number of other laws in which privacy provisions are tucked has increased with no letup since 2000. Like the Lilliputians in Gulliver's Travels, the tiniest jurisdictions are now lassoing their privacy ropes around the mightiest of corporations. Where does this leave those who are charged with keeping their organizations privacy-compliant? Desperately looking for a way to organize news about all of these developments. I recently surveyed the landscape of possible solutions to this problem. What did I find? Three different approaches: free Web sites, newsletters and news feeds; fee-based periodicals; and fee-based databases, such as Nymity's PrivaWorks, Cecile Park Publishing's DataGuidance and law firm Morrison and Foerster LLP's Summit Privacy. What were the pros and cons of each approach? Free sources Privacy leaders with no budget will want to exploit what's free, including these options: * Morrison & Foerster's Privacy Library, probably the most comprehensive and current free online listing of privacy laws in 95 countries. * Law firm Baker & McKenzie's annual Global Privacy Handbook, which is distributed to clients and friends. * Computerworld's own Security Newsletter, which offers a regular look at news about the technical threats to personal data. * The International Association of Privacy Professionals' Daily Dashboard, Canada Dashboard Digest and monthly Inside 1to1: Privacy. These are the best available free news feeds on privacy.

Two Philadelphia law firms have filed class action suits on behalf of all cardholders in the U.S. who had their credit or debit card data stolen in the Heartland Payment System (HPY) data breach. This brings to three the total number of class action lawsuits filed against the Princeton, NJ-based payments processor. The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen. Heartland says last year it processed 100 million card transactions per month, but an unknown number of cards were impacted by the breach. The law firm says fraudulent activity has occurred on some of those cards. The law firm alleges that Heartland's security measures and intrusion detection systems were inadequate. "Because of Heartland's inadequate data security, cardholders have had their card information compromised, have been exposed to the risk of fraud, have spent and will spend time to monitor their accounts and dispute fraudulent charges, and have suffered other economic damages," the law firm says in its statement regarding the suit. Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey. Sheller P.C. has also filed a consumer class action suit against RBS WorldPay for its security breach that was made public on Dec. 23, 2008. Previously, Chimicles & Tilellis LLP of Haverford, PA filed suit in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Co

DURING the Parliament session on Monday, MP of Ang Mo Kio GRC Ms Lee Bee Wah, asked the Minister of Information, Communications and Arts, Dr Lee Boon Yang, whether a comprehensive privacy law will be introduced to protect the privacy of individuals and their personal data. She also queried about the existing laws which are in place to protect people from spam mails and unauthorised sale of personal information, as well as protecting people whose photographs are posted on blogs and other new media platforms. Dr Lee's reply was: "The Government recognises the importance of data protection and the need to protect personal data. At the same time, we also appreciate the impact of data protection on businesses and the general public. I had previously informed the House that an Inter-Ministry Committee is reviewing Singapore's data protection regime. This review is on-going. We are currently looking into developing a data protection model that can best address Singapore's privacy concerns, commercial requirements and national interest. As data protection is a complex issue with extensive impact on all stakeholders, this review will take some time." With regards to unauthorised Use of personal data, he replied: "While there is currently no generic data protection law, it does not mean that there is no protection of personal data. In fact we have in place strict provisions in sectoral laws, such as the Banking Act and codes for medical professionals to protect sensitive financial and health information. There are also other industry codes of practices against the unauthorised use of personal information. For example, in the telecommunications sector, under the Telecom Competition Code, IDA requires licensees to take reasonable measures to prevent the unauthorised use of End User Service Information. A telecom licensee would be in breach of the Code if it shares with third parties its customers' information that was obtained from the use of its service, without the cust

The California State Senate approved today SB 20, legislation by State Senator Joe Simitian (D-Palo Alto), which aims to strengthen existing privacy protection laws for California consumers. The new law builds on legislation authored by Simitian in 2002 that requires a business or government agency that incurs a data breach to provide notice to the individual(s) whose information was compromised. More than 40 states have adopted similar legislation since that time, largely based on the California measure. "No one likes to get the news that information about them has been stolen," said Simitian, "but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next." "The premise is simple," added Simitian. "What you don´t know can hurt you. Ignorance is not bliss. And you can´t protect yourself if you don´t know you´re at risk." Simitian said his latest proposal (SB 20), "is designed to make a good law even better." California´s current security breach notification law (AB 700, Simitian -2002) requires notice to consumers when their information has been compromised, but does not require data holders to provide any standard set of information about the nature of the breach. SB 20 will enhance consumer knowledge about security breaches by requiring that the notification contain specified information, including the type of personal information breached and the date of the breach.

A coalition of privacy groups today urged the Obama Administration to defend California's landmark financial privacy law against the banking industry's legal efforts to overturn it. The US Supreme Court is currently considering taking up the banks' appeal of a 2008 decision by the 9th Circuit Court upholding almost all provisions of the Financial Information Privacy Act of 2003 (SB 1 - Speier). On March 9th, the Supreme Court invited the Obama Administration to voice its opinion on the California privacy law. The case is American Bankers Association v. Brown, Supreme Court Docket Number 08-730. Letters to President Obama and Solicitor General Elena Kagan were signed by The Consumer Federation of California, Privacy Rights Clearinghouse, CALPIRG, Consumers Union, Consumer Action, The Older Women's League, The California Alliance for Retired Americans, and Chris Larsen, Propser Marketplace, and founder of Californians for Privacy Now, the organization that spearheaded a 2003 ballot initiative campaign that turned fierce banking industry opposition into acquiescence with SB 1. "This represents a defining moment for privacy rights" the letter states. We ask you to stand with consumers by telling the Supreme Court to reject the banks' appeal in Brown." Privacy advocates support the State of California's position in this legal matter, which is that there is no merit to the appeal filed by the American Bankers Association. At issue is whether federal laws preempt portions of California law that regulate the sharing of private consumer information within a financial institution's family of affiliates.

Raises some realistic questions about the American approach to privacy law & regulation. Unfortunately, the article tends to point at the misapplication of laws more heavily than offering the reader an account of the abuses that led us to where we are now. Businesses & government, including the medical industry, freely shared details - or spied on Americans with impunity for decades. The article reminds us that work needs to continue to balance our approach. A Federal law, that sets a floor for privacy requirements, could help reduce conflicting requirements caused by almost every state writing seperate laws because there was a lack of leadership from Washington. American privacy regulations are implemented sectorally - at the industry or State level for example. This leads to many different, and conflicting laws. Privacy is a difficult subject with complex considerations touching aspects of life that have not been questioned for years. This article provides more con than balance, but it reminds us that extreme positions rarely serve anyone well.

Special interest groups and lawyers claim they are defenders of individual privacy. But all that red tape is causing more harm to consumers than good. In a world of tight budgets and sacrificed programs, one sector has continued to grow with the speed and choking effectiveness of kudzu: regulations around privacy. More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals. Privacy-related consulting services provided by law and accounting firms are a $500-million-a-year business and have been growing at double digits.

On September 12, 2009, Maine's Act to Prevent Predatory Marketing Practices Against Minors (the "Act") will take effect. The Act prohibits businesses from knowingly collecting or receiving a minor's health-related information or personal information for marketing purposes without first obtaining verifiable parental consent. Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor. Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice. The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators. For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching. The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor's name in combination with any information concerning the minor. In light of the Act's restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms. The text of the law is available here.