Your SlideShare is downloading. ×
April 2003




                           FTC and FCC Act on Telemarketing Rules
Following the recent enactment of “The Do...
Getting a Handle on the New
    New Wiley Rein & Fielding LLP                                       HIPAA Security Regulat...
Guest author J. Trevor Hughes, IAPP Executive Director, presents:

       The IAPP and Ponemon Institute Survey of Privacy...
Getting a Handle on the New HIPAA Security Regulation
 continued from page 2

 and claim systems. Congress, recognizing th...
WRF to Host FCC Telemarketing Briefing
               The Firm is hosting a breakfast briefing featuring K. Dane Snowden, Ch...
Getting a Handle on the New HIPAA Security Regulation
 continued from page 4

 Scaleable Mandates                         ...
Getting a Handle on the New HIPAA Security Regulation
 continued from page 6

 systems), workstation use policies, worksta...
Department of                                                                              FTC and FCC Act on Telemarketin...
Upcoming SlideShare
Loading in...5
×

FTC and FCC Act on Telemarketing Rules

862

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
862
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "FTC and FCC Act on Telemarketing Rules"

  1. 1. April 2003 FTC and FCC Act on Telemarketing Rules Following the recent enactment of “The Do-Not-Call After paying the fee, the seller will be able to access data for Implementation Act,” both the Federal Trade Commission the area codes for which it has paid as often as it wishes during (FTC) and the Federal Communications Commission (FCC) the annual period. are developing administrative records to support their new The FTC also proposes that third-party telemarketers that telemarketing rules, including the politically popular national are not also sellers (e.g., a telemarketing firm that a seller hires Do-Not-Call list. Telemarketers and sellers that hire them to place marketing calls to consumers) will not have to pay a should be aware of recently-announced compliance deadlines separate fee for their access to the national registry. Instead, and new opportunities for comment. these “pure telemarketers” will need to ensure that the sellers for Additional Comments Sought whom they place telemarketing calls have paid for access. On April 3, 2003, the FCC issued a further Notice of Proposed FTC Do-Not-Call Compliance Dates Rulemaking (NPRM) seeking comment on how it might Consumers will begin placing their telephone numbers on the change its existing rules implementing the Telemarketing FTC Do-Not-Call list in July 2003. Access to the registry by Consumer Protection Act (TCPA), while maximizing sellers will begin on September 1, 2003, and full compliance consistency with the FTC’s newly-expanded Telemarketing with the Do-Not-Call requirements will be required on October Sales Rule. Congress has required the FCC to complete the 1, 2003. Thus, by October 1, 2003, each seller conducting TCPA rulemaking by September. Written comments on the telemarketing calls over state lines to consumers must obtain FCC’s NPRM are due on May 5, 2003. an access number and pay a fee based on the number of area The FTC also issued a revised Notice of Proposed Rulemaking codes it wishes to access. Sellers or their telemarketing agents (Revised Fee NPRM) requesting public comment on its will then be required, every 90 days, to “scrub” the residential proposal to charge telemarketers fees to access the Do-Not- telephone numbers appearing in the Do-Not-Call registry from Call registry, as described in the Telemarketing Sales Rule. their calling lists. Written comments on the FTC’s Revised Fee NPRM will be continued on page 8 accepted until May 1, 2003. Do-Not-Call Access Fee In the Revised Fee NPRM, the FTC proposes to charge sellers Also in This Issue that place interstate telemarketing calls to consumers an annual New Wiley Rein & Fielding LLP fee to obtain access to the Do-Not-Call registry. The access-fee Partner Further Enhances Its amount would depend on the number of area codes for which National Insurance and Privacy Practices ..............2 the seller wishes to obtain Do-Not-Call telephone numbers. Access to each area code list will cost $29, with the annual Getting a Handle on the maximum set at $7,250 (250 area codes or more). The FTC New HIPAA Security Regulation............................2 proposes not charging a fee for businesses that wish to access The IAPP and Ponemon Institute five area codes or less. Separate divisions, subsidiaries or Survey of Privacy Professionals’ Salaries................3 affiliates of a corporation will be treated as separate sellers. WRF to Host FCC Telemarketing Briefing ..............5 Should a seller wish to access additional area codes within The Speaker’s Corner ..........................................5 the annual period, it may do so by paying an additional fee Department of Homeland Security of $29 per area code during the first six months of the annual Announces Privacy Officer ...................................8 period and $15 per area code during the second six months. © 2003 Wiley Rein & Fielding LLP ✦ Washington, DC ✦ Northern Virginia ✦ www.wrf.com
  2. 2. Getting a Handle on the New New Wiley Rein & Fielding LLP HIPAA Security Regulation Partner Further Enhances Its On February 20, 2003, the U.S. Department of Health and National Insurance and Human Services released the long awaited security rule under the Health Insurance Portability and Accountability Act. This Privacy Practices is the third leg of the HIPAA “Administrative Simplification” Wiley Rein & Fielding LLP is pleased to announce the trilogy, covering privacy, standardized electronic transactions continued expansion of its pre-eminent 40-lawyer and security. Insurance Practice with the addition of Cynthia T. The Security Rule will substantially affect any entity Andreason. Ms. Andreason joined the firm as a participating in the health care system, not only the “covered Partner on April 2, 2003, and advises insurers regarding entities” under the Rule (including health plans, health care emerging privacy and e-commerce issues, and regularly providers and health care clearinghouses), but also their counsels financial services clients on compliance and vendors and business partners that provide critical services. litigation avoidance related to privacy and various This Rule also will become part of the developing legal and other market conduct matters. She will also continue regulatory structure surrounding the privacy of sensitive to represent clients in insurance litigation matters on customer/patient information. behalf of life, disability and property/casualty insurance For those affected by this Rule directly, the key questions will companies. involve process (e.g., what steps need to be put in place, what “We are thrilled to have Cynthia join our practice,” decisions will result from the security evaluative process?) commented Thomas W. Brunner, chair of the Insurance and timetable (e.g., do I have the full two years, or does the Practice. “Her addition broadens the range of services we HIPAA Privacy Rule require/encourage me to move more provide for some of the top insurers in the United States quickly?). In order to provide a context for examining these and overseas. Her expertise and practice will provide issues, this article presents a brief summary of the critical additional depth to our already substantial insurance components of the Security Rule, and a beginning analysis of and privacy practices. We are pleased to welcome her how covered entities need to follow this rule, including some to the firm.” of the strategy questions facing covered entities—and their Ms. Andreason joins the firm with more than 19 years business partners—that need to structure their operations to of legal experience. Most recently, she practiced at the protect the security of protected health information. Washington, DC office of LeBoeuf, Lamb, Greene & Administrative Simplification Background MacRae, LLP. Ms. Andreason has defended clients in complex class action litigation and major regulatory Now more than 4½ years after HHS released the “draft” proceedings, as well as environmental, advertising Security Rule in August, 1998, the world is a vastly different liability and products liability matters. Prior to place. We have witnessed the entire “boom and bust” of the private practice, she served as a law clerk to the “Dot.Com” economy. The Year 2000 “crisis” raised enormous Honorable I. Daniel Stewart, Associate Justice, Utah concerns, and then fizzled. Wireless communications, using Supreme Court. cell phones, Blackberry devices and other technologies, once almost unthinkable, are now commonplace. The events of Ms. Andreason received her Bachelor’s degree in Music, September 11 have changed, perhaps permanently, the relative with high honors, from the University of Colorado and balance between privacy rights and security obligations. earned her J.D. from the University of Utah, where she was a member of the Utah Law Review. For the health care industry specifically, change has also been dramatic. Malpractice reform, HMO litigation, ERISA Wiley Rein & Fielding’s Insurance Practice is among changes, rising costs and technological advances all have the largest and most prominent in the United States, impacted the business of providing health care. emphasizing coverage dispute resolution, bad faith and market conduct litigation, insurance fraud issues, This time period also has seen evaluation and implementation litigation management and claims counseling, amicus of most of the HIPAA Administrative Simplification, often in curiae participation and reinsurance. ✦ the face of enormous challenges. The standard transaction rules have been defined (for the most part), and health care For more information, contact Cynthia Andreason companies (having incurred enormous information technology (202.719.7364 or candreason@wrf.com). costs due to Y2K) have now moved to revamp their billing continued on page 4 Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 2
  3. 3. Guest author J. Trevor Hughes, IAPP Executive Director, presents: The IAPP and Ponemon Institute Survey of Privacy Professionals’ Salaries The International Association of Privacy Professionals The average overall experience level of participants was (IAPP) and The Ponemon Institute, a privacy “think- 19.8 years. The survey clearly showed a relationship tank,” recently performed one of the first broad-based between increased salary and experience—but only to salary studies of privacy professionals both in the United a point. After a number of years of privacy experience, States and abroad. The survey, conducted by The the salaries for professionals were actually lower. This Ponemon Institute, solicited responses from the 1100 inverted relationship may be tied to the pattern described members of the IAPP, the largest association of privacy above—privacy professionals may need to add other duties professionals in the United States. to their jobs in order to increase their compensation. Privacy professionals who do not diversify in this manner Six Figures! may find that their salary stagnates over time. Another The survey revealed that privacy professionals in today’s theory is that these compensation decreases reflect the marketplace are earning, on average, six-figure salaries. relatively recent addition of privacy positions to existing Privacy professionals in the study earned a mean salary of company advancement structures in a manner that may $101,000—with a full 70% of the respondents earning not provide the full level of advancement that other more between $60,000 and $150,000 per year. This salary traditional positions enjoy. level would seem to befit the “professional” status of those individuals who are responsible for privacy. Other Industry Variations results were intuitive as well: salary levels appeared to Privacy personnel salary comparisons between industries increase in direct relation with the size of the individual’s also presented compelling results. For example, the organization, as well as the individual’s experience within health care industry appeared to compensate its privacy the field. professionals at a lower pay rate than other industries. In fact, the pay rate for health care professionals was 15% Diversification and Experience lower than the mean for the entire sample. This finding While the IAPP/Ponemon findings contained some great may be linked to the fact that health care respondents news for the emerging ranks of privacy professionals, typically came from smaller organizations. Health care the study also revealed some compelling distinctions privacy issues may also be handled primarily within within the profession. For example, individuals who compliance departments (as opposed to legal, marketing perform privacy functions as a part of their total or government affairs departments). job responsibilities reported higher salaries than Overall, the results of the 2003 IAPP/Ponemon privacy individuals who work exclusively within the privacy salary survey point to the continued evolution of the field. One possible explanation for this result is that privacy profession. In spite of variations between privacy professionals are frequently drawn from legal industry, experience, and job functions, salaries for departments. Persons who spend more than half of their privacy professionals are comfortably within ranges time serving in legal positions, and less than half of their enjoyed by other professions. While experience does time in privacy positions, may enjoy greater salaries as a count, it appears that diversification is a key factor in result of their continued allegiance to the organization’s acquiring and maintaining higher salaries for privacy legal department. Individuals who are not affiliated with professionals later in their careers. ✦ a legal department may not reap the benefit of the higher salaries generally afforded to attorneys. If you would like to request a copy of the 2003 Another striking survey fi nding was the correlation IAPP / Ponemon Institute Privacy Professional between salary and a person’s experience in the privacy Salary Survey Report, please contact the IAPP field. Participants who completed the survey had (www.privacyassociation.org or 215.545.8990) worked for an average of five years in the privacy or data or The Ponemon Institute (www.ponemon.org or protection field, and 3.7 years in their current position. 520.290.3400). Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 3
  4. 4. Getting a Handle on the New HIPAA Security Regulation continued from page 2 and claim systems. Congress, recognizing the compliance (v) The needs and capabilities of small health care providers difficulties with these “standard” transactions—which are and rural health care providers proving not to be really “standard”—provided an extra 42 USC 1320d-2(d)(1)(A). compliance year. Now, the industry awaits whether the “standardized” system actually will work in October 2003 Next, the same covered entities have been struggling to (the compliance date for the transaction rule). understand the security implications of the HIPAA Privacy Rule. Under the Privacy Rule’s cryptic provisions, a covered On the privacy front, through two Administrations, various entity “must have in place appropriate administrative, technical, drafts, a final rule, and now a “Final” final rule, the industry and physical safeguards to protect the privacy of protected is in the initial month of mandatory privacy compliance, with health information.” Privacy Rule, 45 CFR 164.530(c)(1). predictions by respected advisory bodies of the “likelihood In addition, any “business associate” under the Privacy Rule of widespread disruption” surrounding the April 14, 2003 (typically, a vendor to health care entities whose work involves compliance date. patient/member information) also must agree by contract to Only a few weeks prior to privacy compliance, HHS launched “use appropriate safeguards to prevent use or disclosure of another “Administrative Simplification” bomb-shell—the protected health information (PHI) other than as provided Security Rule—with not only wide-ranging effects on the for by” the business associate contract. Neither the Rule itself security of electronic protected health information, but also nor the Preamble provide any meaningful additional detail as significant immediate implications for privacy compliance. to what should be included in these “safeguards.” Prior to the Final Rule The Privacy/Security Link The Security Rule provisions are not the first federal security While the Privacy Rule provisions are “separate” from the requirements for the health care industry. The HIPAA statute Security Rule—most importantly in terms of compliance itself, which has led to the creation of all of the Administrative dates—there are critical links. For example, according to Simplification regulations, contained specific requirements for the Preamble, the security of health-related information—effective in 1996. [S]ecurity and privacy are inextricably linked. The Specifically, the statute stated that: protection of the privacy of information depends in large Each [covered entity] who maintains or transmits health part on the existence of security measures to protect information shall maintain reasonable and appropriate that information…. The security standards…defi ne administrative, technical and physical safeguards: administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of (A) To ensure the integrity and confidentiality of the electronic protected health information.… The Privacy information Rule, by contrast, set standards for how protected health (B) To protect against any reasonably anticipated threats or information should be controlled by setting forth what hazards to the security or integrity of the information; uses and disclosures are authorized or required and and unauthorized uses or disclosures of the information what rights patients have with respect to their health (C) Otherwise to ensure compliance with this part by the information. officers and employees of such [covered entity] Preamble to Security Rule, 68 Fed. Reg. at 8335. 42 USC 1320d-2(d)(2). Moreover, in announcing the final Security Rule, HHS also Beyond this mandate—which required the covered entities indicated that: themselves to take certain steps, independent of the issuance of It is likely that covered entities will meet a number of a Security Rule—the statute also required the HHS Secretary the requirements in the security standards through the to adopt security standards that take into account: implementation of the privacy requirements. For example, (i) The technical capabilities of record systems used to in order to comply with the Privacy Rule requirements to maintain health information make reasonable efforts to limit the access of members of (ii) The costs of security measures the work force to specified categories of protected health information, covered entities may implement some of the (iii) The need for training persons who have access to health administrative, physical, and technical safeguards that the information entity’s risk analysis and assessment would require under (iv) The value of audit trails in computerized record the Security Rule. 68 Fed. Reg. at 8371. systems continued on page 6 Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 4
  5. 5. WRF to Host FCC Telemarketing Briefing The Firm is hosting a breakfast briefing featuring K. Dane Snowden, Chief of the Consumer & Governmental Affairs Bureau at the Federal Communications Commission. The focus of the briefing will be on the FCC’s telemarketing rule and its cooperative efforts with the FTC and state regulators. The event will be held on Wednesday, May 21st at 8:30 in the 10 East Conference Center. If you would like to attend, please contact Maggie McBride (202.719.4510 or mmcbride@wrf.com). The Speaker’s Corner WRF Attorneys regularly share their expertise at conferences and seminars around the country. Visit our website at www.wrf.com for additional information on these events. Blue Cross Blue Shield Association Lawyers Conference May 8-9, 2003 Santa Fe, NM Kirk J. Nahra, Speaker, “Privacy For the Health Insurance Industry” National Insurance Crime Bureau, Legal Training Seminar May 20, 2003 Chicago, IL Kirk J. Nahra, Speaker, “Compliance with Federal Rules on Privacy and Information Sharing” Blue Cross Blue Shield Association National Fraud and Audit Conference May 30, 2003 New Orleans, LA Kirk J. Nahra, Speaker, “Health Plans as Victims, Witnesses And Perpetrators” American Bar Association Joint Committee on Employee Benefits June 4-6, 2003 Chicago, IL David R. Levin, Speaker, “ERISA Basics” CBI’s 2nd Annual Continuing Medical Education (CME) Conference June 12, 2003 Philadelphia, PA John F. Kamp, Speaker, “Understand The Proposed ACCME Standards for Commercial Support” American Bar Association Annual Meeting August 7, 2003 San Francisco, CA David R. Levin, Speaker, “ERISA in the News” and “The Sarbanes Oxley Act” National Task Force on CME Provider/Industry Collaboration September 11, 2003 Chicago, IL John F. Kamp, Panelist, “Interactive Case-Based Discussion: Controversies and Challenges for CME and CPD” Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 5
  6. 6. Getting a Handle on the New HIPAA Security Regulation continued from page 4 Scaleable Mandates particular safeguards designed to address the specific standard. In setting out the Security Rule requirements, HHS focused All of these topics are designed to protect “electronic” PHI on four key goals/mandates for covered entities. To be in from the Privacy Rule that is transmitted or maintained in compliance with this Rule, a covered entity must: electronic media. Some of the specifications are “required,” and must be implemented. Others are “addressable,” meaning ✦ Ensure confidentiality, integrity, availability of electronic that a covered entity must review the issue and evaluate protected health information created, received, whether the particular step is “reasonable and appropriate” maintained, transmitted for implementation by the covered entity. 68 Fed. Reg. at 8377 (§164.306(d)). ✦ Protect against “reasonably anticipated threats or hazards” to “security or integrity” of this information The Rule sets out a series of “administrative” safeguards that constitute the key provisions of an effective security program. ✦ Protect against “reasonably anticipated uses or disclosures” In particular, the requirements for “risk analysis” and “risk of this information that are not permitted under the management” set the stage for the remainder of the activities. Privacy Rule In fact, most of the Security Rule describes an appropriate ✦ Ensure compliance by its workforce “process” that covered entities must go through in evaluating security options, broken down into technical, physical and 68 Fed. Reg. at 8376 (§164.306(a)). administrative safeguards. In order to make compliance with this mandate feasible, Under the Rule, “risk analysis” means to: HHS developed a “flexible” approach to compliance, by making the requirements “scaleable” based on the specifics Conduct an accurate and thorough assessment of the of the organization. The provisions also are intended to be potential risks and vulnerabilities to the confidentiality, “technology neutral”—meaning that the Rule does not dictate integrity, and availability of electronic protected any specific technological solution. Instead, the Rule focuses health information held by the covered entity. on process—how to evaluate a company’s security risks and Id. (§164.308(a)(ii) (A)). decide what steps should be taken. Under the Rule, “risk management” involves an obligation to: Covered entities, therefore, must develop appropriate security Implement security measures sufficient to reduce measures based upon: risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule.] ✦ The size, complexity, and capabilities of the covered Id. (§164.308(a)(ii) (B)). entity Also included among the section 164.308 administrative ✦ The covered entity’s technical infrastructure, hardware, safeguards are requirements such as a sanction policy, and software security capabilities assigned responsibility for security activities, security awareness and training, contingency planning and “security ✦ The costs of particular security measures incident” procedures (a “security incident” is an “attempted or ✦ The probability and criticality of potential risks to successful unauthorized access, use, disclosure, modification electronic protected health information or destruction of information or interference with system operations in an information system). There is a separate 68 Fed. Reg. at 8376-77 (§164.306(b)). administrative safeguard related to “business associates,” In general, with this “flexibility,” a covered entity under which are vendors to covered entities (as defi ned by the the Rule may use “any security measures that allow the HIPAA Privacy Rule). These security provisions will require covered entity to reasonably and appropriately implement the specific provisions in business associate (and, unfortunately, standards and specifications” of the Security Rule. Id. 68 will require in most circumstances that covered entities amend (§164.306(b)(1)). the contracts they have just signed with business associates setting forth the requirements of the Privacy Rule). The Security “Process” “Physical” safeguards are less dramatic, but constitute an In addition, the Rule breaks down the regulatory provisions additional core set of safeguards. These include facility into “standards”—which constitute the general security topic access controls (limiting physical access to information which must be addressed, and “specifications,” which are the continued on page 7 Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 6
  7. 7. Getting a Handle on the New HIPAA Security Regulation continued from page 6 systems), workstation use policies, workstation security, and Security Rule. While the Security Rule’s required provisions device and media controls (such as procedures for disposal are very similar to terms that are mandated under the Privacy of computer hardware in light of recent reports of privacy Rule, they are not the same (couldn’t HHS have done a better violations involving discarded computers that still retained job on this?). Accordingly, covered entities will, in most PHI). 68 Fed. Reg. at 8378 (§164.310). instances, need to develop a second round of business associate The “technical” safeguards also are relatively specific, involving contracting to incorporate Security Rule requirements. access controls (such as unique user identification, automatic ✦ Between Now and 2005 log-off, and emergency access procedures), audit controls, integrity (protection against improper alteration or destruction Perhaps the most immediate question for health care entities of PHI), person/entity authentication and transmission is how to interpret the Security Rule provisions now, in security. 68 Fed. Reg. at 8378 (§164.312). developing the Privacy Rule’s “appropriate standards.” Will security standards under the Privacy Rule be “appropriate” even In addition to these safeguards, the Security Rule requires if they are not what is required by the Security Rule? Given covered entities to develop security policies and procedures, the “post hoc” enforcement of most security concerns (meaning and to maintain appropriate documentation of these policies that enforcement happens only after there is a problem), will and procedures. 68 Fed. Reg. at 8378 (§164.316). covered entities be able to maintain the position that their Critical Challenges security is appropriate now, but under lesser standards than are required by the Security Rule? HHS clearly did not intend With this background, when should companies in the health to impose the Security Rule requirements immediately, but care industry be focusing their attention over the next few they also did act aggressively to ensure that this result will months and years in connection with the security of health not happen. The issue arises not only with general security information? provisions, but also in the context of a business associate ✦ Privacy Connections—Regulatory Requirements contract. If there are business associate contracts that are not yet signed (and we know there are many), should covered One of the critical challenges involves what to do now about entities move to include Security Rule provisions now, to avoid security, based on the requirements of the Privacy Rule. a second round of large-scale contracting in two years? Can Clearly, the Privacy Rule requires all covered entities to take these contract provisions be written in a way that does not some steps to protect security. Moreover, unlike the Security require premature compliance with the Security Rule? Rule, the Privacy Rule security requirements are not limited to electronic information, and, therefore, require steps to protect Conclusion all forms of protected health information. These steps were to With all these challenges, health care entities face an be in place as of April 14, 2003 for most covered entities. ongoing problem of how best to protect the customer/patient ✦ Tension Between Access/Privacy and Security information entrusted to their care. How will these standards evolve between now and 2005? Obviously, health care entities As with all security rule provisions, regardless of the industry, encounter today a vastly different environment than when the security provisions reflect a tension with one key component the draft security rule was issued in August 1998. While of most privacy rules—the access of individuals to information we may not see quite as much change in the computerized the covered entity has about them. The easier the access, the world in the next two years, health care entities need to view “looser” the security protections. This is particularly important information security as a continuing challenge, with today’s for companies that operate on the Internet or use other forms industry standards replaced quickly by new templates. These of key access to information or products. All covered entities companies also need to begin security efforts now, and need will need to develop an effective balance between access and to make security protections a continuing part of any health security, to manage tensions between these privacy and security care entity’s ongoing business operations. ✦ provisions. For more information on this topic, or for questions about any of ✦ Business Associate Issues the HIPAA Administrative Simplification rules, please contact Covered entities that are currently completing their business Kirk J. Nahra (202.719.7335 or knahra@wrf.com). associate contracting now face an additional bureaucratic hurdle—implementing the contracting requirements of the Note: This article appeared in the March/April 2003 edition of the Privacy Laws & Business International Newsletter. Privacy In Focus—April 2003 www.wrf.com © 2003 Wiley Rein & Fielding LLP page 7
  8. 8. Department of FTC and FCC Act on Telemarketing Rules continued from page 1 Homeland Security Announces Privacy Officer “Abandoned Calls” Deadline Extension On April 16, Secretary of Homeland Security Tom The Telemarketing Sales Rule’s call-abandonment prohibition Ridge announced the appointment of Nuala O’Connor applies to telemarketing calls made with predictive dialers, Kelly to be the Privacy Officer at the Department of technology that boosts telemarketing efficiency, but can leave Homeland Security. O’Connor Kelly is currently serving consumers with “dead air” when they answer the phone. at the Department of Commerce where she has been the The FTC has determined that failing to route an answered Privacy Officer, Chief Counsel for Technology, and the call to an operator within two seconds after a called person Deputy Director for Policy and Planning. Previously, completes his or her greeting is “call-abandonment” and an she worked at Double Click, Inc. as the Vice President abusive practice. Nonetheless, telemarketers using predictive for Data Protection and Chief Privacy Officer, where she dialers may qualify for a “safe harbor” by taking certain helped form the company’s data protection and privacy steps to minimize call abandonment. The FTC now has compliance department. announced a deadline extension for full compliance with the Telemarketing Sales Rule’s prohibition on “abandoned calls” Secretary Ridge explained that the Privacy Officer for and the safe harbor for call abandonment. Telemarketers now the Department of Homeland Security is responsible for have until October 1, 2003 to comply with these provisions. ensuring that the department’s policies protect privacy The previous deadline was March 31, 2003. ✦ rights of American citizens afforded by our Constitution and laws. The Privacy Officer is also tasked with ensuring For additional information, please contact John Kamp that the use of technologies within the Department (202.719.7216 or jkamp@ wrf.com), Amy Worlton sustain, and do not erode, privacy protections. ✦ (202.719.7458 or aworlton@wrf.com), or Sarah Dylag (202.719.4613 or sdylag@wrf.com). For more information, contact Bruce L. McDonald (202.719.7014 or bmcdonal@wrf.com). April PIF Contributors Cynthia T. Andreason..................................................... 202.719.7364...................................................... candreason@wrf.com Thomas W. Brunner ....................................................... 202.719.7225..........................................................tbrunner@wrf.com Sarah Dylag .................................................................... 202.719.4613.............................................................. sdylag@wrf.com John F. Kamp ................................................................. 202.719.7216..............................................................jkamp@wrf.com Bruce L. McDonald ........................................................ 202.719.7014........................................................ bmcdonal@wrf.com Kirk J. Nahra .................................................................. 202.719.7335.............................................................knahra@wrf.com Amy E. Worlton.............................................................. 202.719.7458.......................................................... aworlton@wrf.com 1776 K Street NW ✦ Washington, DC 20006 ✦ (ph) 202.719.7000 ✦ (fax) 202.719.7049 7925 Jones Branch Drive ✦ Suite 6200 ✦ McLean, VA 22102 ✦ (ph) 703.905.2800 ✦ (fax) 703.905.2820 For past issues of WRF Newsletters, please visit www.wrf.com/publications/newsletter.asp You are receiving this newsletter because you are subscribed to WRF’s Privacy In Focus. To sign up to receive this newsletter by email or to change the address of your current subscription, please visit www.wrf.com/newsletters.asp. To unsubscribe from this list, please send an email to wrfnewsletters@wrf.com with “Remove: Privacy In Focus” in the subject line. This is a publication of Wiley Rein & Fielding LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions. © 2003 Wiley Rein & Fielding LLP ✦ Washington, DC ✦ Northern Virginia ✦ www.wrf.com

×