Data Security
MA - The Massachusetts Office of Business Affairs and Consumer Regulation has extended the deadline for complying with new data protection standards. The January 1, 2009 deadline has been pushed to May 1, 2009. For more information about the scope of this law, please read the November 2008 Legislative Update

Bermuda - Government officials announced plans in November to draft electronic data protection legislation in Bermuda. They hope it will help ease business dealings with the European Union. Bermuda has seen an increase in the amount of data international companies store on the island electronically and the territory does not meet EU protection standards for data transfers. Identity theft is also a concern: “Crime is an increasingly sophisticated business and therefore consultation on draft data protection and privacy legislation will commence during the session.”

Uruguay - In August, Uruguay adopted a new personal data protection law modeled on the European Union Data Directive, and Uruguay, is applying to the European Commission for a determination that their laws are “adequate” by EU standards. The new law establishes a Regulatory and Personal Data Control Unit. It covers both the public and private sector, and both individuals and corporate entities, whose records are kept in databases, and managed by government, public, or private organizations. Institutions have one year to comply with the new guidelines.

MA - The 1st U.S. Circuit Court of Appeals in Boston ruled that New Hampshire's law to restrict access to doctor's prescription-writing habits is constitutional. The New Hampshire Prescription Information Law aims to protect the privacy of doctors' prescribing data, which pharmaceutical companies use to help sales representatives personalize their pitches. Under the law, entities will be prohibited from selling or using prescription information for commercial purposes. The law was intended to cut down on state health care costs by eliminating the tool used by drug sales representatives in promoting brand name drugs. By purchasing the data describing which doctors prescribe what drugs, pharmaceutical sales forces are better able to identify which doctors might use their products and be receptive to their sales pitches. The decision overturns that of a lower court, which ruled that the law infringed upon commercial free speech.

The decision could also have implications in other states that have either adopted or are considering similar legislation, particularly Maine, which is in the same appellate district as New Hampshire and where a similar law was struck down by a district court this year. Vermont has also enacted a similar law that is to take effect next year but is also facing a court challenge. Survey and opinion researchers who rely on physician prescribing data for survey research purposes are not confined by the scope of this decision since it relates to gathering the data for commercial related purposes. If the survey, however, is used for future marketing and other promotional material, then it will be prohibited under the New Hampshire law.

Telephone Records
NJ - Sen. Madden (D) introduced SB 2278, the Consumer Telephone Records Protection Act. The Act prohibits gaining access to a customer’s telephone records and account information without consent or by using fraudulent means. The bill also makes it a crime for any person to receive, or attempt to purchase or receive, confidential telephone records; or any employee of an entity that provides voice services, data broker, or other person to knowingly sell, or attempt to sell, confidential customer telephone records information without the customer's authorization. SB 2278 also provides exemptions from the legislation, which include: law enforcement agencies, entities that provide voice service and their agents.