The FTC Mobile Privacy Staff Report

As reported here, the FTC earlier this month released a staff report on mobile privacy. The report, Mobile Privacy Disclosures: Building Trust Through Transparency, provides privacy practice recommendations to firms operating in the mobile app development "ecosystem." The report's recommendations are geared mainly toward developers and app store operators, such as Apple, Google, or Microsoft.

The report recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's increased interest in mobile privacy issues.

Distilled, the agency wants mobile app firms to provide:

  • Clear, simple privacy policies;
  • Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and
  • Options for end-user control over the access to and use of private information

Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities:

[Screenshot: the iPhone prompt asking the user to allow location access]

This is an instance of "just-in-time" notice.

The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation of increased policing by app platforms. Platforms -- the agency's word for app store operators associated with classes of mobile devices -- are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compare app privacy policies with the platform's own privileged knowledge about the app.

If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:

For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.

The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.

Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have convenient control over that data's use?

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare. This discussion will focus on what suggestions we have for HIPAA business associates (BAs) and their subcontractors (subBAs). Although the core recommendations are for the most part the same as we identified in Part I for CEs, the justification for adopting these suggestions is slightly different and the priorities are reorganized for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements. Privacy counsel will be valuable to assist and document whether a breach has occurred, as well as to help BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade. Now, BAs must enter into the fold. While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable. Insurance is not a substitute for compliance. More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA. Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties. BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI. Additionally, the organization must have policies and procedures in place to implement these safeguards. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules. After a breach is reported to HHS, OCR requests a copy of the organization's policies and procedures in place to safeguard PHI. The request is often broader than the cause of the reported breach and extends to all policies and procedures in place, so that OCR can determine whether the responding organization is compliant with HIPAA. Examples of policies that BAs should have in place include: (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide an organization's incident response team's (IRT) breach response activities. As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed). An IRT's members depend on the size and complexity of the organization, but typically include members from the following groups: (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy. External members of the team can include: (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA. 

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Our initial discussion can be found here. The healthcare industry has been waiting for the final rule for more than two and a half years--now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance? We will cover recommendations for CEs in this post, Part I, and BAs will be addressed in Part II.


Incident Response Plans:  To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time.  An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred.  At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). 


Policies and Procedures:  CEs' policies and procedures, including the Notice of Privacy Policy, must be updated and amended to reflect the new requirements. For example, there are new requirements regarding the timeliness of responding to requests for a copy of PHI.


Breach Analysis Forms:  CEs have been utilizing forms that reflect the language of the interim final rule where the focus is on the potential harm to the patient.  Many CEs have also utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to the impermissible use or disclosure.  The standard has changed and so will the required analysis.  A breach is presumed unless the CE can show that there is a low possibility of a compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered.  (The four factors are listed under Incident Response Plans, supra.)


Education:  HHS and OCR expect that healthcare organizations will create a culture of compliance.  Raising awareness about the importance of privacy issues through education is just one way to achieve this goal.  CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls).  Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations. 


Vendor Lists and Vendor Contracts:  Vendors remain the cause of a large percentage of breaches that occur; more than a third of all breaches are caused by vendors.  Even though BAs are now directly liable, the final rule makes it clear that CEs have an obligation related to appropriately selecting and retaining vendors.  Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy.  Review your contracts to see if language needs to be updated to reflect the final rule.


Risk Assessments and Risk Management Plans:  HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise.  For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial.  Organizations should retain counsel who has been involved in dozens of OCR investigations and who can provide guidance around what OCR is asking for during those investigations.  That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.


Cyber Insurance:  There are many types of cyber policies being sold to healthcare organizations.  Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and State Attorneys General (SAGs) are going to be far more aggressive than in the past.  Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits which are expensive to defend.


Legal:  Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule.  A breach is now presumed which means that outside counsel is going to need to help document the reasons why an organization concludes a breach did not occur.


Forensics:  I am not a big proponent of retaining forensics companies prior to a breach occurring. This is because, like lawyers, the strengths of forensics firms vary. Therefore, if I am dealing with an issue involving a new malware variant, I may find a forensics vendor who has experience with the variant and is better positioned to assist my client. The final rule, however, is a bit of a game changer, and I am now encouraging my clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting determinations that a breach did not occur. For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.


The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013. This does not mean that organizations do not need to be compliant. The Office for Civil Rights (OCR) has made it clear that civil monetary penalties (CMPs) will be on the rise for HIPAA violations. A culture of compliance is expected, not merely encouraged.


On Wednesday, January 23, 2013 at Noon EST, we will be hosting a webinar to discuss some of the big changes in the final rule.  You may register here.

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if they are performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period depending on circumstances.
  • Breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, not when they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches affecting more than 500 individuals.

We also note that some things remain unchanged:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAs and sub-BAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law of HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

Massachusetts Provider Settles with HHS for $1.5M for ePHI breach incident

To date, the Department of Health and Human Services ("HHS") has entered into ten resolution agreements and issued one civil monetary penalty related to its enforcement of the Health Insurance Portability and Accountability Act ("HIPAA"). Four resolution agreements have been triggered by a covered entity's report of a security breach to HHS in compliance with the HITECH Act.

HHS' fourth resolution agreement pertains to an April 2010 incident at Massachusetts Eye and Ear Infirmary ("MEEI") and the Massachusetts Eye and Ear Associates, Inc. ("MEEA") (hereinafter collectively referred to as "MEEI") and MEEI's payment of $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures for safeguarding the privacy and security of their patients' protected health information. The Corrective Action Plan ("CAP"), contained in the resolution agreement, can be found here. The CAP includes minimum content for policies and procedures, workforce compliance with policies and procedures, training, and monitoring over a three-year period.

The settlement stems from MEEI's April 21, 2010 report to HHS of the theft of an unencrypted laptop computer containing the electronic protected health information ("ePHI") of 3,500 individuals – patients and research subjects – including patient names, email addresses, dates of birth and medical histories. Neither Social Security numbers nor financial account information was affected by the incident. The laptop was stolen from a hospital doctor lecturing in South Korea. Immediately upon learning of the incident, MEEI remotely disabled the computer's hard drive. HHS, upon receiving the report, initiated an investigation by the Office for Civil Rights ("OCR") into MEEI's compliance with the Privacy, Security, and Breach Notification Rules. HHS' investigation indicated the following:

  • MEEI, as part of its security management process, did not demonstrate that it conducted a thorough, ongoing risk analysis regarding the confidentiality of ePHI;
  • MEEI lacked security measures to ensure the confidentiality of ePHI;
  • MEEI lacked policies and procedures to address security incident identification, reporting, and response;
  • MEEI lacked policies and procedures for restricting access to authorized users for portable devices with access to ePHI;
  • MEEI lacked policies and procedures governing the receipt and removal of portable devices; and
  • MEEI lacked technical policies and procedures for restricting access to ePHI on portable devices.

As stated by OCR Director Leon Rodriguez in a press release regarding the settlement, “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices. This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”  MEEI, in a statement regarding the settlement, commented that  “Given the lack of patient harm discovered in this investigation, [Massachusetts] Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital’s annual revenue is very small compared to other much larger institutions that have received smaller fines.”

Since 2008, HHS has ramped up its enforcement of the HIPAA Privacy and Security Rules.  HHS’ enforcement actions have included both private and public covered entities.  The evolution of HHS’ enforcement activity is as follows:

  • July 16, 2008 Resolution Agreement with Providence Health & Services - $100,000 (stolen tapes and disks containing unencrypted ePHI of over 386,000 patients);
  • January 16, 2009 Resolution with CVS Pharmacy, Inc. - $2.25 million (inappropriate disposal of PHI);
  • July 27, 2010 Resolution Agreement with Rite Aid Corporation - $1 million (inappropriate disposal of PHI);
  • December 13, 2010 Resolution Agreement with Management Services Organization Washington, Inc. - $35,000 (disclosure of ePHI for marketing purposes);
  • February 4, 2011 Civil Money Penalty issued to Cignet Health of Prince George’s County, MD - $4.3 million (denial of patient access to medical records);
  • February 14, 2011 Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - $1 million (loss of PHI of 192 patients);
  • July 6, 2011 Resolution Agreement with the University of California at Los Angeles Health System - $865,500 (unauthorized employee access to ePHI);
  • March 13, 2012 Resolution Agreement with BCBST - $1.5 million (stolen unencrypted hard drives containing ePHI of over 1 million patients);
  • April 13, 2012 Resolution Agreement with Phoenix Cardiac Surgery - $100,000 (public accessibility to Internet-based calendar of clinical and surgical appointments);
  • June 26, 2012 Resolution Agreement with Alaska DHSS - $1.7 million (stolen USB hard drive possibly containing ePHI of 501 patients); and
  • September 17, 2012 Resolution Agreement with MEEI - $1.5 million (stolen laptop containing ePHI of 3,500 individuals). 

HHS’ last four resolution agreements have resulted from OCR investigations initiated after a covered entity’s reporting of a breach incident.  From this most recent resolution agreement, it is clear that HHS will continue with OCR investigations post breach reporting – to ensure that a covered entity has in place policies and procedures for safeguarding of PHI.  Moreover, MEEI's resolution agreement demonstrates that HHS is concerned with a covered entity's lack of an ongoing risk assessment as to the confidentiality of ePHI.  In line with the BCBST, Phoenix Cardiac Surgery, and Alaska DHSS resolution agreements, a covered entity must conduct an ongoing, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the covered entity. 

Connecticut to Require Notice to Attorney General Following a Breach

Connecticut has been in the forefront in protecting the personal information of its residents.  In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut – stemming from a May 2009 incident related to a lost computer disk containing the protected health and other private information of 1.5 million consumers nationwide.  The incident affected nearly a half million Connecticut consumers.  The settlement included HealthNet’s payment of $250,000 to the state representing statutory damages and HealthNet’s implementation of a corrective action plan.     

Connecticut’s commitment to its residents’ personal privacy continued into 2011.  In September of 2011, Connecticut Attorney General George Jepsen announced the creation of a privacy task force to focus on internet and data privacy concerns.  Since its creation, the Attorney General’s office has publicly requested information from various entities, including the state Department of Labor, Central Connecticut State University, Wells Fargo, and Zappos, after receiving reports of security breaches affecting Connecticut residents.  The requests for information have occurred without a statutory requirement for the notification of a security breach to the Attorney General’s office.  Recently, however, Connecticut joined the ranks of states requiring notification to the Attorney General following a breach incident. 

On June 12, 2012, at an end-of-term General Assembly special session, Connecticut updated its existing data breach notification statute, Conn. Gen. Stat. 36a-701b.  The update appears on page 162 of the Connecticut General Assembly's June 12, 2012 Special Session Bill No. 6001, a 468-page house and senate budget bill.  The updates to the statute are effective as of October 1, 2012.

The legislature, instead of amending the existing data breach notification statute, repealed the statute in full, replacing it with an amended version.  The amended statute differs from the one it replaces as follows:

  • "breach of security" is defined as the "unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable" (the amended language was underlined in the original);
  • if notice of a breach of security is required, notice must also be provided to the Attorney General no later than when notice is provided to a resident; and
  • the statute expressly states that its notification requirements apply only to the personal information of a "resident of this state."

Personal information continues to be defined as an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.  Any violation of the statute continues to be considered an unfair trade practice under Connecticut’s Unfair Trade Practices Act, with the Attorney General retaining enforcement authority, and no private right of action.


Massachusetts Attorney General Settles Enforcement Action for $750,000

In June 2010, South Shore Hospital announced on its website that unencrypted back-up tapes containing patient information went missing and were believed to have been discarded at a dump.  Reports state that this incident involved 473 tapes which contained information about 800,000 patients, including names, Social Security numbers, account numbers, and medical diagnoses.

On May 24, 2012, the Massachusetts Attorney General’s Office announced that a Suffolk Superior Court approved a consent decree for $750,000 to settle a lawsuit under the Massachusetts Consumer Protection Act and federal Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit was filed by the Massachusetts AG against South Shore Hospital.  The settlement includes:

(1) a civil penalty of $250,000;

(2) a $225,000 payment for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information;

(3) a $275,000 credit for security measures taken after the incident occurred; and

(4) according to the press release issued by the Massachusetts AG, “South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.”

Massachusetts has one of the strictest data protection laws in the country, and the Attorney General’s Office there has been focusing on whether organizations are taking the appropriate steps to protect consumer information.  Frequently, after a breach is reported to that office in accordance with Massachusetts law, a copy of the required Written Information Security Program (WISP) will be requested (see 201 CMR 17.00).  Moreover, as we reported here, Massachusetts law dictates that contracts with vendors who handle information concerning Massachusetts residents must require that the vendor have in place appropriate safeguards to protect that information.

Here, South Shore was accused of failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with its back-up tape vendor, and failing to properly train its workforce with respect to health data privacy.  Therefore, even if a WISP is in place, it is clear from this settlement and investigation that the focus is on actual implementation of the written policies and procedures.


FTC Issues Final Report with Guidance on Companies' Online Privacy Practices

Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.”  The much anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach notification, and data broker legislation in addition to advocating that companies self-regulate by adopting the best practices set forth in the FTC’s privacy framework.  The mix of baseline privacy legislation and industry self-regulation tracks the Obama administration’s white paper recommendations for a “privacy bill of rights” and industry codes of conduct enforced by the FTC.

The three prongs of the FTC’s recommended “best practices” to protect consumers’ private information are:

1) Privacy by Design—building in privacy at every stage of product development;

2) Simplified Choice—simplifying consumers’ and businesses’ ability to make choices about their information, such as through a “Do Not Track” mechanism; and

3) Greater Transparency—improving transparency in and consumer access to data collection and use policies.

In response to over 450 public comments to its preliminary report, which are heavily cited throughout the final report, the FTC altered some of its previous recommendations.  First, the FTC recognized the burden faced by small businesses in meeting the FTC’s recommendations.  Thus, the final framework does not apply to companies that collect non-sensitive data from fewer than 5,000 customers per year.  Additionally, in response to concern that data can be “reasonably linked” to consumers, and computers or devices, the Commission clarified that data is not “reasonably linked” where a company takes reasonable measures to ensure data is de-identified, publicly commits to not trying to identify data, and contractually prohibits downstream recipients from trying to re-identify the data.

Secondly, while the FTC previously proposed a list of five “commonly accepted” information collection and use practices, many commentators were concerned these practices could stifle innovation.  In response, the new guidelines state companies do not need to provide choice before collecting and using consumer data for practices consistent with the transaction, the company’s relationship with the consumer, or as required by law.  Thirdly, the Commission now recommends that any legislation addressing the practices of information brokers include procedures for consumers to access and dispute personal data held by information brokers.

The final report summarized the enforcement actions brought by the FTC since it issued the preliminary report, highlighting enforcement priorities that involve website privacy policies and practices, online behavioral advertising, COPPA, FCRA, and data security.  The FTC also identified five key areas it plans to focus its policymaking efforts on in the next year to promote the implementation of its privacy framework:

  • Do Not Track—implementing an easy-to-use, persistent, and effective Do Not Track system;
  • Mobile—improving privacy protections through short, meaningful disclosures; 
  • Data Brokers—supporting targeted legislation that would require data brokers to create a centralized website that would identify brokers to consumers and detail access rights and choices consumers have;
  • Large Platform Providers—exploring issues related to comprehensive tracking of online activities by ISPs, operating systems, browsers, and social media; and
  • Promoting Enforceable Self-Regulatory Codes—working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct, with the carrot that compliance with such codes will be viewed favorably by the FTC when it comes to enforcement.

The FTC cautioned that, to the extent the framework exceeds existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.  However, expect to see the principles of the privacy framework continue to appear as requirements of consent orders the FTC enters into to resolve the enforcement actions it brings.  Indeed, the FTC did just that the day after releasing its final report when it announced that it had entered into a proposed settlement agreement with social game site operator RockYou (prior coverage here) to resolve the FTC’s claims that RockYou failed to protect the privacy of its users when hackers gained access to the user names and passwords of 32 million users and violated COPPA by collecting information from 179,000 children.   

Authorship Credit: Craig A. Hoffman & Jennifer D. Johnson

HHS Settles HIPAA Violations Related to a Breach for $1.5M

BlueCross BlueShield of Tennessee (BCBST) was the victim of a theft in 2009 when an intruder stole 57 hard drives which contained protected health information (PHI) of more than 1 million customers.  The information on the hard drives included names, Social Security Numbers, diagnosis codes, dates of birth, and health plan identification numbers.  Reports suggest that the information would be very difficult to extract from the hard drives and BlueCross BlueShield of Tennessee undertook great efforts and significant expense to identify their customers.  Indeed, over 800 people may have worked on the efforts to identify the customers.  After the incident, BCBST undertook efforts to encrypt all data at rest.

Still, BCBST entered into a resolution agreement (.pdf) on March 13, 2011, by which it agreed to pay $1.5M.  BCBST also entered into a corrective action plan (CAP) which sets out a period of compliance obligations and has a term of 450 days.  The CAP requires:

  • BCBST implement policies and procedures (to be reviewed by HHS) which require:
    - a risk assessment be performed to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site;
    - a risk management plan be implemented to respond to the risks identified in the risk assessment;
    - use of facility access controls and a facility security plan to limit access to areas where ePHI is located; and
    - physical safeguards governing the storage of electronic storage media containing ePHI;
  • training on policies and procedures;
  • random monitoring by BCBST’s Chief Privacy Officer for compliance with the policies; and
  • biannual reports to HHS over the CAP period describing compliance with policies and procedures, training efforts, and reportable events that occurred.

When dealing with regulators, such as OCR, keep these principles in mind:

  • Regulators expect transparency.
  • Your investigation should be prompt, thorough, and well documented.  If certain investigations are privileged, make certain that you assert that privilege.
  • A good attitude and cooperation send a message that the organization is committed to compliance and safeguarding PII, PHI, and ePHI.
  • Notification concerning a breach should be appropriate and prompt.
  • Know the root cause of the breach and address it through staff training, awareness programs, technical safeguards, and new policies/procedures/physical safeguards.
  • Provide customers with the appropriate level of mitigation or remediation measures.  Credit monitoring does not always address the risk to the customer.  Sometimes, it can be as simple as advising a patient to monitor his or her Explanation of Benefits (EOB) statements or telling a customer to file a report with a credit card company that his or her credit card number has potentially been exposed.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”  The safeguard and training requirements of the CAP are very similar to requests for information we see from OCR following a reportable breach.  If a healthcare organization does not currently have the above risk management plans and safeguards in place, the warning sent as a result of this settlement is clear—make these compliance issues a priority before you have a reportable breach.

Key Government and Industry Leaders Discuss Data Privacy at IAPP Summit

Last week in Washington, DC, officials from the U.S. Federal Trade Commission, the Department of Commerce, major trade associations and key stakeholders from around the world gathered at a global privacy summit convened by the International Association of Privacy Professionals.  During the two day conference, panels covered a broad range of topics from mobile device privacy to the outlook for federal legislation to global corporate compliance programs.  Several themes emerged, including:

  • Rapid technological change is prompting an evolution in traditional notions of privacy.  While the law – state, federal, EU – is evolving much more slowly, changes are underway and regulators and legislators need (and want) to hear from stakeholders;
  • No one wants to stifle technology and the new economy jobs it creates, but many current privacy disclosures and practices (or the lack thereof) risk making the “privacy bargain” (personal information in return for free content/services) so one-sided that prescriptive regulation becomes inevitable; 
  • Companies lacking a robust compliance program governing collection, protection and use of personal information (be they customers, employees, vendors, or others) may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines.

The huge attendance at this year’s summit by a wide range of companies, technical professionals, and inside and outside counsel from all over the world reflects the growing importance of these issues.  Following are highlights from some of the conference panels I attended featuring the FTC:

Collection Versus Use

Regulation of data collection versus data usage was a central theme at a panel that had hoped to discuss the FTC’s final version of its 2010 framework for protecting consumer privacy (still no word on when the final report will be issued).  Disagreeing with a fellow panelist from George Washington University who said the FTC should simply focus on how collected consumer data is used, FTC Commissioner Julie Brill expressed serious concerns about the “unmitigated collection” of consumer data for all manner of purposes that then exists in perpetuity.  Referencing a recent New York Times article about the ability to predict whether someone is pregnant out of “relatively innocuous information,” Brill said she is most concerned about vast amounts of information being collected and then used to compile profiles of consumers.  Brill urged companies not to think about privacy just in terms of compliance but to think about it as “risk management” at the corporate executive level, pointing out that the more information a company collects the greater the potential liability if it is breached.  Brill also emphasized the collection versus usage theme in the context of “do-not-track” proposals being developed by industry, saying it is very important that do-not-track address both the collection and use of consumer information; to ignore the collection element would only yield a “do-not-target” mechanism, which is not what the FTC called for in its preliminary framework. 

Liability and Proactivity

Brill also said that failure to have a “privacy by design” program in place would not be automatic grounds for a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Brill said that the FTC looks at companies’ practices and processes when evaluating a potential privacy-related enforcement action, insisting over her co-panelist that such actions are not subject to strict liability.  Nonetheless, Brill encouraged companies to be forward-thinking, saying that standards in the realm of privacy and data security have evolved and the reasonable steps a company is expected to take will become more comprehensive in the future.  Similarly, Brill encouraged privacy professionals to help their clients realize that privacy and data security issues are not going away; ignore a problem and you’ll end up sitting across from the FTC in an enforcement action.  Finally, Brill also warned that many data brokers do not even realize that they come under the Fair Credit Reporting Act.

COPPA and Mobile Privacy

The FTC is continuing to review its rules with respect to children’s growing use of mobile devices and online services.  Referring to the “long tail” in the app industry and the fact that so many apps lack privacy policies, as found in the FTC’s February report, Commissioner Brill said she wanted to get the message out that the Children’s Online Privacy Protection Act applies to mobile device applications.  Brill described COPPA, which requires parental consent for collection and use of children’s personal information, as an appropriate “speed bump” for particular types of users, while private sector panelists characterized COPPA as more of an obstacle to the possibilities created by new online and mobile platforms that requires fine tuning.  The issue of how to treat teens, currently not covered by COPPA, was also discussed.  Brill could not comment on specifics due to the review underway, but thinks that teens require some sort of special protection and said some commenters believe COPPA should be extended up to age 18.

In a separate panel, Christopher Olsen, assistant director of privacy and identity protection in the FTC's Bureau of Consumer Protection, similarly warned that companies need to do a better job providing information about their mobile apps’ data collection, and that the same privacy and security principles apply in the mobile and non-mobile environments.  The FTC undertakes its own inspections of mobile apps, testing developers’ claims, in addition to considering consumer and NGO complaints and congressional concerns.  With all the different players involved in the mobile device space – from app developers to telecom carriers to ad networks to device manufacturers – contract provisions play a large role in how information is collected and used.  Olsen stressed that compliance with such provisions – making sure someone is actually monitoring – will be an important issue going forward.

Finally, the FTC will hold a mobile payments workshop on April 26 and a “Public Workshop to Explore Advertising Disclosures in Online and Mobile Media” on May 30.  The latter will inform FTC’s thinking on updating guidance to businesses about disclosures in online advertising.

All Contracts with Vendors Who Handle Personal Information of Massachusetts Residents Must Have Appropriate Safeguards in Place by March 1, 2012

Regulators are focusing more and more on how responsible organizations are when engaging third-party vendors.  HIPAA has in place requirements for engaging business associates.  The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors.  And, the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third-party service providers.  This is no surprise since many studies suggest that over a third of breaches are caused by vendors. 

Since March 1, 2010, businesses that handle personal information of Massachusetts residents have been addressing the requirements of Massachusetts 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth[.pdf].  There are many requirements – from employing a comprehensive information security program to developing security policies for current and terminated employees.  Additionally, organizations are required to include language in contracts with vendors who handle personal information of Massachusetts residents regarding the employment of appropriate safeguards.  This has always been a requirement under 201 CMR 17.03(f)(2); however, there was a 2-year “safe harbor” for contracts that were entered into prior to March 1, 2010.  On March 1, 2012, that “safe harbor” expires and all contracts with vendors who handle personal information of Massachusetts residents must require vendors to implement and maintain appropriate security measures for personal information.

Whether you are a vendor, or the organization providing the data to the vendor, you must have a Written Information Security Program (WISP) in place to be compliant under Massachusetts 201 CMR 17.00.  If a breach occurs, the Massachusetts Attorney General must be notified and you will very likely be asked for a copy of your WISP.  Generally, when we assist clients with the preparation of a WISP, we address both technical and administrative safeguards such as:

  • encryption;
  • employee training;
  • sanction policies;
  • regular monitoring of the implementation of the policies in place;
  • risk assessments;
  • breach response plans;
  • access controls;
  • anti-virus protections; and 
  • firewall protections.

Moreover, notwithstanding the requirements of the Massachusetts law, it is good practice to update old contracts to address issues that have evolved over the past few years related to privacy.  Some of these include:

  • independent audit of a vendor (e.g., American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16));
  • cyber insurance coverage, including notification costs;
  • pre-approval of the use of cloud services;
  • pre-approval of the downstream sharing of data with sub-vendors; and
  • compliance with local, state, and federal data security laws.

Whether or not you need to comply with the Massachusetts Data Security Regulations, now is a good time to take your dusty old contracts out of the drawer to see how they can be improved.  Vendors should be reviewing their contracts, too – not just from a regulatory compliance standpoint, but to make sure they are not committing to something they are unable to deliver.


Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information (including name, address, email address, telephone number, social security number, etc.) about children under 13 without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement [pdf] in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed to not misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to the Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority over the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning call that HHS is looking carefully at the safeguards healthcare organizations have in place for protected health information (PHI).  The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority over their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed.  The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, HHS conducted HITECH enforcement training sessions for state AGs this year.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

Facebook and FTC Settlement Agreement - Online Privacy Practice Implications

Facebook and the FTC announced an agreement on November 29, 2011, ending the FTC’s 18-month investigation into Facebook’s user privacy practices.  By adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  Indeed, shortly after announcing the settlement, the FTC posted a list of seven key lessons for businesses based on its recent consumer privacy enforcement actions.

The FTC’s eight-count complaint included allegations regarding Facebook’s statements about user privacy controls, including whether Facebook shared user information with third party applications, despite representations that users could control their privacy settings.  For example, a user’s personal privacy settings in some instances were ineffective against “Friends’” applications.  Additionally, the FTC alleged that Facebook engaged in retroactive privacy changes that overrode users’ previous levels of privacy in December 2009 by making certain information, such as name, profile picture, city, gender and friend list, public.  Though Facebook admitted to no wrongdoing in the settlement agreement, as Mark Zuckerberg explained in a blog post, the agreement establishes certain requirements for Facebook’s management of users’ information and privacy settings—many of which Facebook has implemented.

In the consent order, Facebook agrees that it will not misrepresent the extent to which it maintains privacy or security of “covered information” (user provided information, including name, address, e-mail address, phone number, IP address, photos and videos, or physical location).  Specifically, Facebook agreed not to misrepresent the following aspects of its privacy controls: 

  • the extent to which it maintains the privacy or security of such information in the collection or disclosure of covered information;
  • the extent to which a consumer can control the privacy of any covered information maintained by Facebook and the steps a consumer must take to implement such controls;
  • the extent to which Facebook makes or has made covered information accessible to third parties;
  • the steps Facebook takes or has taken to verify the privacy or security protections that any third party provides;
  • the extent to which Facebook makes or has made covered information accessible to any third party following deletion or termination of a user’s account with Facebook or during such time as a user’s account is deactivated or suspended; and
  • the extent to which Facebook is a member of, adheres to, complies with, is certified by, endorsed by or otherwise participates in any privacy, security or any other compliance program sponsored by the government or any third party, including but not limited to, the U.S.-EU Safe Harbor Framework.

Other highlights of the agreement include that Facebook must clearly convey what user information is “nonpublic” and the extent to which it is shared with third parties by disclosing the identity of those third parties, disclosing the extent to which sharing such information may exceed the boundaries of a user’s established privacy controls, and obtaining a user’s informed consent.  The agreement also limits use of a Facebook user’s covered information to a 30-day window after a user has terminated or deleted his or her account.  Facebook must also establish a comprehensive privacy program, obtain privacy audits every two years for the next 20 years, and keep certain records of its communications or policy changes regarding privacy.

Jennifer Johnson contributed to this post. 

Snack Food Company's Social Media Marketing Campaign Directed at Teens Draws FTC Complaint

A consumer institute, Center for Digital Democracy, filed a complaint and request for investigation with the FTC on October 19 related to the marketing of Doritos to adolescents.  The complaint cites a research report, Digital Food Marketing to Children & Adolescents, which identifies digital marketing practices that purportedly pose threats to the health of children.  Some of the Doritos marketing campaigns referenced in the complaint won prestigious marketing awards, including the Hotel 626 campaign.     

The complaint alleges that Pepsi’s subsidiary Frito-Lay engaged in deceptive and unfair digital marketing practices in violation of §5 of the FTC Act through a social media marketing campaign (contests, video games, concerts) targeted at teens because: (1) the marketing campaign is disguised as entertainment instead of advertising; (2) Pepsi fails to adequately protect the personal information it collects from teens and it collects personal information from teens without giving meaningful notice and consent; and (3) its use of viral marketing through Facebook and Twitter endorsements by teens violates the FTC’s Endorsement Guidelines.  The complaint also alleges that the campaign contains material misrepresentations and omissions because consumption of Doritos harms the health of teens. 

We are following the FTC’s response to this complaint because the arguments made by the complaint could conceivably apply to the use of social media by many large brands. 

US Obtains Secret Court Orders for User Information

In recent years, federal law enforcement agents have increasingly sought and obtained secret court orders under the Electronic Communications Privacy Act (the “ECPA”) requiring internet service providers to disclose certain information about customer accounts. As reported last week by the Wall Street Journal, the U.S. government has obtained such secret orders requiring Google, Twitter, and Sonic.net to disclose information regarding the accounts of Wikileaks volunteer Jacob Appelbaum. These sealed orders allow the government to obtain information from individuals’ emails and cell phones without a search warrant and without providing notification to the subject of the search.

The ECPA was passed in 1986 with the purpose of protecting the privacy of electronic communications, telephone, and mail. However, the law allows a governmental entity, simply by obtaining a court order, to require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber or customer (but not the content of any electronic communications). The standard for obtaining a court order under the ECPA is a showing of reasonable grounds that the information sought may be relevant and material, which is below the probable cause standard required by the Fourth Amendment. Thus, rather than protecting users’ privacy, the ECPA has become an effective tool for law enforcement to gather information about individuals’ email communications.

As detailed in the article, the U.S. Department of Justice obtained court orders in December 2010 directing Google, Twitter and Sonic.net to turn over the IP addresses from which Mr. Appelbaum logged into his accounts as well as the email and IP addresses of people with whom Mr. Appelbaum corresponded, dating back to November 1, 2009. Sonic.net unsuccessfully fought the government’s order and was ultimately forced to turn over the information, but it was able to get the order unsealed. Twitter has not yet complied with the order, but won the right to notify the subscribers whose information was sought. It is not known whether Google has challenged or complied with the order.

How often are these orders used? According to the Wall Street Journal, this data is difficult to obtain because of the secrecy surrounding the orders, but Google has previously disclosed that in the last six months of 2009 it received 4,601 requests from the government for information (including, but not limited to, requests under the ECPA) and complied with 94% of these.

The government’s use of the ECPA to obtain such information without a search warrant has increasingly come under criticism. As the article illustrates, there is a growing debate among law enforcement, defense attorneys, legal scholars and legislators regarding the ECPA’s continued relevance in light of the many technological advances since its enactment in 1986. Supporters of the ECPA have expressed concern that proposed changes to the act would prolong and undermine criminal and national security investigations. Meanwhile, various courts, including the Sixth Circuit Court of Appeals and the Eastern District of New York have questioned the constitutionality of these orders in cases where the government obtained emails and cellphone information without a search warrant.

In response to these concerns, the Digital Due Process Coalition, which consists of public interest groups and public companies such as the ACLU, AT&T, Google, Microsoft, the Center for Democracy and Technology, and the Electronic Frontier Foundation, has been lobbying Congress to update the Act to address these privacy concerns. While it remains to be seen whether Congress will adopt greater protections, one thing is clear - the Wall Street Journal has ensured that the public is no longer in the dark about these “secret orders.”

White Collar Wiretaps: Will Your Own Words Come Back to Haunt You?

Jonathan B. New, a partner in Baker Hostetler's New York office and a member of the firm's White Collar Defense and Corporate Investigations Team, along with associate attorney Sammi Malek recently authored the article, "White Collar Wiretaps: Will Your Own Words Come Back to Haunt You?" published in the July 21, 2011 issue of the New York Law Journal.

The article examines the prosecution and conviction of Raj Rajaratnam, Galleon Group's co-founder, for insider trading -- a significant conviction due to the novel use of wiretap evidence to bring the crime to life before the jury. New and Malek explore the history of wiretapping, limitations on the use of wiretaps and the effects that prosecutors' newly aggressive use of wiretaps will have on the practices of the financial services sector.

"The government's recordings have ensnared not just traders and financiers but also officers and directors of public companies, lawyers, and consultants. As a result," the authors explain, "Wall Street may now be wondering 'is law enforcement listening?' whenever they pick up the phone, as U.S. Attorney Preet Bharara warned in announcing the arrest of Mr. Rajaratnam."

Wiretaps and Financial Crimes

Historically, law enforcement has used wiretaps to assist in investigations of narcotics trafficking and organized crime. "Nevertheless, the Galleon case reflects a recent coordinated effort by law enforcement to use electronic surveillance and 'organized crime' style approaches more frequently in white collar cases."

Limitations

New and Malek examine the limitations and conditions of wiretap use. "The government can only seek a wiretap if there is probable cause to believe that a predicate offense is being committed, and a court may suppress a wiretap if the application fails to meet this standard or for government misconduct. The number of crimes that may be investigated using wiretaps has expanded over time, but still does not include securities fraud."

Implications

The authors analyze electronic surveillance in the Galleon case, and what this will mean for corporate America going forward. "Although electronic surveillance of the financial sector may not become routine, its dramatic use in the Galleon and expert networking investigations has highlighted the need for effective and comprehensive compliance programs to identify and address questionable practices before they become widespread. With the government having publicly declared its policy of aggressively pursuing cases of financial fraud, companies are well-advised to take this opportunity to review and update their internal policies and procedures currently in place, to retrain their employees on best practices, and establish a culture in which employees seek advice on actions that may be close to the line.... Compliance officers and IROs [investment relations officers] who seize this opportunity stand a greater chance of preventing or detecting early even an inadvertent improper disclosure of material nonpublic information, which not only protects the company and its insiders from criminal prosecution, but also benefits the investing public."

Cookies Crumbling? -- An Update

The UK Information Commissioner's Office ("ICO") has clarified today that it will not commence enforcement of the controversial new EU rules governing the use of “cookies” (the “EU Cookie Law”) until May of 2012.  With certain limited exceptions, the new EU Cookie Law requires users to provide express “opt-in” consent before a website can place “cookies” on a user’s computer.

“Organizations and businesses that run websites aimed at UK consumers are being given up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins,” United Kingdom Information Commissioner Christopher Graham said in a May 25 statement announcing the release of New Guidance on how it will enforce the EU Cookie Law.

The ICO's New Guidance warns that organizations should not wait until May of next year before starting to bring their practices in line with the requirements of the EU Cookie Law, but should begin developing a compliance plan and implementing that plan now. 

While it is possible that other jurisdictions in the EU will commence enforcement of the EU Cookie Law before May of 2012, the UK appears to be the most advanced in developing an enforcement program at this time.

Are the Cookies Crumbling?

Although the world did not come to an end on Saturday, as one millennial group had predicted, some in Europe worry that the end is near for European Internet start-ups when the new EU cookie directive goes into effect on May 25, 2011.  The concern is that European-based web sites will become littered with pop-up windows seeking consent to the use of cookies, while sites in the U.S. will continue to benefit from cookies without having to get a user’s express consent for every cookie placed on a user’s machine.

And while European-based web sites fear they will bear the brunt of enforcement, U.S.-based websites with users in Europe are potentially subject to these rules.

Website operators install cookies (small digital files) on users’ computers to store and retrieve information on a user's activity on the site.  Cookies are an important tool for measuring the appeal of content, improving user services and targeting advertising.   Traditionally, website operators have disclosed their use of cookies in their website privacy policy.  Users were deemed to consent to having cookies installed on their computer in accordance with this posted policy.   As the UK Information Commissioner's Office (“ICO”) has explained in recently-issued Guidance, this passive consent is no longer generally permitted under the new EU rules.  With certain limited exceptions, a user must affirmatively “opt in” to accepting cookies before a website can install cookies (or any similar file) on a user’s computer.

The potential fines for violation of the EU cookie rule are high – up to £500,000 in the UK – but it is unclear whether or when EU authorities will commence enforcement of this new rule.  The ICO has said it will delay enforcement to give website operators the time to adjust their practices.  The ICO has also held out the possibility that the ultimate solution will be more advanced web browser technology.  The ICO advocates widespread adoption of web browsers that give users more control over the types of cookies that they allow to be placed on their computer.  But until this technological solution arrives, website operators with users in Europe must confront the question of how and how soon they will bring their sites into compliance with the EU directive.

HIPAA Bombshells -- Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”).  Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS announced that it reached significant resolutions of two cases of alleged HIPAA privacy violations by covered entities.  In the first announcement on February 22, HHS disclosed it has required Cignet Health to pay $4.3 million in civil monetary penalties (“CMPs”) for failing to comply with patient requests to access their health records (protected health information, or “PHI”), and for failing to cooperate in the resulting HIPAA enforcement investigation by the HHS Office of Civil Rights.  In addition to drawing attention to HHS’ intent to exercise its expanded powers under HITECH, the case sends a message that failure to take seriously the specific requirements of HIPAA privacy regulations and honor patient requests in a diligent and timely manner can result in significant financial exposure to covered entities and their business associates.  Of the total $4.3 million CMP imposed against Cignet Health, $3 million was related solely to the company’s alleged failure to cooperate in the HIPAA investigation.  While such an amount could potentially be avoided or mitigated by organizations that diligently and thoroughly cooperate in any investigation of alleged HIPAA violations, the remaining $1.3 million imposed against the organization indicates the vigorous approach that could be taken by HHS in the future with respect to enforcing patients’ privacy rights.

Two days after the announcement of the $4.3 million CMP against Cignet Health, HHS announced on February 24 that it had reached a resolution agreement with The General Hospital Corporation and its affiliate Massachusetts General Physicians Organization, Inc. (“Mass General”) regarding the loss of 192 paper files containing PHI of Mass General outpatients.  The files, which were mistakenly left on a subway train by an employee while commuting, contained billing records with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients.  Also left on the train were daily office schedules for three days that contained the names and medical record numbers for 192 patients.  HHS found that Mass General failed to implement reasonable and appropriate standards to protect the privacy of PHI when removed from its facilities.  Mass General agreed to pay $1 million to resolve the matter, but perhaps just as significant as the large civil penalty is the agreement by Mass General to adhere to a three-year corrective action plan, requiring it to develop and present for HHS approval new privacy and data security policies and procedures intended to address the administrative, technical and physical safeguards required under the HIPAA regulations, and to train all employees within 90 days of HHS approval of such policies.  The agreement also requires Mass General to appoint an internal monitor for the corrective action plan, who must report to HHS semi-annually the results of its monitoring and any “Reportable Events” under the agreement.
In a requirement of which all covered entities and business associates should take notice, the resolution agreement requires Mass General to issue a communication to all employees prohibiting them from physically removing PHI from facility premises, except for the performance of their job duties and only if reasonable and appropriate steps are taken to safeguard the confidentiality of the PHI removed.

Noteworthy Data Privacy and Information Security Events in 2010

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce.  Below is a brief summary of those two reports and other issues drawing attention in the past year:

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published its preliminary report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:

  • simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
  • creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
  • extending protection to information collected offline;
  • dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
  • a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

(2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

  • Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
  • Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
  • Encourage global interoperability.
  • Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

  • Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
  • Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
  • In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

(5) HHS/HIPAA/HITECH

  • White House Forms New Subcommittee to Review Online Privacy Issues
  • HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

  • Designate an employee to maintain the security program;
  • Identify and evaluate internal and external security risks;
  • Impose disciplinary measures for violations of the program rules;
  • Oversee third-party service providers;
  • Require regular monitoring and updating of the program; and
  • Document responsive actions taken in connection with any breach of security.

For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business's premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

FTC Enforcement of the Red Flags Rule Likely to Begin January 1

Since 2008, the Federal Trade Commission (“FTC”) has announced multiple times that it would delay enforcement of the Red Flags Rule.  The last Enforcement Policy announced a delay through December 31, 2010, so that Congress could consider legislation regarding the scope of entities covered by the Rule.

The Rule applies to “financial institutions” and “creditors” that maintain “covered accounts,” and it requires covered entities to implement a written program designed to detect patterns and practices that indicate possible identity theft—“Red Flags.”  Because the Rule initially broadly defined “creditor” (an entity that regularly extends credit) and “covered account” (a consumer account that permits multiple transactions or a commercial account where there is a “reasonably foreseeable risk” of identity theft), a wide range of businesses were required to comply with the Rule (e.g. car dealers, health care providers, accountants, law firms, mortgage brokers, utility companies, and telecommunication companies). 

After lawsuits were filed by groups representing health care providers, attorneys, and accountants seeking to enjoin the FTC from applying the Rule to their members, the House and Senate introduced legislation to limit the scope of the Rule.  On December 18, President Obama signed the Red Flag Program Clarification Act of 2010, which limited the scope of the Rule by amending the definition of “creditor.” 

The amended definition of “creditor” specifically excludes creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  The amended definition also includes a provision that will allow regulating authorities to promulgate a rule defining entities they regulate as a “creditor” upon making a “determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”

Essentially, the amended definition of “creditor” exempts service providers like lawyers, doctors, and accountants from complying with the Rule.  According to Sen. Mark Begich, D-Alaska, who sponsored the legislation in the Senate with Sen. John Thune, R-S.D., the basis for excluding service providers from complying with the Rule is that service providers generally do not offer or maintain accounts that pose a reasonable risk of identity theft.

The legislative amendment to the definition of “creditor” likely clears the way for the FTC to begin enforcement of the Rule on January 1, 2011. 

"Advertising Option Icon" Will Allow Opt-Out of Online Tracking

A coalition of advertising trade groups launched a new online behavioral advertising (“OBA”) opt-out program on October 4, 2010, to build on the self-regulatory principles they released last summer.  The program, which is explained on the group’s website, features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

The Self-Regulatory Principles for Online Behavioral Advertising that the new icon enhances were released in July 2009 by the online advertising industry to correspond with the guidelines for behavioral advertising issued by the U.S. Federal Trade Commission in February 2009.  The seven self-regulatory principles—education, transparency, consumer control, data security, consent before material changes, limiting collection of sensitive data, and accountability—were designed to address growing consumer concern about the collection and use of personal information.  According to Network Advertising Initiative spokesperson Andrew Weinstein, the new icon is designed to provide “consistency to the visual icon, messaging and opt-out process across all of the participants in the online advertising industry.”

OBA and social networks are not easy to regulate, but the self-regulatory approach to this industry has come under fire from privacy advocates who argue that the approach fails to offer consumers meaningful, informed choices and that the new opt-out program is a last-ditch effort to avoid new federal legislation.  Although the head of the FTC’s Bureau of Consumer Protection, David Vladeck, has recently expressed his disappointment in the industry’s self-regulatory efforts, he stated that he will continue to support self-regulation.  Mr. Vladeck also stated that the FTC is reviewing the viability of a “do-not-track” mechanism following the announcement by Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor, D-Ark., that he is working on such legislation.  The “do-not-track” mechanism would function like the national Do Not Call Registry by allowing consumers to opt out of having their browsing activities tracked.