Congratulations to the BakerHostetler Privacy and Data Protection Team for their ranking and “considerable praise” in the 2013 edition of Chambers USA: America’s Leading Lawyers for Business. The team was ranked among the nation’s best in the area of “Privacy & Data Security: Nationwide.” Privacy and Data Protection Team Co-Leader, Ted Kobus, was individually ranked for his “excellence,” leadership, and expertise. Equally impressive, the BakerHostetler team was also given the distinction of being “Recommended for Client Service” and “Recommended for Commercial Awareness.” Our results and client confidence speak for themselves with our clients endorsing us as “a very strong team” and the “go-to firm on these issues” given our “deep capability,” “dedicated service to clients,” and “commercial awareness." The BakerHostetler Privacy and Data Protection Team is recognized for looking “to get the job done in a manner that is in the best interests of the client, in a professional and cost-effective manner."
Privacy and data protection issues confront all organizations—whether you handle employee information, credit card data, sensitive financial information or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise. BakerHostetler's Privacy and Data Protection Team is experienced at guiding our clients through this maze of global privacy norms.
The BakerHostetler Privacy and Data Protection Team has developed a prompt and practical approach. We have a comprehensive international network of experienced service providers who are responsive when clients require support and guidance through a data security event. This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with an international data breach so that you can know what immediate steps to take and what questions you need to ask to minimize your company's exposure.
BakerHostetler's International Compendium of Data Privacy Laws is now accessible.
We hope you find the information practical and welcome your comments and suggestions. We encourage you to contact the authors of the compendium, Gerald J. Ferguson at firstname.lastname@example.org, Theodore J. Kobus III at email@example.com, or Gonzalo S. Zeballos at firstname.lastname@example.org for further information.
Use the form below to tell us about a blawg—not your own—that you read regularly and think other lawyers should know about. Or if you don't have particular blawgs in mind but think blawgs from a certain practice area should be represented in the Blawg 100, you can use this form to let us know which ones. If there is more than one blawg you want to support, feel free to send us additional amici through the form. We may include some of the best comments in our Blawg 100 coverage. But keep your remarks pithy—you have a 500-character limit.
We invite our readers to recommend the Data Privacy Monitor and other favorite legal blogs for selection by the ABA. Submissions are accepted through September 7.
Internet-rights pundits had been waiting with bated breath for the Brazilian Congress’s vote on a proposed internet bill of rights—the so-called “Marco Civil da Internet.” That vote, which was scheduled for August 8, 2012, was canceled at the last minute without explanation. The proposed bill represents a unique, collaborative effort with the public—whose input was solicited by legislators via the internet—to regulate internet use not by defining prohibited acts, but rather by prescribing affirmative rights for internet users and service providers. The bill’s stated goal is to make the internet more open and transparent by establishing internet neutrality. But the bill is not without its detractors, who claim that its expansive protections for internet service providers regarding content are both a recipe for disaster and in contradiction with existing Brazilian legislation. Regardless of one’s position on the bill, which does enjoy significant popular support, the cancelation of the vote was disappointing to many, who see the proposed legislation as an important step in defining internet rights. A new date for the vote has yet to be scheduled.
For the complete text of the proposed legislation click here.
“Information wants to be free” has been a rallying cry of technology activists from the inception of the Internet revolution. True to this slogan, web sites offering free web content and free web services are the most pervasive and popular sites on the Internet.
But, to quote another adage that predates the Internet: “There is no such thing as a free lunch.” The providers of these “free” websites are extracting something of value from consumers in exchange for the “free” content and services. These websites are collecting information about individual consumers’ identity, interests and habits -- valuable information that can be sold to advertisers looking to target individuals matching the profile of their desired consumers.
In its recently issued Report detailing its recommendations for protecting consumer privacy, the FTC made a priority of empowering Internet users to prevent websites from tracking user activity across the Internet. Adopting a slogan of its own – Do Not Track – the FTC has called upon industry groups to implement an “easy-to-use, persistent, and effective” system that will allow consumers to block the tracking of user activity across the Internet. The not-so-veiled threat from the FTC is that if industry refuses to act, government regulators will have to step in and impose a “Do Not Track” regime.
Assuming that the FTC achieves its stated goals—to clearly warn consumers whenever their Internet activity is tracked, and to empower those consumers to block that tracking immediately—what are the potential commercial implications?
One scenario is that there will be no implications. For example, web browsers have long given consumers the ability to disable cookies. But any consumer activating that web browser feature quickly learns that he or she has access to almost no web sites because virtually every interactive web site relies on cookies. If consumers are routinely denied access to desired web sites when they block “tracking”, consumers will quickly be taught not to block tracking.
Another scenario is possible as well. To date, “paid for” web services have generally found it difficult to compete with “free” web services. Why pay for something that you can get for “free”? However, as outlined above, “free” services are not really free. There is a price paid in terms of privacy sacrificed. To date, that price has been hidden in lengthy privacy policies that must be accessed through a link at the bottom of the home page. If that cost is made clear through “persistent” and highly visible warnings to consumers, then some (but not all) consumers may conclude that the price they are paying in terms of privacy sacrificed is too high. They may look for an alternative. And if the market responds by offering web services that are paid for with cash rather than with a disclosure of private information, some consumers may choose that option, and the “paid for” web service model may have increased viability.
Yesterday, Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.), Ranking Member Susan Collins (R-Maine), Commerce Committee Chairman Jay Rockefeller (D-W.Va.), and Select Intelligence Committee Chairman Dianne Feinstein (D-Calif.) introduced The Cybersecurity Act of 2012. The press release can be found here.
We are seeing an increasing number of attacks targeting government secrets, trade secrets, and other intellectual property rather than the traditional personal information used to fraudulently open credit card accounts. Law firms, for example, are a prime target for an attacker seeking to obtain the intellectual property of the firm’s clients in an effort to compete against them or to enter into business deals with leverage the criminals would not otherwise possess. And these attackers oftentimes have plans in place to effectively shut down the victim of the attack if they are discovered. The issues this proposed legislation is trying to address are real.
This is not a federal data breach statute, but rather an attempt to prepare our defense against cyber attacks that could cripple our ability to function. The Act uses the term “critical infrastructure” which relates to services like utilities, telecommunications, transportation, public health services, agriculture, banking, and security services. The proposed legislation speaks more in general terms of the private sector “providing input” and gaining participation of private entities in public-private partnerships. What will be key is how the baseline for compliance is defined. If the government is too aggressive initially, there will be a lack of buy-in from private companies. The government is going to need to work to gain the cooperation they are probably looking for from the private sector, and one of the ways to do that is to provide real incentives to those companies. What is being proposed offers certain immunity from punitive damages in lawsuits; however, perhaps it could go further in that regard and provide even more incentives and broader immunity from civil liability.
There will be concern about the extent to which a private company, or the government, will be able to monitor cybersecurity threats. However, there are many limitations in place under the current laws regarding a company’s ability to monitor its own information systems. Indeed, that is one of the challenges we face when responding to a data security incident which implicates employee personal information and personal email accounts—even when that information is on a network or computer owned by a company. Section 701 in the proposed legislation, however, is clear about requiring authorization from a third party a private entity may be monitoring. And any of this monitoring must be in the name of detecting “cybersecurity threats”. “Cyber risk” is defined in Section 101, and if a “cybersecurity threat” is a “cyber risk”, it means “any risk to information infrastructure . . . that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure”. Although the authority to monitor may seem broad, there must still be a significant risk of disruption posed to an essential component of the operations of systems we depend on to function—power, water, and transportation. That could still pose a burden on the company doing the monitoring to ensure that our privacy laws are not abrogated by this proposed legislation.
The Act as proposed does include an exemption to the Freedom of Information Act (FOIA) rules and I think you need that. Otherwise, no company is going to share the type of information being sought by the government to defend against these types of cybersecurity threats. The question remains how a private citizen is going to find out that the information being monitored went beyond an attempt to detect a cybersecurity threat—however, that challenge exists today under current laws because a company’s monitoring activities often go undetected.
Another concern that will likely be raised is that the government will be able to require compliance by a company by designating an entity as covered critical infrastructure. However, there are significant protections under the proposed legislation to limit the government’s ability to make such a designation. The unanswered question is how much the civil penalties are going to be for non-compliance once designated, and how tough the government will be when it comes to defining the level of security that needs to be in place to address a vulnerability. The government will still need to balance the cost to the covered entity to implement those security measures with the cost being passed along to consumers. In fact – with much of the country’s critical infrastructure privately owned – the government depends on the privately owned infrastructure to support its day-to-day operations. This would not be different during a cyber threat. The intent here seems to be, and should be, fine-tuning federal government and private entity coordination in preventing and responding to threats.
The proposed law should not present significant changes to companies that own infrastructure assets. By way of a presidential directive, policies and procedures have been in place since 1998—and updated in 2003—for preparedness and response to serious incidents that may affect the critical infrastructure here in the US. In fact, the federal government requires companies with infrastructure assets to: assess their vulnerabilities, plan to eliminate such vulnerabilities, develop systems to identify and prevent attacks, and contain any attacks in coordination with the Federal Emergency Management Agency (FEMA) in order to rebuild infrastructure capabilities.
Seven Senate Republican Ranking Members signed a letter expressing process and substance concerns and demanding hearings in their respective committees.
The Third Circuit recently affirmed a district court’s decision refusing to enjoin an amendment to the New Jersey Unclaimed Property Act (the “Act”) which requires issuers of stored value cards (“SVCs”) to obtain the name and address of purchasers of SVCs and to maintain a record of the zip code of each purchaser. New Jersey Retail Merchants Assoc. v. Sidamon-Eristoff, Nos. 10-4551, 10-4552, 10-4553, 10-4714, 10-4715, 10-4716, 11-1141, 11-1164 & 11-1170 (3d Cir. Jan. 5, 2012); Am. Express Travel Related Servs. Co. v. Sidamon-Eristoff, No. 10-4328 (3d Cir. Jan. 5, 2012). The case returns to the district court for further proceedings.
The Act is intended to ensure that an owner’s right to property is not forfeited by the passage of time and seeks to reunite customers with their property. In 2010, a series of amendments were made to the Act, 2010 N.J. Laws Chapter 25 (NJ A3002), addressing for the first time, SVCs (e.g. gift certificates, gift cards, etc.).
Under the Act, a "stored value card" is defined as any "record that evidences a promise, made for monetary or other consideration, by the issuer or seller of the record that the owner of the record will be provided, solely or a combination of, merchandise, services, or cash in the value shown in the record, which is pre-funded and the value of which is reduced upon each redemption. The term 'stored value card' includes, but is not limited to the following items: paper gift certificates, records that contain a microprocessor chip, magnetic stripe or other means for the storage of information, gift cards, electronic gift cards, rebate cards, stored-value cards or certificates, store cards, and similar records or cards."
The Act provides that SVCs are deemed to be abandoned after two years of inactivity, requiring issuers to transfer to the State the remaining value on the SVCs. Issuers of SVCs must obtain:
- name and address of the purchaser/owner of each SVC issued/sold; and
- at a minimum, maintain the record of the zip code of the purchaser/owner.
N.J. Stat. Ann. 46:30B-42.1c (2010) (Chapter 25, § 5c) (“data collection provision”). SVCs issued under a promotion program, customer loyalty program, charitable program or by a business selling $250,000 or less of SVCs in the prior year are exempt. (Per the State Treasurer until further notice, also exempt from the reporting requirements under the Act are "prepaid phone cards" and "prepaid calling cards" issued solely for the purpose of providing telephone call services. "Prepaid phone cards" do not include those cards issued by the telecommunications industry that are used for prepaid services and are redeemable for cash or merchandise).
Chapter 25, § 5c contains both a “data collection provision” and a “place-of-purchase presumption” provision – which provides that if an issuer does not have the name and address of the purchaser or owner of the SVC, the purchaser or owner assumes the address of the place where the SVC was purchased or issued – and if the SVC was purchased or issued in New Jersey, the address must be reported to the State.
Subsequent to Chapter 25’s enactment, SVC issuers, including the New Jersey Retail Merchants Association, New Jersey Food Council, and American Express Prepaid Card Management Corporation, in separate complaints, sought a preliminary injunction against the law – challenging the constitutionality of the law. Part of the litigation focused on the “place-of-purchase” presumption provision in Chapter 25, § 5c. The District Court, in a consolidated decision, enjoined, inter alia, the prospective enforcement of the “place-of-purchase presumption” under Chapter 25, § 5c. The District Court declined to prospectively enjoin the “data collection provision” included in Chapter 25, § 5c, holding that the provision was severable (separable into legally distinct obligations).
On January 5, 2012, the Third Circuit affirmed the lower court’s decision of enjoining the “place-of-purchase presumption” without enjoining the “data collection provision”, holding that the provisions in Chapter 25, § 5c are severable. Whether the New Jersey law will ultimately be enforceable remains to be seen. In the meantime, however, per the “data collection provision,” SVC issuers must obtain the name and address of the purchaser or owner of each SVC issued or sold in New Jersey, and maintain, at a minimum, a record of the zip code of the owner or purchaser. It is anticipated that the New Jersey Office of the State Treasurer will issue guidance on the data collection requirement.
Given that the information SVC issuers must obtain, and maintain, may constitute personal information under state data breach statutes, SVC issuers must have a policy and procedure for protecting the security of the information being collected and stored. For example, in New Jersey, a breach of security pertains to personal information that has not been secured by encryption, or by any other method or technology that renders the personal information unreadable or unusable. In addition, as an SVC issuer must only maintain the information collected for a two year period, SVC issuers should also institute a policy and procedure for destruction of such records.
In a significant development impacting the wider electronic health record (EHR) community, the HHS Office of Inspector General (OIG) on December 7 issued an Advisory Opinion (AO 11-18) approving an EHR vendor's proposed transaction fee structure for charging customers that use the vendor's new patient referral ordering system. Although the Advisory Opinion applies only to the specific requestors, the result is viewed favorably by both government and the EHR industry as an initial step in establishing market-based transaction charges for electronic transmission of health information under the nation's developing Health Information Technology (HIT) infrastructure.
Under the proposed arrangement, described as a cloud-based "Coordination Service," the EHR vendor's product would facilitate the electronic transmission of requests for referrals between so-called ordering (or referring) health professionals and receiving health professionals. These requests include a variety of supporting information in standardized format, such as insurance authorization, the ordering health professional's contact information and NPI (National Provider Identifier), the receiving health professional's contact information (where such professional has signed an agreement to participate in the Coordination Service, the professional is referred to as a trading partner) and, to the extent needed or available, certain necessary clinical information taken from the patient's EHR, as requested by the receiving health professional.
Three levels of fees are triggered by the service, namely a base transmission fee (capped at $1 per transaction), a functionality fee for recording information and attaching clinical information and a service fee for benefit eligibility and referral authorization. Ordering health professionals who subscribe to the Coordination Service would receive a discount of up to 35 percent off their current monthly EHR service fees. Receiving health professionals who sign a trading partner agreement (which entitles them to enhanced functionality and information) would be charged the transmission fee; otherwise the ordering health professional would be charged the transmission fee. Receiving health professionals that are trading partners also would be assessed the functionality fee and service fee (if applicable) (such services are not available if the receiving health professional is not a trading partner).
In the Advisory Opinion, the OIG stated that "the efficient exchange of health information between Health Professionals is a laudable goal" but that when "the [information] exchange takes place in the context of referrals, we must evaluate whether the means used to achieve that goal implicate the anti-kickback statute." First, the OIG found that the transmission fee, other related service fees and the discount from the EHR service fees offered to ordering health professionals, would not violate the anti-kickback statute because the fees were not offered or received in return for the referrals, nor for the right to be included in the EHR vendor's "network" of health professionals participating in the Coordination Service (which is open to any professional signing a trading partner agreement). Second, the OIG found that the three types of transaction fees were consistent with fair market value because they were unrelated to inducing the actual referrals and were determined in a manner that did not vary based on the value of the items or services that a receiving health professional might ultimately provide to federal healthcare program beneficiaries. Third, the transmission fee, charged on a "per-click" basis, was reasonable since it was charged on each transaction regardless of whether a patient actually received services from the receiving health professional.
The other fees were reasonable because they were related to the value-added services provided and were distinguishable from so-called "success fees" that are directly or indirectly tied to federal healthcare program payments. Further, the OIG concluded that the transaction fees would be unlikely to materially influence providers' referral decisions, were expressly intended to facilitate the permissible purpose of exchanging information and would not necessarily result in preferences in referrals by health professionals, which are based on a variety of other factors (although the added convenience and ease of information exchange was recognized as an advantage that trading partners would receive over nontrading partners).
Therefore, the OIG concluded that, in the absence of any requisite intent to pay for, or induce, the referral of federally reimbursed items and services, no penalties under the anti-kickback statute or civil monetary penalties law would be applied to the proposed arrangement.
As a result of the favorable outcome in this proposed arrangement, industry experts predict that the development of fair market value transaction fees for electronic information exchange under the growing variety of EHR systems will be significantly advanced.
Privacy class action litigation is hot in California and a new wave of lawsuits are being filed under California’s 2003 “Shine the Light” law, codified in Cal. Civ. Code Section 1798.83.
Personal information is broadly defined and includes:
- Name and address
- Email address
- Age or date of birth
- Names of children
- Email or other addresses of children
- Number of children
- The age or gender of children
- Telephone number
- Political party affiliation
- Medical condition
- Drugs, therapies, or medical products or equipment used
- The kind of product the customer purchased, leased, or rented
- Real property purchased, leased, or rented
- The kind of service provided
- Social security number
- Bank account number
- Credit card number
- Debit card number
- Bank or investment account, debit card, or credit card balance
- Payment history
- Information pertaining to the customer's creditworthiness, assets, income, or liabilities
Once per calendar year, a consumer has the right to request and receive within 30 days of the request, information about (1) how the consumer can exercise opt-in or opt-out rights or (2) the type of personal information shared for direct marketing purpose and with whom it was shared.
The FTC held its first ever workshop to explore the privacy and security implications of facial recognition technology on December 8. Facial detection (identifying certain traits from a person’s face, such as age and gender) and facial recognition (identifying a specific person) technology is no longer futuristic technology found only in movies like the Minority Report. Current uses include targeted advertising on billboards, tagging friends on social media sites, in mobile applications that report on the age and gender of a bar crowd, as well as assisting law enforcement in catching criminals.
Panelists at the workshop included government officials, consumer privacy advocates, academics, and facial recognition industry representatives. You can read transcripts of the four sessions here and the remarks of FTC Commissioner Julie Brill here. The panelists emphatically discussed the absence of applicable regulations and how to appropriately address the emerging uses of facial recognition technology. The questions included whether a faceprint should be treated as “personally identifiable information,” whether opt-in consent should be required for the use of facial recognition but only opt-out consent for facial detection, and how to address uses that may also trigger concerns under COPPA or HIPAA. In so doing, a clear consensus emerged that a higher order of scrutiny should apply to the use of facial recognition technology versus facial detection technology.
As with other emerging technologies, there was a debate as to whether the use of this technology should be addressed through new comprehensive privacy legislation or whether industry self-regulation would be sufficient. On the self-regulatory side, the digital signage industry has issued the “Digital Signage Standards” and “Recommended Code of Conduct for Consumer Tracking Research.” On the consumer privacy side, the Center for Democracy and Technology released a report in advance of the workshop that provided a summary of the technology, a description of existing commercial uses, and advocated for “a mix of government regulation, industry self-regulation, and privacy enhancing technologies.”
The FTC indicated that facial recognition issues will be addressed in the final FTC staff report on its recommended privacy framework. The final report, which is expected within weeks, follows the preliminary report issued by the FTC in December 2010.
In the wake of the recent breaches at Epsilon and Sony and the scrutiny Apple and Google are facing for their geolocation data tracking practices, there has been little media focus on the benefits of data collection and analysis. Indeed, most of the coverage has been trained on proposed legislation and new regulations that would restrict data collection practices. A research study released earlier in May 2011 by McKinsey Global Institute, however, suggests that utilization of “big data” could lead to billions of dollars in annual value in the private and public sectors.
The study, Big data: The next frontier for innovation, competition, and productivity, is a 156-page effort that looks at the proliferation of large datasets and finds that data can create “significant value for the world economy.” The sources of data include customer transactions, networked sensors and actuators (the so-called “Internet of Things”), social media sites, smartphones, PCs, and laptops. And after identifying the techniques and technologies used to capture and analyze big data, the study concludes that “[a]nalyzing large data sets—so called big data—will become a key basis of competition, underpinning new waves of productivity growth, innovation, and consumer surplus as long as the right policies and enablers are in place.”
The study cites examples of companies that have effectively used big data to create economic value through increased productivity and customer loyalty, including Tesco’s use of customer loyalty card data, Wal-Mart’s use of vendor-managed data to optimize its supply chain, and Amazon’s use of customer data to make “you may also like” recommendations. McKinsey looked at five domains—health care, retailing, the public sector, manufacturing, and personal location data. From this research, the study identified five ways to leverage big data: (1) Making big data more accessible in a timely manner; (2) Using data and experimentation to expose variability and improve performance; (3) Segmenting populations to customize actions; (4) Replacing and supporting human decision-making with automated algorithms; and (5) Innovating new business models, products, and services.
For the healthcare industry, after making certain assumptions (e.g. necessary IT investment, analytical capabilities, privacy protections, and economic incentives), the study predicts that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.” In the public sector, the study projects that the EU could use “big data levers” to increase productivity and efficiency that would result in administrative cost savings of up to $446 billion. In retail, “pioneers” are projected to have the ability to reduce operating margins by up to 60%. Similarly, the manufacturing sector could use big data to reduce costs and increase innovation. Lastly, the study projects that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.
In response to skeptics who suggest that the economic benefit of big data is still wishful thinking and that productivity gains driven by data analytics have peaked, the authors of the study suggest that economic statistics will not show productivity gains for a few years, similar to the delay in measuring the productivity gains from the use of computers.