As expected, 2010 saw an unprecedented increase in the prominence of privacy and data security concerns, affecting companies of all types and sizes. This trend appears likely to continue in 2011 and beyond. With major legislation being readied in Congress, multiple federal agencies working toward expanding privacy regulations, and many states emphasizing privacy and data security as a top priority on their regulatory enforcement agendas, 2011 promises to be another active year for privacy law in the U.S.
Following is a synopsis of some of the most buzzworthy news items from late 2010, and issues to be aware of in 2011, in each of the five subject matters covered by the multi-disciplinary team that comprises Sullivan & Worcester LLP’s Privacy & Data Security practice group. We are, of course, available anytime to answer your questions regarding compliance with the ever-expanding body of privacy and data security laws. Please contact the S&W attorney with whom you normally work, or any of the Privacy & Data Security group members listed on this Advisory.
PRIVACY OF CONSUMER INFORMATION AND COMPLIANT MARKETING PRACTICES
Companies that may be subject to new privacy rules for consumer, employee, and other personal information, which are expected to be adopted in the first half of 2011, should consider filing comments on recommendations contained in the reports recently issued by the Federal Trade Commission ("FTC") and the Department of Commerce ("Commerce") as discussed in our Courtesy Update dated January 10, 2011. Comments on the Commerce report are due January 28, 2011 and comments on the FTC report are due February 18, 2011 (the FTC announced an 18-day deadline extension on January 24, 2011). The FTC is proposing major changes to its existing regulatory framework to accommodate the rapidly-changing privacy/technology landscape, focusing on three components: privacy by design; simplified choice for consumers; and greater transparency regarding data collection. One of the most controversial elements of the FTC Report is its recommendation that a "Do Not Track" mechanism akin to the FTC’s successful "Do Not Call" list be implemented to limit online data collection and targeted advertising. Commerce recommends establishing a baseline set of privacy requirements (a so-called "Privacy Bill of Rights") through recognition of the "Fair Information Practice Principles," which would help fill gaps where certain businesses are not subject to one of the existing, sector-specific privacy laws. Commerce also recommends a federal data breach notification law.
The 112th Congress convened on January 5, 2011, and enacting new federal privacy legislation is high on the agenda. Among the bills expected to be introduced shortly is an amended version of Rep. Bobby Rush’s BEST PRACTICES Act (“Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguard Act”), which was originally introduced in 2010. The original version proposed a bevy of new regulations to be administered by the FTC, with penalties for noncompliance reaching $5 million, and a limited private right of action. The regulations would require businesses to obtain express affirmative opt-in consent before collecting, using, or disclosing “sensitive information,” including information concerning medical history, race or ethnicity, religious beliefs and affiliation, sexual orientation or sexual behavior, financial information, precise geolocational information (and any information about the individual’s activities and relationships associated with such geolocation), unique biometric data, and social security numbers. Also highly anticipated are privacy bills expected to be introduced shortly by Sen. John Kerry (D-Mass.) and Rep. Cliff Stearns (R-Fla.). The FTC and Commerce reports are likely to spawn additional federal privacy legislation. In addition, a coalition of interests is pressing for reform of the federal Electronic Communications Privacy Act, which currently provides less protection for data stored in the cloud than for data stored on personal computers.
On December 23, 2010, a class action suit was filed in California federal court against Apple and others, based on alleged violations of the Electronic Communications Privacy Act and other privacy and computer fraud laws. The suit was filed less than a week after a Wall Street Journal article highlighted privacy issues concerning the transmission of personal information based on a study of certain mobile apps available on Apple devices. The suit alleged that despite Apple’s claims to have created “strong privacy protections” for its customers, some applications available on Apple devices transmit personal information to advertising networks without obtaining prior consent of consumers. It was alleged that each Apple iPhone is encoded with an electronically readable Unique Device Identifier “which cannot be blocked, altered, or deleted (and) is now being used by ad networks to track Plaintiffs and the Class – including what apps they download, how frequently they use the apps, and for how long. Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views.” Apple’s co-Defendants include Pandora, Dictionary.com, The Weather Channel and Backflip Studios (maker of the popular “Paper Toss” app).
In what might trigger an interesting U.S. Supreme Court case, the Supreme Court of California recently upheld, in People v. Diaz, a warrantless search of a cell phone in the possession of a person arrested for being a coconspirator in the sale of drugs. The search, conducted 90 minutes after a lawful arrest, revealed a text message connecting the arrestee to the sale of ecstasy. In its decision released January 3, 2011, the Supreme Court of California relied on U.S. Supreme Court precedent from the 1970s upholding searches “incident to lawful arrest” involving cigarette packages and clothing. But the search of a cell phone raises significantly more serious privacy concerns than the items involved in those landmark U.S. Supreme Court cases, considering the large amount of highly sensitive personal information that can be stored on a cell phone. The Ohio Supreme Court reached the opposite result in December 2009, holding in a 4-3 decision that a warrantless search of the contents of a suspect’s cell phone is a Fourth Amendment violation. Because of the split between the two states, it is more likely that the U.S. Supreme Court will now consider this issue (the U.S. Supreme Court denied review of the Ohio case last year).
In a December 14, 2010 decision, the United States Court of Appeals for the Sixth Circuit held in United States v. Warshak that an internet subscriber enjoys a reasonable expectation of privacy in his emails vis-à-vis a commercial internet service provider (“ISP”). The court held that a warrant based on probable cause is required to compel an ISP to turn over the contents of a subscriber’s emails. The court stated that emails must be afforded similar protection to other forms of communication such as telephone calls and postal mail. “Given the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection,” the court wrote.
Also on December 14, 2010, a federal court in Virginia issued an order requiring Twitter to turn over subscriber account information for persons associated with Wikileaks, in connection with an ongoing criminal investigation into leaks of classified information. In an ironic twist, the confidential court order was leaked to the website Salon.com.
PRIVACY OF HEALTH INFORMATION
A study released by the Ponemon Institute on November 9, 2010 indicated that, despite efforts to protect patient data through the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and other measures, attention to privacy compliance and protective safeguards in the healthcare sector remains woefully inadequate. While the average economic impact of a data breach is approximately $2 million per organization, and the total economic burden created by data breaches on U.S. hospitals has reached nearly $12 billion, respondents to the study indicated that the practices of many healthcare organizations are not changing. Seventy percent of hospitals reported that protecting patient data is “not a top priority,” and 69 percent reported that there are insufficient policies and procedures in place to prevent and quickly detect patient data loss.
On December 20, 2010, the U.S. Department of Health and Human Services (HHS) regulatory agenda was published in the Federal Register, indicating that the final rule implementing modifications to HIPAA and the HITECH Act will be issued in March 2011. The most significant change proposed is the application of HIPAA directly to business associates (companies handling patient records in connection with providing services to the healthcare industry) and their subcontractors. For business associates that were not previously considered “covered entities” under HIPAA, this change would impose far more extensive and costly privacy, security and breach notification requirements than before.
A 144-page complaint was filed on November 23, 2011, by four privacy groups requesting that the FTC investigate the online marketing practices of pharmaceutical companies. The Center for Digital Democracy, U.S. Public Interest Research Groups, Consumer Watchdog, and the World Privacy Forum asked the FTC to examine the “largely stealth interactive medical marketing apparatus that has unleashed an arsenal of techniques designed to promote the use of specific brand drugs and influence consumers about treatments for health conditions.” The groups allege that companies such as Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL and others engage in online profiling and behavioral tracking, collecting personal information from users without their knowledge and matching the information with additional data gathered online (such as the types of websites visited and searches conducted by individual users), to deliver targeted pharmaceutical marketing to those customers. Copies of the complaint also were sent to the FDA and members of Congress.
In a brief filed December 13, 2010, the State of Vermont petitioned the U.S. Supreme Court to review a Second Circuit Court of Appeals decision that struck down Vermont’s Prescription Confidentiality Law. The law required prior consent before prescriber information linking prescribers to prescriptions for particular drugs could be sold or used for marketing. The Second Circuit held that Vermont’s law violated the right to commercial speech under the First Amendment. Two recent decisions of the First Circuit examining similar laws, however, held the opposite. The State of Vermont asked the Supreme Court to provide guidance to resolve the differences among lower courts and promote consistency among the states, citing 26 other states considering proposed prescription confidentiality laws. The Supreme Court granted the Petition on Jan. 7, and will hear the case, Sorrell v. IMS Health, this spring.
Courtesy Reminder: The annual deadline for HIPAA covered entities to report breaches affecting fewer than 500 individuals to HHS is March 1, 2011. Breach notifications can be submitted to HHS electronically. Breaches affecting more than 500 individuals must be reported to HHS without unreasonable delay and no later than 60 days after the date on which they are discovered.
PRIVACY OF FINANCIAL INFORMATION
As we reported last month in a Client Advisory, Congress passed the “Red Flag Program Clarification Act of 2010” (“RFPCA”) on December 7, 2010, providing much-needed clarifications on the applicability of the onerous requirements of the FTC’s Red Flags Rule (“Rule”). The Rule requires “creditors” and “financial institutions” to have a written Identity Theft Prevention Program in place. Most notably, the RFPCA clarified the definition of “creditor,” exempting those in certain professions ― such as lawyers, dentists, doctors, veterinarians and accountants ― who do not otherwise fall under the amended definition. President Barack Obama signed the RFPCA into law on December 18, 2010 and, after multiple delays, enforcement of the Red Flags Rule in its amended form is now in effect.
On October 28, 2010, the PCI Security Standards Council released Version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS), which went into effect January 1, 2011. Version 2.0 does not include any major changes, but provides clarifications of the meaning of certain requirements. Some of the minor changes were implemented to assist small merchants, simplifying their compliance efforts by accommodating their unique environments. Organizations are now permitted to adopt a risk-based approach when assessing and prioritizing vulnerabilities, based on their specific business circumstances.
After a one-year grace period in the enforcement of new IRS “e-file” security, privacy, and business standards, enforcement of the standards began on January 1, 2011, supplementing the Gramm-Leach-Bliley Act requirements applicable to providers of online filing services for individual income tax returns. The new standards impose enhanced encryption, authentication and other privacy and security safeguards designed to protect the sensitive financial information collected, processed and stored by such online providers.
An S&W Advisory released on January 6, 2011, highlighted SEC rules that may require reporting companies to note data privacy and security risks in SEC filings. As discussed in the Advisory, reviews of risk disclosures in recent SEC filings suggest that many companies may be unaware of new data privacy laws that could impact their business, or may not yet appreciate the potentially material business and financial risks involved in the collection and maintenance of certain data.
One of the biggest challenges presented by the rise in the popularity of social media is its impact on the work lives of those maintaining online profiles. While social media offers tremendous benefits for companies and their employees, there are also significant risks involved, as misuse of such platforms and/or poor common sense can lead to serious consequences. Many companies have developed and are regularly revising social media policies to reflect these challenges. In November, the American Medical Association (“AMA”) adopted its own social media policy for its members, recognizing the importance of preserving ethical doctor/patient relationships. The AMA recommends separating personal and professional content wherever possible, but, to the extent that interaction with patients exists, maintaining appropriate boundaries in accordance with professional ethical guidelines.
Included within S&W’s 2010 Employment Law Wrap-Up Advisory was an item of considerable interest to those concerned with workplace privacy. The Advisory provided tips on compliance with Massachusetts’ recently amended personnel records statute, which now requires employers to notify an employee within ten days of placing “any information” in the employee’s personnel record that is, has been, or may be used “to negatively affect the employee’s qualification for employment, promotion, transfer, additional compensation or the possibility that the employee will be subject to disciplinary action.” As discussed in the Advisory, this requirement further confuses a statute which already lacked clarity. The Advisory provides some practical tips to consider while awaiting more formal guidance.
A recent incident in Illinois served as a reminder that, oftentimes, the biggest threat to data security lies within an organization. A former employee of the Federal Student Aid (FSA) Division of the Department of Education pleaded guilty on December 14, 2010 to illegally accessing confidential student loan files. The defendant accessed the National Student Loan Database System (NSLDS), which contained confidential federal student loan records including sensitive financial information, social security numbers, loan balances and more. She admitted that between April 2006 and May 2009, she repeatedly searched for and viewed the confidential student loan records of several hundred people, including musicians, actors, family members, friends and other individuals. She had no official government purpose for accessing the records, doing so purely out of idle curiosity. She will be sentenced on February 22, 2011.
BREACH MANAGEMENT AND LITIGATION
A symbolic watershed moment occurred in 2010 when, for the first time ever, reported thefts of information and electronic data surpassed the theft of physical property worldwide, according to Kroll’s fourth annual Global Fraud Report. The amount of electronic data stolen rose by half, with more than 27 percent of 801 companies surveyed reporting data losses, up from 18 percent last year. The sharpest increase in incidents occurred within the financial services industry (42 percent reporting information loss or attacks), up from 24 percent last year. More than one-third (37 percent) of technology, media, and telecommunications companies reported at least one incident, up from 29 percent in 2009.
The report highlighted an alarming trend in North America, specifically. While North American fraud levels rose from 22 percent to 32 percent in 2010 (the survey average was 27 percent), only 34 percent of the survey respondents considered themselves “moderately to highly vulnerable to information theft,” and investment in IT security measures in North America actually declined from 2009 levels. The primary fraud tactics employed in North America, according to the survey, were phishing (cited by 26 percent of the respondents) and increased use of technology (19 percent).
Honda Motor Co. recently experienced a massive data breach, warning approximately 2.2 million customers that an email database containing its customers’ personal information was stolen. Honda is reportedly the most recent victim tied to the same email marketing firm whose data was breached in thefts of consumer information from McDonald’s and DeviantART. The exposed list contained the names, login names, email addresses and vehicle identification numbers of the Honda owners. Honda sent each affected customer a letter reporting the breach and posted a web notice announcing that law enforcement authorities were contacted and an investigation was in process. Honda warned its customers to be wary of unsolicited emails requesting personal data.
Lost and stolen laptops continue to be one of the top sources of data breaches. A Ponemon Institute study sponsored by Intel, released on September 30, 2010, revealed that in a 12-month period, 329 U.S. companies reported a total of 86,455 laptops lost or missing, representing a total economic value of $2.2 billion. A study conducted by the Ponemon Institute in 2009 indicated that the average cost to businesses of a single lost laptop is $49,246. The study concluded that more than 7 percent of all work-assigned laptops will be lost or stolen sometime during their useful life. The most frequent locations where laptops are lost or stolen are off-site locations such as hotel rooms or homes (43 percent) or in transit (33 percent).
The credit card information of 110,000 CitySights NY customers was breached last fall, when a SQL injection attack on a CitySights web server gave hackers access to the company’s customer list. According to CitySights’ breach notification letter to the New Hampshire Attorney General’s Office sent December 9, 2010, the exposed database contained unencrypted customer information including names, addresses, email addresses, credit card numbers, card expiration dates, and CVV2 (card verification value) data. An article by Threatpost speculated that because the breach affected the personal information of 1,800 Massachusetts residents, it could set the stage for enforcement of what is considered the nation’s strictest state data protection regulation, 201 CMR 17.00, which went into effect March 1, 2010.