North Carolina and Montana Data Breach Statutes Amendments Now in Effect

Recently enacted amendments to the Montana and North Carolina data breach notification statutes go into effect today, October 1, 2009.

  • North Carolina. The amendment to North Carolina's statute tightens the state's notification requirements for smaller breaches. Under the amended law, businesses and public agencies must notify the state attorney general every time a resident is notified. Prior to the amendment, notification to the state attorney general was required only if the breach affected more than 1,000 state residents. In addition, the amendment expands the required contents of any notice to residents.
  • Montana. The amendment to Montana's data breach statute extends the state's private-sector breach notification requirements to public-sector entities. State agencies that maintain computerized data containing personal information must make "reasonable efforts" to notify any person whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition, the amended law requires state agencies to develop procedures to protect Social Security numbers.

The amendments to the Montana and North Carolina laws exemplify the growing number of states strengthening their data breach notification laws. Additional states are likely to join the trend, so a compliance program will need to monitor amendments on an ongoing basis.

FTC Breach Notification Rule Is Now in Effect

The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009.

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records ("PHR vendors"), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definitions of PHR vendor and PHR-related entity and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies the timing, method and content of that notification. Of particular importance, for any breach involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches may be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

Recently Introduced Federal Legislation May Expand Regulation of Data Brokers

The Personal Data Privacy and Security Act ("PDPSA"), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services. While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA which is limited to information used in consumer reports. 


DHS Issues New Directives Regarding Warrantless Border Searches of Electronic Devices

The Department of Homeland Security (DHS) has released new directives regarding government searches of electronic and digital devices at the U.S. border, including computers, disks, drives, tapes, mobile phones, cameras, and music and other media players. The directives consist of guidelines for U.S. Immigration and Customs Enforcement (ICE), dated August 18, and for U.S. Customs and Border Protection (CBP), dated August 20, and modify policies issued by CBP and ICE in July of 2008 under President Bush. In addition, DHS released a Privacy Impact Assessment regarding these directives "to enhance public understanding of the authorities, policies, procedures, and privacy controls related to these searches."


Two Hogan & Hartson Advisories on the Use of Social Media

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog". Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites. But times have changed from when anonymity meant there were no obvious consequences to online conduct. The use of social media is proliferating and much in the news, and the legal issues are proliferating with it.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.

Draft Federal Legislation May Bring Changes to Data Breach Practices

On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act ("PDPSA"), which has been referred to the Senate Judiciary Committee. The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama. Among the provisions of the proposed law are a mandate to adopt and maintain a comprehensive information security program, a national data breach notification law, and regulation of data broker services. Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points. Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends.


HHS Breach Notification Rule Goes into Effect Today

The breach notification rule issued by the Department of Health and Human Services ("HHS") goes into effect on Wednesday, September 23, 2009.

HHS' interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual's protected health information ("PHI"). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance. Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached, or if one of a few other narrow exceptions applies, such as certain internal disclosures or breaches involving only limited health information.

While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010 in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.

Amendment to French HADOPI "three strikes" law adopted by parliament

This past June France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off. On June 10th, the French Constitutional Court found a portion of the law unconstitutional. Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests. Because the HADOPI law gave Internet access termination power to an administrative agency, the court held that grant of authority unconstitutional. Further background on this decision can be found in our update on the HADOPI law and the French Constitutional Court's decision.

On September 22, 2009, the French parliament passed a bill intended to remedy the enforcement gap left by the court's decision. This bill, known as HADOPI 2, gives French courts, instead of the HADOPI administrative agency, the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing.  If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time.  If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.


Tips on Dealing with the Aftermath of a Data Breach

Data security breaches remain a major risk for any company or entity that handles personal information.  The costs of a breach and harm to reputation can be significant.

At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach. I was fortunate to have an expert panel -- Chris Cwalina, Vice President, Associate General Counsel, Intersections Inc. and Carol DiBattiste, SVP Privacy, Security, Compliance and Government Affairs, LexisNexis Group. You can view a copy of our PowerPoint presentation.

There is useful information in the slide deck, including a survey of the current legislative landscape -- note the analysis of the currently pending H.R. 2221 and a review of recent state laws -- as well as some points on the ways the requirements of breach notification laws vary from state to state.

Fundamentally, you will find helpful tips on what to do in the aftermath of a breach, and how to take steps in advance of a breach to minimize the risks.

The session in Boston concluded with a recommendation that companies conduct an assessment of how they are collecting, using, sharing, storing, securing, and disposing of personal data -- for only by understanding how data is handled can the risk of a breach (and its expensive effects) truly be avoided.  Hogan & Hartson regularly conducts such risk management assessments for our clients, which often results in recommendations on how to close the "gaps" -- how to improve policies, practices, training and auditing.

On-line and In the Mix

By Lynda Marshall, Chris Wolf, Marcy Wilder and Tracy Gray

Hello and welcome to the Hogan & Hartson Chronicle of Data Protection.   

We are delighted to introduce you to our privacy blog. Our goal is to use this blog to bring you timely updates on a wide range of issues in the privacy arena, including the evolving role of privacy and data protection in health law and policy, security safeguards, international compliance and e-commerce. The practical implications of changing privacy regulations affect us all, both as professionals and personally, and we hope this blog will serve as a key source of information for you in navigating this ever-changing field.

We also hope you will have the chance to catch some of Hogan & Hartson's privacy team at the IAPP Privacy Academy in Boston, September 16 - 18th. H&H attorneys will be on the following panels:

  • Data Retention - the Monster in the Servers, September 17th at 2:15, featuring Chris Zaetta, Hogan & Hartson, and Andy Holleman, Chief Privacy Officer and Associate General Counsel, Qwest Communications
  • In to the Breach - Dealing with the Aftermath of a Data Breach, September 18th at 11 AM, featuring Christopher Wolf, Hogan & Hartson, Chris Cwalina, Vice President and Associate General Counsel, Intersections, Inc., and Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance and Government Affairs, LexisNexis Group
  • Pie in the Sky - Looking at a Cloud Contract at Ground Level, September 18th at 11 AM, featuring Zenas Choi, Hogan & Hartson, and Geff Brown, Senior Attorney,  Law and Corporate Affairs, Microsoft Corporation

Thanks for joining us, and we look forward to being a helpful guide in the world of privacy.

Hogan & Hartson's Marcy Wilder to Present on HITECH's Impact on Business Associate Agreements with Healthcare Providers

Hogan & Hartson's Marcy Wilder will be presenting on "HITECH's Impact on Business Associate Agreements with Healthcare Providers: Complying With New HIPAA Requirements and Preparing for Tougher Enforcement" in a CLE Teleconference on Thursday, September 24, 2009, at 1pm EDT.

The Health Information Technology for Economic and Clinical Health Act (HITECH) dramatically expands the scope and application of the HIPAA Privacy and Security Rules. These changes have the greatest impact on business associates and on the agreements that providers reach with them. For the first time, business associates will be directly subject to many of the HIPAA rules. To ensure compliance with the new requirements, counsel to healthcare providers and business associates must examine the implications of HITECH for all existing and future agreements. This program will examine the new HITECH requirements as they relate to business associates and business associate agreements, discuss how to evaluate existing agreements, and offer best practices for developing and negotiating new agreements.

FTC to Host Public Discussions on the Future of Privacy

The Federal Trade Commission has just announced that it will host a series of day-long public roundtable discussions on the East and West Coasts "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data."  The first roundtable discussion will occur on December 7th at the FTC Conference Center in Washington.

It has been widely reported that the FTC is examining new ways to think about privacy, and these discussions will further that examination.

As the Commission explained the focus of the first roundtable:

Such [technology and business] practices [to be examined] include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The initial questions the FTC has presented for comment at the first workshop are:

  1. What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information?  For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
     
  2. Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations?  How determinative should consumer expectations be in developing policies about privacy?
     
  3. Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?

The FTC has explained that individuals and organizations may submit requests to participate as panelists in the December discussion, and may recommend topics for inclusion on the agenda. Requests and recommendations should be directed to privacyroundtable@ftc.gov. More details can be found here.

Maine Law to Protect Kids from Predatory Marketing Effectively On Hold

When the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation.

A host of businesses and colleges are hoping that old adage has no relevance when it comes to new laws to protect kids online. Maine's "Act To Prevent Predatory Marketing Practices Against Minors," effective September 12, 2009, was the source of major controversy and litigation over the Summer because of the law's extreme overbreadth. See, e.g., "Child-Proofing Your Ads: New Maine Law Restricts Marketing to Minors", National Law Journal (August 4, 2009).

A lawsuit brought to enjoin the law from going into effect resulted in the plaintiffs and Maine's Attorney General agreeing that the law could violate the First Amendment to the United States Constitution because of its overbreadth. U.S. District Judge John A. Woodcock dismissed the lawsuit without prejudice, observing that "[t]he Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications ... and accordingly has committed not to enforce it." The Order goes on to say that any private suits brought under the law "could suffer from the same constitutional infirmities." Thus, most observers believe that businesses run little risk from non-compliance with the law in light of the Judge's observations, even though those observations are dicta.

Even the sponsor of  the law now recognizes that it has problems, but according to press reports blames that on the fact that no one raised any issues during the public hearings on the legislation leading to the law. The law is expected to be revised when the Maine legislature reconvenes in January 2010.

It was over the course of the Summer when Maine’s leaders came to recognize that the hastily-passed law, although bearing a laudable pro-kids/anti-predation title, may not have been exactly what they thought it was. The closer look prompted serious second thoughts and the lawsuit that effectively stays enforcement of the law.

  • To start with, the Maine law goes well beyond predatory practices because it covers all marketing to people under 18 in Maine, whether you know they are under 18 or not. And it greatly exceeds the scope of the federal Children's Online Privacy Protection Act of 1998 ("COPPA").
    • On a national level, COPPA requires web site operators to obtain verifiable parental consent before collecting personal information online from children. While COPPA applies to children under 13 years old, the Maine law covers anyone under age 18 and makes no distinction between information collected online and offline; it all is covered, whether the business has a commercial web site or not. And unlike COPPA, which does not provide for a private cause of action, the Maine law allows individuals to bring civil suits and to seek punitive damages, equitable relief and attorney costs.
  • Section 9552 of the Maine law prohibits knowingly collecting or receiving "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent." It also prohibits selling, offering to sell or otherwise transferring to another "health-related information or personal information about a minor."
  • Section 9553 flatly prohibits using health-related or personal information about a minor for "marketing a product or service to that minor or promoting any course of action for the minor relating to a product." There is no parental consent exception. So, while businesses may be able to collect, receive and sell a minor's information as long as there is verifiable parental consent, they may not use that information to market to the minor, regardless of whether parental consent was obtained before the data was collected.

Like many state privacy laws, the coverage of the law extends to anyone, wherever located, who collects information from state residents. Thus, businesses nationwide are covered. And those businesses appear to be prohibited from sending to those under 18 in Maine any marketing information, even materials requested by Maine kids such as college information and volunteer service brochures. No provision is made in the law for non-profit or educational institutions. And, again, notably, the law does not require knowledge that the person to whom marketing information is sent is under 18, making compliance even more difficult.

At web sites where kids have signed up legally, the sites are banned from communicating with those people if there is a marketing message, even where there is a bona fide request for information.  

And so, businesses of all types would have a hard time figuring out how to exclude Maine's minors from their marketing efforts without thwarting their legal right to send information to people in the 49 other states, DC and the territories. That is why the lawsuit seeking an injunction against the law going into effect was brought. The judge's order avoided an injunction against the State but made it clear that the law had constitutional deficiencies.

States often are heralded as incubators of our nation’s privacy laws, but in Maine, the “baby” may not be exactly what the parents expected.