FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breaches Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue. (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to identify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today, as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website and includes the following information:

  • the entity’s name
  • state
  • approximate number of affected individuals
  • date of breach
  • type of breach (e.g. theft, misdirected e-mail)
  • location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begins Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US Discovery

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute.  His crime was attempting to comply with a U.S. court order compelling production of documents.  See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding).  Examples of U.S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure”).

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employee’s e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum.  Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions, such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents held subject lines as “Essay 1”, “Essay 2”, and so on, which the firm discovered without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.  On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

Health care providers, health plans, clearinghouses and their business associates face a deadline for implementation of significant new compliance obligations.

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

New Requirements

Covered entities must now comply with most of the new privacy requirements introduced under HITECH including, among other requirements:

  • additional requirements regarding “minimum necessary” uses and disclosures of protected health information (PHI);
  • new limitations on uses and disclosures of PHI for marketing;
  • new individual rights related to electronic access to PHI maintained in an electronic health record; and
  • new individual rights allowing individuals the right to restrict their providers from sending PHI to the individuals’ health plan if the individuals pay in full for the product or service at issue.

Business associates also now face substantial new compliance obligations under HITECH. Prior to HITECH, business associates were not directly subject to HIPAA and were subject only to the contractual obligations imposed on them by covered entities through business associate agreements (BAAs). HITECH changes the regulatory landscape by imposing a direct statutory obligation on business associates to comply with the new privacy and security requirements. These include such things as:

  • compliance with the bulk of the HIPAA Security Rule requirements;
  • compliance with the new HITECH data breach provisions; and
  • compliance with the new individual rights provisions related to access to PHI and restrictions on certain disclosures of PHI.

BAA Challenges

HITECH further requires that the new privacy and security requirements “shall be incorporated” into BAAs. The amendment of BAAs has been one of the most troublesome and challenging issues for both covered entities and business associates. While some have hoped that HITECH “by law” amends existing BAAs (an argument that may raise constitutional issues given that private contracts and assets are at stake), most, if not all, have struggled with the decision whether to amend existing BAAs prior to the February 17, 2010 compliance date or rely upon a “transition period” that has been hinted at by the Department of Health and Human Services (HHS) and was provided in the Privacy Rule when compliance was required in 2003.

New Enforcement Framework

In addition to the new compliance challenges faced by covered entities and business associates under HITECH, several notable changes to HIPAA enforcement were also introduced under HITECH. Although many of the new enforcement provisions were effective upon enactment of HITECH (e.g., enforcement by state attorneys general, increased civil monetary penalties), several other enforcement provisions are now effective, including:

  • business associates are now subject to direct enforcement actions; and
  • covered entities and business associates are now subject to mandatory, periodic audits by HHS.

Beginning February 22, 2010, HHS also will begin enforcement of the new HITECH data breach regulations issued in September 2009.


Members of the Hogan & Hartson HIPAA Privacy practice are available to assist clients in working through these legal issues to implement compliance with HITECH efficiently and effectively—both before and after regulatory guidance is issued.


HHS Announces Workshop on HIPAA Privacy Rule's De-Identification Standard

The Department of Health and Human Services (“HHS”) announced that it will host an in-person workshop to address and collect stakeholders’ views regarding how to best implement the Privacy Rule’s current requirements for the de-identification of protected health information (“PHI”). The American Recovery and Reinvestment Act of 2009 (“ARRA”) requires HHS, in consultation with stakeholders, to issue guidance on methods for de-identifying PHI. The workshop, which will consist of multiple panel sessions, is open to the public and will be held on March 8-9 in Washington, DC. Following the workshop, HHS will synthesize the input it receives from the workshop and general comments, and issue guidance on its Web site for public comment.

The deadline to register for the workshop is March 1, 2010. Additional details about the workshop can be found on HHS’ Health Information Privacy Web site.

European Commission Updates Model Clauses for International Data Transfers

International transfers of personal data are heavily restricted under EU data protection rules. As a general rule, transfers from an EU/EEA Member State to recipients in countries outside the EU/EEA are only permitted if the laws of the recipient country ensure an adequate level of data protection. There are only limited exceptions to this rule. For instance, organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection if they have entered into a data transfer agreement using one of the sets of EU-approved standard contractual clauses. Up to now, the European Commission has approved three sets of contractual clauses: two of these sets apply to transfers from data controllers to other data controllers, while the third set has been drafted for transfers from data controllers to recipients who act as data processors only. In EU privacy parlance, if organizations hold or process personal data without taking responsibility for or control over the data (e.g., payroll service providers), they are viewed as “processors”.

On February 5th, the European Commission decided to modify the standard contractual clauses for “controller to processor” transfers of personal data, repealing the original decision (Decision 2002/87/EU) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing.  As more and more organizations are not only transferring personal data to a “processor” but also to one or more “sub-processors” (and sometimes “sub-sub-processors”) outside the EU/EEA, the original standard contractual clauses were no longer suitable to deal with these complex onward transfers.

So what’s new about the updated set of standard contractual clauses?  The most important novelty is the inclusion of a specific subcontracting clause, which imposes a number of requirements on parties wishing to use sub-processors. Sub-processing will, for example, require the prior written consent of the data controller, while the data processor must put in place a written agreement with each sub-processor that mirrors the terms of the “controller to processor” agreement. In some cases it may be possible to meet this requirement by having the sub-processor co-sign the data transfer agreement between the controller and processor including the standard contractual clauses.


FINRA Issues Guidance on Social Networking Sites

The Hogan & Hartson privacy lawyers are counseling clients on the use of social media, as the legal risks are significant -- especially if employees use the shield of anonymity to protect their privacy but make representations on behalf of their employers without disclosing their affiliation.  The FTC and FDA recently have focused on social media.  And on January 25, the Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued Regulatory Notice 10-6, which gives guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public.

The unique nature of social networking sites and the speed and fluidity with which communications can be made to the public have presented challenges in the implementation of existing FINRA rules.  Some recommendations made in the guidance include:

  • Supervising interactive communications made through social networking sites in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules or other securities laws, and instituting policies and procedures for this supervision
  • Instituting a policy prohibiting business communications by employees through social networking sites that are not subject to the company's supervision
  • Requiring employees posting content to social networking sites to undergo training
  • Establishing appropriate usage guidelines for customers and other third parties that are permitted to post on company-sponsored web sites
  • Adopting disclaimers to help ensure that third-party content posted to blogs or social networking sites is not attributed to the company
  • Monitoring third-party posts to mitigate the perception that the company is adopting the content of the post or to assist compliance with the "Good Samaritan" safe harbor for blocking and screening offensive material under Section 230 of the Communications Decency Act.

While FINRA exercises oversight of the securities industry, the recommendations in Notice 10-6 are good advice for any business that is considering communicating or marketing with consumers through social media, whether hosted by the company or on a third-party social networking site such as MySpace or Twitter.  In addition to the recommendations listed here, businesses seeking to enter the social networking space should also institute policies that ensure that their representatives don't deceive consumers and that the content posted complies with all applicable laws and regulations, such as defamation and intellectual property laws.

The fact that FINRA is looking into this issue -- in September 2009, FINRA organized a Social Networking Task Force from which these guidelines were generated -- highlights the importance of social networking as a marketing tool, along with the accompanying risks.  Other industries are also considering these issues; for example, in November 2009 the FDA held a well-attended public hearing about the use of social media as a marketing tool for FDA-regulated entities.  For more information about legal risks that can arise through business use of social networking sites and how to address these risks, check out Hogan & Hartson's recent guidance on the topic.