First Quarter 2010

In This Issue:

I. Consumer and Online Privacy
   A. Social Network Application Creator Faces Class Action for Alleged Privacy Violations

II. Liability Shields and Content Protection

III. Online Contracts
   A. New CA Law for Negative Option, Automatic Renewal and Continuity Programs

IV. Data Breach and Data Security

V. Financial Privacy

VI. Workplace Privacy

VII. Healthcare Privacy

VIII. International Privacy Issues


Liisa Thomas will be speaking at the Canadian Institute’s Advertising and Marketing Law Conference on recent developments in U.S. Advertising Laws. The conference will be at the Hotel Mont-Royal in Montreal on March 25-26, 2010. For more information and to register, visit http://www.winston.com/index.cfm?contentID=32&itemID=2530.

I. Consumer and Online Privacy

A. Social Network Application Creator Faces Class Action for Alleged Privacy Violations

In a recent lawsuit filed in California against RockYou Inc., it is alleged that the company, makers of applications meant to be run on social networking websites, failed to take adequate steps to protect consumers’ personally identifiable information, in violation of California unfair competition laws. RockYou’s applications run on social network sites like Facebook and MySpace, and allow users to share photos, play games, and the like. If a RockYou application is used, paid advertisements are displayed. In order to use a RockYou application, users were required to register at the RockYou website. According to the complaint, RockYou failed to keep the users’ passwords and usernames in an encrypted file, making them vulnerable to “reasonably foreseeable” hacker attacks. And, according to the complaint, such attacks did occur, and RockYou was aware that problems with its security had occurred. The complaint also alleged that RockYou violated data breach notification laws, inasmuch as it failed to notify users of the security problems in a timely fashion, and those security problems left users at risk for identity theft. In particular, since many people use their e-mail address as a user name, in combination with a password that is shared across multiple accounts, a hacker who obtained the information from RockYou could then potentially break into the user’s e-mail account (which might use the same password). The case is currently pending.

TIP: This case reminds us to examine what types of data we consider to be sufficiently “sensitive” to merit strong protections. In particular, if you do not do so already, when allowing users to register at your site, consider using sufficient measures to protect usernames and passwords against hacker attack. Failure to do so might be seen as an “unfair practice” giving rise to a state – or federal – cause of action.


B. Netflix Sued for Releasing Customer Rental History

A putative class of some 500,000 Netflix subscribers filed a complaint against Netflix in the Northern District of California alleging that Netflix failed to live up to privacy protection promises it made in its posted privacy policy, and that it violated the federal Video Privacy Protection Act, 18 U.S.C. § 2710, and California consumer protection statutes. According to the complaint, Netflix gave researchers customer video rental and rating data for 480,000 subscribers as part of a contest for researchers. The researchers were offered the chance to win up to $1 million if they could create new algorithms to improve Netflix’s ability to provide rental recommendations. Although Netflix did not list subscribers by name, and used other anonymization techniques, the complaint alleged that these steps could be easily circumvented to mine the data sets to identify individuals. The complaint also alleged that even after Netflix became aware that the data could be de-anonymized, including through a research paper published by one of the researchers only 16 days after Netflix launched the contest, Netflix announced its intention to run a second contest with similar data.

TIP: Companies should use caution when releasing customer information to third parties, especially when doing so as part of a publicly promoted program.


C. BCBS Ordered to Pay $95,000 Settlement for Do-Not-Call Violations

Blue Cross and Blue Shield of North Carolina recently settled with the North Carolina Attorney General regarding the AG’s allegations that BCBS violated state law when it obtained North Carolina residents’ contact information from a registered voter database and contacted residents using auto-dialing technology and pre-recorded messages in connection with a campaign to raise public awareness regarding the health care debate. Under state law, the use of automatic dialing technology and pre-recorded messages to make unsolicited calls to state residents’ personal phone numbers is prohibited. The settlement agreement requires BCBS to pay $95,000 and to comply with state telemarketing laws, including by establishing and implementing written policies to ensure compliance with those laws.

TIP: In addition to federal laws and regulations regarding unsolicited telephone calls made to consumers, the majority of states have similar if not more restrictive laws concerning such calls. Companies looking to make unsolicited calls to consumers, whether for marketing or sales purposes or for other purposes, should ensure that they are in compliance with both state and federal law.


D. Free Speech Defense Against Right of Publicity Violation Rejected on Motion to Dismiss

The Northern District of California recently denied Electronic Arts’ motion to dismiss a right of publicity claim brought against it by former college football player Sam Keller. The dispute was over the use by EA of Keller’s college jersey number, physical characteristics, and other identifiers (such as home state) in EA’s NCAA Football video game. EA argued that its use of Keller’s likeness was a defensible violation of Keller’s right of publicity under two different First Amendment arguments: (a) that the use was transformative; and/or (b) that it was merely publishing matters in the public interest (i.e., reporting newsworthy information). In finding that the use was not transformative, the court noted that when looking at the use of Keller’s likeness, rather than the game as a whole, EA had shown Keller “as what he was: the starting quarterback for Arizona State University.” In finding that the use was not merely news reporting, the court distinguished the case from fantasy football games (where use of player stats has been found to be protected under the First Amendment). In particular, unlike a fantasy football game, where reporting of the actual facts is necessary for a participant’s success in the game, in NCAA Football a video game player’s success was not dependent on the real-life facts. Moreover, the court noted, EA had provided more than just the bare facts, and had also included other elements, such as the college and university players’ physical characteristics and home states.

TIP: If you are considering using a celebrity’s name or likeness in your advertisement, take care if you believe that your use is protected by the First Amendment, as such a defense is quite limited.

II. Liability Shields and Content Protection

A. Immunity Under CDA Even If Site Solicits Potentially Negative Comments

A website where consumers can post (typically negative) comments about businesses and other goods and services recently won an appeal in a case brought against it by a New York City car dealership, Nemet Chevrolet. The website, consumeraffairs.com, is structured to serve as a forum for developing class action lawsuits (according to the website, it “empowers consumers by providing a forum for their complaints and a means for them to be contacted by lawyers if their complaints have legal merit”). Nemet argued that consumeraffairs.com should be held responsible – and liable – for defamation as a result of negative postings by users about Nemet. Consumeraffairs.com argued that it was immune from liability under the Communications Decency Act, since it was not participating in the creation of the negative comments about Nemet, and thus was not an information content provider. The Fourth Circuit agreed, and in deciding for consumeraffairs.com, expressly distinguished this case from a similar one brought against the website Roommates.com. In the Roommates.com case, certain posting features of the website were designed so that the only content that could be posted through them was content that violated the law. As a result, the Ninth Circuit held that Roommates.com was participating in the creation of the content by forcing users to violate the law when they used those site features. On the consumeraffairs.com website, in contrast, consumers were not forced to violate the law, and those who made negative comments could use the website to post legal (negative) content.

TIP: If you are creating an interactive forum on your website where users can post content, take care to ensure that you are not forcing users to violate the law when creating content. While you may be able to encourage users to post negative commentary about other parties, doing so is not without risk. You should only offer this service after ensuring that you will not be held responsible for those negative comments under the argument that you are a “co-author.”


B. User Shielded from Liability for Forwarding Defamatory E-mail

Under the Communications Decency Act, an individual who forwards a defamatory e-mail message is shielded from liability as long as the individual did not participate in the creation of the original message’s content. What was less clear, however, was whether the shield would still apply if the individual added his or her own introduction to the message. In a recent case before a California appeals court, the court held that merely adding an introduction to the message did not remove the CDA shield. In reaching its decision, the court noted that the defendant did not materially contribute to the message he sent (saying essentially only “see the message below” and “everything will come out in the end”).

TIP: Take care to avoid contributing to the creation of defamatory content.


C. iSafe Hopes to Become New COPPA Safe Harbor Provider

The Children’s Online Privacy Protection Act (“COPPA”) contains a “safe harbor” under which companies that participate in approved programs will be deemed by the FTC to be in compliance with the Act. There are currently four approved safe harbor programs. The industry group iSAFE is seeking to become the fifth such program, and recently submitted proposed self-regulatory guidelines to the FTC. iSAFE’s proposed guidelines mirror the requirements of COPPA, and provide that websites that collect personal information from children 12 years old or younger must contain a prominent link to the site’s privacy policy. In addition, the guidelines provide that participating websites must make efforts to ensure parents receive notice regarding the website’s information collection, use and disclosure practices and, subject to certain enumerated exceptions, must obtain verifiable parental consent before any collection, use, or disclosure of personal information from children. Participating websites must also provide parents with the ability to access and review their child’s personal information and provide parents and children with reasonable means to submit and attempt to resolve complaints about the participant’s information practices. Finally, the guidelines prohibit participating websites from conditioning a child’s participation in an activity on disclosing more personal information than is reasonably necessary to participate in the activity.

TIP: Operators of websites that are directed at children may want to consider taking advantage of the liability shields an FTC-approved safe harbor program can offer.

III. Online Contracts

A. New CA Law For Negative Option, Automatic Renewal And Continuity Programs

California recently enacted a new law regarding the use of automatic renewal and continuous service offers, commonly referred to as negative option marketing. This law makes it unlawful to fail to present the offer terms in a clear and conspicuous manner, or to charge the consumer for an offer without first obtaining the consumer’s affirmative consent. The law also requires that companies provide an acknowledgment to consumers that includes the terms of the offer, the cancellation policy, and information regarding how to cancel. If there is a material change in the terms of the offer, the law requires that companies provide consumers with a clear and conspicuous notice of the change and information regarding how to cancel. The law provides that if a company sends products to a consumer without first obtaining the consumer’s affirmative consent, the products shall be deemed an unconditional gift to the consumer. This law will go into effect December 1, 2010.

TIP: Negative option automatic renewal and continuity programs are facing increasing scrutiny. If you use such tactics, you should ensure that you are in compliance with the requirements of this law, as well as FTC guidelines, although this law largely mirrors existing FTC guidelines and policies.


B. eBay’s Right To Terminate Users On Belief Of “Bad Acts” Held Enforceable

Essex Technology Group sued eBay for terminating Essex’s right to trade on the eBay auction system after Consumer Depot, a competitor of Essex, accused Essex of “shill bidding,” and eBay subsequently terminated Essex’s ability to trade on the eBay site. Shill bidding occurs where a seller places a bid on its own item in order to artificially increase the price of, or interest in, that item. In granting eBay’s motion for summary judgment, the Tennessee court relied on the eBay User Agreement, which provided that eBay could suspend or terminate the agreement if eBay “believes a user is a threat to the marketplace.” The court found the user agreement to be valid and enforceable, rejecting Essex’s claims that the agreement was unconscionable and illusory because it was insufficiently definite. The court concluded that the “belief” provision does not give eBay an unlimited right to suspend or terminate, but a right that is tempered by a “good faith reasonableness standard.” Consequently, the court held that as long as the termination provision is exercised reasonably and in good faith, the provision is enforceable.

TIP: Be careful to balance the need to terminate a clickwrap contract, such as website terms of use, for consumer misconduct against the risk that too-flexible termination clauses might be viewed as unconscionable or illusory. Inclusion of a reasonableness standard should help in avoiding an unconscionability argument.


C. Signees to Online Contract Must Be Identifiable for Document to be Enforced

An individual who signed up for a Prudential life insurance policy online allegedly submitted fraudulent information when completing his application. Prudential pursued a case against him for fraud, and in response, the individual argued that he had never “signed” his policy as is required under New York law. Although indicating that electronic signatures are generally acceptable, the court denied the insurance company’s motion for preliminary injunction, indicating that it was a question of fact whether or not sufficient information was asked during the online application process to enable the company to authenticate the signator. The court in reaching its decision indicated that electronic insurance contracts can only be deemed as “signed” under New York state insurance law if the company requesting the signature had authentication procedures in place permitting it to identify the signator.

TIP: If setting up an electronic signature process, keep in mind that there may be specific requirements depending on the type of contract being signed. These requirements may vary depending on the state where the contract will be executed.


D. Enforceability of Clickwrap Executed by Non-Executives

Clickwrap agreements are generally considered enforceable; however, if the proponent of a clickwrap receives notice that only certain people, such as executives, are authorized to bind a company, subsequent clickwrap acceptance by others may not bind the company. In a recent case brought against SysLOCATE, the plaintiff, National Auto Lenders, alleged that defendant’s GPS units for tracking vehicles were defective. During settlement, National Auto Lenders notified SysLOCATE that only its officers were authorized to bind the company and all communications regarding the matter should be directed to plaintiff’s counsel. SysLOCATE subsequently implemented an amended clickwrap agreement significantly limiting its liability for defective products. Its customers had to accept the amended clickwrap to access the SysLOCATE website to track vehicles using the GPS products. The court found that a contractor and an employee of National Auto Lenders who agreed to the amended terms of use in order to access the site and track vehicles did not have apparent authority to accept the clickwrap on National Auto Lender’s behalf because National Auto Lenders had notified SysLOCATE that only its executives were authorized to bind the company. In reaching its decision, the court held that this notice made it unreasonable for SysLOCATE to believe that the individuals who accepted the clickwrap were authorized to do so.

TIP: Your written contracts with online service providers should state that online terms have no effect, or that in the event of a conflict the written agreement takes precedence. If your company is in a dispute with an online service provider, consider giving the provider formal written notice that only certain people at your company are authorized to enter into agreements or amend existing agreements. For service providers, where there is no such notice, avoid arguments by including a prominent statement adjacent to your clickwrap’s “Accept” mechanism that the user who accepts the agreement terms on behalf of an entity is authorized to do so.


IV. Data Breach and Data Security

A. FTC Urges Review of Data Security After Peer-to-Peer File Sharing Breaches

The Federal Trade Commission sent letters to approximately 100 organizations, urging them to review their data security practices after discovering that many of those firms’ private files had been found on peer-to-peer file sharing networks. The letters notified the recipients that files containing sensitive personal information of their employees or customers were found on P2P file sharing networks, where they could be accessed by those seeking to commit identity theft or fraud. Recipients of the letters included both public and private entities, ranging from local governments to large corporations with thousands of employees. The letters reminded companies that it was their responsibility to ensure that their internal security procedures included controls over the use of internal and external P2P software and other appropriate security measures to protect sensitive data.

TIP: These FTC letters suggest that the agency is continuing its efforts to take enforcement action against failures to protect the security of sensitive personal information. FTC enforcement in this area falls under its authority to stop deceptive and unfair practices, with the failure to protect data viewed as an unfair act. Companies should review their security practices, including use of P2P software, to ensure that access to sensitive information is properly restricted.


B. Mortgage Broker Settles Over Failure to Properly Dispose of Consumer Information

In another action by the FTC to ensure that companies are providing adequate data security, the agency recently settled with Nevada entrepreneur Gregory Navone based on his alleged improper disposal of about 40 boxes of sensitive consumer records collected by his companies. As part of the settlement, Navone agreed to pay a civil penalty of $35,000. The FTC complaint alleged that the documents, which included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and credit reports, were thrown away in a publicly accessible dumpster, which violated the privacy and security promises that Navone made to customers, and thus constituted a deceptive practice under the FTC Act. In addition to the monetary penalty, the consent judgment prohibits Navone from misrepresenting the measures he takes to protect personal information, requires him to implement a comprehensive information security program for sensitive consumer information, and requires him to hire an independent third-party security professional to review the program every year for 10 years.

TIP: This FTC settlement is the first one brought over improper disposal of customer information, joining state actions for similar activities. When disposing of sensitive data, companies should remember to do so in a secure manner.


C. Heartland Systems Enters Into Large Settlements with Credit Card Providers

Heartland Payment Systems Inc., one of the nation’s largest payment processors, informed the public in January 2009 that tens of millions of debit and credit card accounts had been breached. Heartland then found itself facing 17 consumer class action complaints and 10 bank and/or credit union class actions. Heartland agreed to pay $4.7 million to settle consumer class actions, and recently settled with both Visa and American Express Travel Related Services Company, Inc. for almost $60 million and $3.5 million respectively. According to the Visa settlement, $59.2 million is available to Visa card-issuing banks for their costs associated with the data breach.

TIP: Companies that process credit card data should keep in mind that not only may they find themselves liable to consumers in the event of a data breach, but may also find themselves answering complaints brought by credit card companies as well. Proper security measures are thus all the more important.


D. Computer Fraud and Abuse Act Losses Must Relate to Service Interruption

A Tennessee court recently considered what losses are actionable under the Computer Fraud and Abuse Act (CFAA), which provides a cause of action against anyone who obtains information from a protected computer by intentionally accessing the computer without authorization or exceeding authorized access. In the case, the defendant was a former employee who allegedly transferred trade secrets and other confidential information, including customer lists, confidential pricing formulas, and marketing strategies, to his personal computer for the purpose of forming a competing business. The court found the plaintiff did not allege a recoverable loss under the CFAA, following a line of cases that have held that lost revenue is only recoverable under the CFAA if incurred due to a “loss of service.”

TIP: To recover lost revenue under the CFAA, you need to be able to tie the damages to an interruption or loss of service.


V. Financial Privacy

A. FINRA Issues Social Networking Guidance For Securities Firms and Brokers

The Financial Industry Regulatory Authority (“FINRA”) recently issued guidance for securities firms and brokers on how to use social networking websites such as Facebook and LinkedIn. The guidance focuses on preventing the use of social networking sites to propagate information to investors that may be false or misleading, and indicates that securities recommendations made by the firms or their personnel on such forums may constitute a “recommendation” for the purposes of Rule 2310, and that communications that recommend specific investment products may trigger the FINRA suitability rule. Under FINRA rules, static content must have the approval of a registered principal of the securities firm. Interactive content does not have the same requirements. Since social media has both static and interactive content, FINRA provides guidance about how it will determine whether content requires prior approval. If, for example, a blog is used to create real-time interactive communications, FINRA would not consider the content on the blog as requiring prior principal approval, provided, however, that such communications are supervised. With regard to social networking websites such as Facebook, FINRA would treat static content on the website, such as profile, background or wall information, as requiring prior approval, but not real-time non-static content. The guidance also indicates that the content provisions of FINRA’s communications rules apply to interactive electronic communications sent through social networking sites, and that employees who participate in social networking should be properly supervised and trained, and disciplined if they fail to meet the company’s guidelines. The guidance also states that, in general, FINRA will not treat posts by consumers or other third parties on social networking sites as communications by the firm, unless the firm participates in the creation of the content.
The guidance further requires that each firm develop its own social networking policies and procedures, designed to suit the firm and its personnel.

TIP: Securities firms and brokers should have a social media policy in place, and should train employees on how to adhere to that policy. The policy should follow the requirements of the new FINRA guidance.


B. MA Data Protection Law Now Effective

Massachusetts’ new data security regulation went into effect on March 1 of this year. Under the new regulation, those who “receive, store, maintain, process, or otherwise access [certain limited] personal information in connection with the provision of goods or services or in connection with employment” (these activities are defined in the regulation collectively as “owning” data) must have a data security program in place. The type of information that triggers the law is limited to first and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license or state-issued ID card number; or (3) financial account or credit card number. Those who “own” such data about Massachusetts residents must have a security program in place that includes the following: (1) a written security program; (2) an employee in charge of the program and training for all employees about the program and its requirements; (3) provisions for when data is being transported off-site; (4) oversight of vendors who handle such information on the company’s behalf; and (5) monitoring compliance with and regular review of the program to ensure its effectiveness. The requirements are more detailed than this overview, but the foregoing gives a good example of the types of things that must be included in a program.

TIP: If you collect Social Security numbers, drivers’ license numbers, or credit card numbers from individuals in Massachusetts as part of the provision of goods and services (or in connection with employment), you should ensure that you have sufficient measures in place to protect that data. To meet the law’s requirements, you will need to have those measures formalized into a security program that includes the elements required by the Massachusetts law. Even if this law doesn’t directly apply, companies should still be taking steps to protect sensitive information in order to avoid liability under, for example, data breach notification and unfair business practice laws. This new regulation can give guidance for what a protection program might look like to help limit such liability.


C. Bank Seeks Declaratory Judgment Over Reasonableness of its Security Practices

A Texas bank recently asked a federal court to declare that its Internet banking security system is “commercially reasonable” in light of a recent online identity theft incident in which funds were stolen from consumers’ bank accounts. One of the bank’s clients stated that it lost funds due to the bank’s failure to “employ commercially reasonable security measures” in its Internet banking system during several wire transfers. However, the bank seeks a judgment that its methods were in fact commercially reasonable, apparently because the bank met industry standards for funds transfers in the banking industry. The bank further alleges in its complaint that the client’s lost funds were caused by a person who obtained access to the client’s transmitting facilities, or who obtained the information that facilitated the client’s security breach from the client itself, rather than as a result of the online identity theft event that affected the bank’s other consumers.

TIP: It may be possible that by following industry standard measures for data security, a company can avoid liability for failure to adequately protect data or systems through which data is transmitted.


VI. Workplace Privacy

A. Suit Against Sony For ADA Violations in Video Game Dismissed

A case brought against Sony Corp. alleging that Sony’s video games violated the Americans with Disabilities Act (“ADA”) was recently dismissed. The complaint had alleged that the user’s visual impairments prevented him from fully enjoying the video games manufactured by Sony, and that Sony’s refusal to accommodate his disability by modifying the video games (as some other video game manufacturers have done, the complaint stated) violated the ADA. In particular, the user had wanted Sony to provide visual and auditory cues that would aid his ability to play Sony’s video games. To prevail on an ADA discrimination claim, a plaintiff must prove that he or she was denied public accommodations by the defendant because of a disability. The Ninth Circuit has interpreted a place of public accommodation to require “some connection between the good or service complained of and an actual physical place.” Because Sony was a manufacturer of video games and a provider of online services, the court held that Sony is not a place of public accommodation. Furthermore, the court held that the user was never denied access to conventions or other events organized by Sony in connection with its video games.

TIP: While this court found that the ADA does not apply to a video game and related online services, other courts have concluded that virtual places, such as a website, can be subject to the ADA if there is a sufficient nexus to a physical location.


B. Manager Reading E-Mail Is Not An “Authorized” Act

Brent Yessin and his wife were business partners and managers of a Florida company, and were seeking a divorce, when Mr. Yessin allegedly intercepted his wife’s business e-mail in order to review messages between her and her divorce attorney. Ms. Yessin sued Mr. Yessin under the Computer Fraud and Abuse Act, which prohibits knowingly accessing a computer without authorization or exceeding authorized access and thereby obtaining information or anything of value. She also argued that the Electronic Communications Privacy Act (“ECPA”), which prohibits the intentional interception of electronic communications, was violated. In his motion to dismiss, Mr. Yessin argued that because he was a manager of the company, he was authorized to access the computer network in question. Denying Mr. Yessin’s motion to dismiss, the Virginia court found that even if Florida law authorizes managers to access information stored on a company’s servers for the purposes of carrying out the company’s business, Mr. Yessin was not acting as an agent of the company when accessing his wife’s e-mail account. The court did grant Mr. Yessin’s motion to dismiss the claim brought under the ECPA because his action was not “interception” under that act since the e-mails had already been received when he accessed them.

TIP: Exercise caution and consult with counsel before accessing your employees’ and co-workers’ e-mails, and ensure that access is in accordance with company policy and applicable laws and for legitimate business purposes.



VII. Healthcare Privacy

A. HHS Investigates for Retaliation Against Doctors Who Notified of HIPAA Violations

The U.S. Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has joined the New Hampshire Attorney General’s Office in an investigation of Wentworth-Douglass Hospital in Dover, New Hampshire, concerning HIPAA violations based on allegations that upwards of 1,500 patient records were improperly accessed and altered. Two pathologists who learned of the incident allege the hospital retaliated against them for reporting the HIPAA breach. The hospital contends that a comprehensive audit which resulted in the termination of the employee who accessed and altered the files, as well as notification of the breach to the physicians but not the affected patients, resolved the matter. However, CMS surveyors have begun conducting a survey of the hospital’s privacy issues, medical recordkeeping, and quality assurance to determine whether the facility meets the Medicare and Medicaid “conditions of participation” for reimbursement under the federal programs. Deficiencies discovered during the survey in turn would result in a full survey of the hospital. In addition to possible HIPAA violations, New Hampshire law requires businesses, presumably including hospitals, to notify consumers “as quickly as possible” regarding data breaches of computerized, unencrypted personal information. The state law also requires the business to inform the New Hampshire Attorney General or state regulators of the breach.

TIP: Be sure to comply not only with HIPAA but all applicable state laws governing consumer medical data.


B. Interim Rule Would Increase HIPAA Privacy and Security Violation Penalties

Under a new HIPAA interim rule, HIPAA rule violations can result in up to $1.5 million in total annual penalties, including for unintentional, multiple lesser violations. The interim final rule implements the civil penalties provided under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act sets forth four civil penalty categories: the lowest where the covered entity would not have known about a violation even through the exercise of reasonable diligence; the next level where the entity did not reasonably know of a violation; the third level where violations are due to willful neglect but are corrected; and the highest level where violations are due to willful neglect and are not corrected. The interim final rule does not limit the annual total penalties to the willfully negligent violations, but rather allows for multiple violations of all penalty categories. Industry groups have filed public comments contending that covered entities should not be subject to annual penalties up to $1.5 million for violations they either were not or could not reasonably have been aware of.

TIP: Be sure to implement an appropriate HIPAA compliance program to discover all potential violations and minimize the possibility of being subject to civil penalties.


C. New Hampshire Laws Expand Privacy Protections Beyond HIPAA

Effective January 1, 2010, New Hampshire law requires personal health data to be protected beyond what is required by HIPAA. Under H.B. 619, health care providers and business associates must obtain consent from individuals before using protected health information for marketing purposes; the individuals have to be given an opportunity to elect not to receive any fund raising communications based on their protected health information; and individuals have the right to file lawsuits for violations, including special or general damages of not less than $1,000 for each violation. H.B. 542 allows individuals to opt out of sharing health care data with e-health data exchanges; limits access in e-health data exchanges to providers for treatment purposes; and requires the exchanges to maintain logs of providers that access patient data.

TIP: Be sure to implement procedures consistent with these new state laws if you have access to personal health data in New Hampshire.


D. Patient Records Seized Without Warrant Are Usable

A Florida state appellate court recently denied a motion to suppress from evidence patient records seized from a pharmacy without a search warrant or notice to the patients, finding no statutory or constitutional violation. The court reversed the trial court’s order suppressing the evidence, holding that a Florida statute requires a pharmacy to make controlled substances records available to law enforcement officials without a warrant or notice to the patients. The appellate court determined that, under both the Florida and U.S. constitutions, law enforcement needs trump any right to privacy the patients may have regarding the pharmacy records. The court cited a Florida statute which permits law enforcement officers to inspect or copy pharmacy controlled substances records without the need for a warrant or notice to the patients. The court concluded that, while patients have a right to privacy regarding their medical records, this right is not absolute and must “yield to compelling government interests” such as the need to enforce controlled substances laws. Addressing the possibility of a HIPAA violation, the appellate court also noted that HIPAA permits disclosure of patient records as required by state law or to comply with “an authorized investigative demand” and that suppression of evidence in a criminal trial is not a HIPAA violation remedy.

TIP: Be aware of state laws governing the seizure of protected health data.


E. Surviving Spouse Permitted Access to Decedent’s Medical Records Under HIPAA

The Georgia Supreme Court has found that HIPAA does not preempt state law regarding a surviving spouse’s ability to access her deceased husband’s medical records. In the case, the surviving spouse sought medical records from a nursing home as part of a possible wrongful death action. The nursing home denied the request, contending that under HIPAA the records could only be released to a permanent administrator or executor of the estate. Finding that Georgia statutory law permits a surviving spouse to file suit on behalf of the deceased spouse, the court concluded that HIPAA’s regulation allowing an authorized person to act on behalf of the deceased person “under applicable law” was sufficient to allow access to the medical records. In so doing, the court rejected the contention that the HIPAA regulation preempts Georgia state law, noting that HIPAA does not preempt any state law that provides more stringent disclosure requirements, and that the Georgia law limited disclosure of only certain records to the surviving spouse while the HIPAA regulation permits any executor, administrator, or authorized person to have access to protected health information. In a dissent, Justice Melton of the Georgia Supreme Court concluded that the surviving spouse was acting on her own behalf in pursuing a wrongful death claim, which was unrelated to any authority to act on behalf of her deceased husband.

TIP: Note that state statutes governing protected health data which are more restrictive than the HIPAA regulations are likely to be upheld.


F. Medical Records of Person With Infectious Disease Not Given to Roommate

The Ohio appeals court has held that a patient is not entitled to the medical records of a former hospital roommate suspected of having an infectious disease. In so doing, the court overruled the trial court’s determination that the roommate’s medical records fell within a non-statutory exception to the physician-patient privilege. In the case, a patient who contracted an antibiotic-resistant staph infection known as MRSA after being in the hospital for back surgery alleged that the hospital improperly gave her a roommate with MRSA, contending she heard two nurses discuss the fact that the roommate was infected. As part of her personal injury claim, the patient requested a copy of the roommate’s medical chart. The hospital refused to disclose the records, contending that the physician-patient privilege protected the roommate’s medical records from disclosure and that the patient already knew the roommate’s identity since they had shared a room for four days. Both a magistrate and the trial court concluded the patient could have the records with the roommate’s name and date of birth redacted, determining that the patient’s right to prove her personal injury case outweighed the non-party roommate’s right to physician-patient confidentiality, and ordered that a limited, redacted portion of the roommate’s medical records be disclosed. In reversing the magistrate and trial court, the Ohio appeals court found that neither the statutory exceptions to the physician-patient privilege nor the limited common law exceptions to the privilege applied to the facts at hand. The appellate court also noted that redaction “does not remove the confidential or privileged nature” of the records.

TIP: Exceptions to physician-patient confidentiality will vary according to jurisdiction.


G. Plaintiff’s Physicians Communicating with Defendants’ Attorneys Violates HIPAA

Citing HIPAA, the Missouri Court of Appeals prohibited a plaintiff’s non-party medical providers from engaging in ex parte communications with defense attorneys. The plaintiff, Proctor, filed a personal injury suit against several medical providers. As part of the discovery in the case, the trial court allowed Proctor’s physicians and other health care providers to speak ex parte with defense counsel, but noted that the providers could refuse to do so if Proctor did not authorize them to do so. Proctor moved for a writ of prohibition against the order, contending that HIPAA prevents such a disclosure and also preempts Missouri state law on this issue. In a case of first impression, the Missouri appellate court agreed, concluding that HIPAA preempts state law except for those provisions which are more stringent than HIPAA. Rejecting the trial court’s determination that disclosure was permitted under 45 C.F.R. 164.512(e)(1), which allows a health care provider to disclose protected health information “in the course of any judicial or administrative proceeding,” the appellate court concluded that informal, ex parte communications with defense counsel are not proceedings authorized or held under the supervision of the court. The appeals court also held that the reasoning of a pre-HIPAA Missouri Supreme Court case, which found no state law prohibiting such ex parte communications, was preempted by HIPAA, since to hold otherwise would allow Missouri law to impede HIPAA’s purpose of protecting against the disclosure of personal health information.

TIP: HIPAA preempts state law except for those provisions which are more stringent than HIPAA.



VIII. International Privacy Issues

A. UK Office Given Power to Fine Up to £500,000 for Data Protection Violations

Starting in April, companies that violate the UK’s Data Protection Act 1998 risk a maximum penalty of £500,000. Guidance has been published on when the fine may be imposed, the steps that the Information Commissioner’s Office (“ICO”) will take in imposing the monetary penalty, and examples of what constitutes a violation. When considering whether an organization has violated the law, the ICO will objectively take into account the circumstances, the seriousness of the contravention, whether there was substantial damage or distress as a result, whether the violation was deliberate, whether the organization knew or ought to have known, and what reasonable steps it took to avoid the violation. Additional factors will include the organization’s financial resources, sector, and size, and the severity of the data breach, so that penalties are fair and not unduly harsh.

TIP: The UK Information Commissioner has signalled a toughening-up of its stance in relation to violations of the Data Protection Act. Companies in the UK should review their policies and confirm their compliance, including that data processing is relevant and not excessive to the purposes for which the data was collected, that data is not kept for longer than necessary, that data is secured, and that data is not transferred to other countries without “adequate protection,” except in certain circumstances.


B. French Piracy Law Sanctions Struck As Violating User Rights

At a time when Internet piracy in France is on the rise, French legislators introduced in June 2009 the Creation and Internet Law (“HADOPI 1”), based on a three-strikes approach. Among the sanctions that could be imposed under the new law was the suspension of a user’s Internet access for a year. The French Constitutional Court declared certain provisions of HADOPI 1 unconstitutional, including the suspension of a subscriber’s Internet access for up to one year. The Constitutional Court considered this sanction to be a disproportionate infringement on the freedom of expression and communication, a fundamental right guaranteed by the Constitution, and took issue with the fact that HADOPI 1 placed the burden of proof on Internet subscribers, who had to demonstrate that they were not responsible for the alleged piracy. This presumption of guilt on the part of the Internet subscriber conflicted with the presumption of innocence guaranteed under the French Constitution. As a result of this decision, new legislation (“HADOPI 2”) was introduced, removing the power to directly impose sanctions on Internet subscribers. Under the new law, the main function of the government entity charged with enforcement (the High Authority) is, based on complaints from copyright holders, to warn illegal downloaders that their actions violate the law, first by e-mail and then by registered mail. Thereafter, a special judge, who alone has the power to order a third strike, can suspend a user’s access for three months to a year and issue fines. The HADOPI 2 legislation came into effect on December 29, 2009 with the adoption of the decree pertaining to the organization of the High Authority.

TIP: Copyright holders (such as media companies, artists, etc.) should be aware that if they detect illegal downloads in France, they can complain to the High Authority. For repeat offenders, a special judge can sanction the Internet subscribers.


C. French Authority Issues Report on Call Center Security

In response to recent uproar in France involving personal data leaks by call center employees, the French data protection authority (CNIL) conducted inspections at two major call centers and plans to expand the inspections to other companies in order to ensure that such companies are complying with French data privacy laws. Although the CNIL stated that there was room for improvement, the data security at the inspected centers was considered “relatively satisfactory.” According to the CNIL, improvements could be achieved through better “traceability” of how company personnel use databases, such as keeping a log of who has accessed what data. During the investigations, the CNIL also reviewed the monitoring of call center workers by employers and noted that, although such monitoring is permitted by law, it is subject to certain restrictions. Not only must employees be informed when their conversations could be monitored, but the recording must also satisfy predefined needs, such as training or evaluation, and it can only be kept for a limited time period.

TIP: Companies that operate call centers in France should review the advice of the CNIL and ensure that security of data is appropriate and in line with recent recommendations.


D. Germany Issues Fines for Unlawfully Collecting Employees’ Health Information

The German federal state of Baden-Wuerttemberg, through its data protection authority, has fined a large drugstore chain for collecting and retaining employees’ health information in violation of Germany’s data protection law. The Mueller Group was fined €137,500 for routinely questioning employees about their health when they returned to work from sick leave, including asking for information about underlying health conditions. Germany’s data protection law precludes companies from collecting health data unless there is an urgent reason to do so, such as the possible spread of infectious disease or where the illness may be the result of working conditions.

TIP: If you have operations in Germany or other foreign countries, make sure that company practices are consistent with applicable local law.



E. New Model Contract Clauses for Transfers Out of EU Go Into Effect May 15

Transferring data from an EU member state to a country outside of the EU is restricted under EU laws; however, companies seeking to engage in such a practice have long been able to take advantage of a “model contract” option. Under this approach, the company transferring the data and the recipient enter into a form agreement, typically referred to as the “model contract.” The terms of the model contract have been revised, and the new version must be used starting May 15. The new version takes into account situations where data will be transferred to a third-party vendor acting on the data recipient’s behalf (referred to as “sub-processors”).

TIP: Companies seeking to transfer data from the EU to the US should keep in mind the model contract option. If using this approach, the new version of the contract must be used beginning May 15.


If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO
Liisa M. Thomas (Advertising), (312) 558-8121
Julie Bauer (Litigation), (312) 558-5973
Monique Bhargava (Advertising), (312) 558-3732
Stephen P. Durchslag (Advertising), (312) 558-5288
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Melbinger (Employee Benefits), (312) 558-7588
Robert H. Newman (Advertising), (312) 558-8125
Michael Philipp (Financial Services), (312) 558-5905
Tim Rivelli (Litigation), (312) 558-5817
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964

LOS ANGELES
Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711

NEW YORK
Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS
Sébastian Ducamp (Employment, Litigation), 33 0(1) 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 0(1) 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47

SAN FRANCISCO
David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Andrew P. Bridges (Intellectual Property), (415) 591-1482
Kimberly E. Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401

LONDON
Zoë Ashcroft (Corporate, Financial), 44 (0)20 7105 0025
Danvers Baillieu (Litigation, Financial), 44 (0)20 7105 0017
Barry Vitou (Corporate, Financial), 44 (0)20 7105 0018

WASHINGTON, D.C.
Marion K. Goldberg (Health Care), (202) 282-5788

Attorney Advertising Materials

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

Copyright © 2010. Winston & Strawn LLP.