Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a glimmer of hope that the controller and processor concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller” and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.
  • In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.
  • A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controller’s instructions, at least with regard to the purposes and the essential means of the processing. The lawfulness of the processor’s data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).

Internet Freedom and Data Privacy

On 22 February, the European Data Protection Supervisor (EDPS) released an unsolicited opinion on EU negotiations of an Anti-Counterfeiting Trade Agreement (ACTA). The EDPS expresses some strong opinions on the use of the “three strikes law” and other measures to control copyright violations by Internet users that might be in the ACTA. The EDPS is not subtle – he declares that “[s]uch practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones.” The opinion describes how a “three strikes” or similar approach might be set up, as well as the applicable EU data protection and privacy legal framework (in paragraphs 23 to 26). It then issues harsh conclusions (paragraphs 81 to what should be 88 but is mis-numbered as 80). The EDPS “strongly encourages” the Commission to set up a public and transparent dialogue on ACTA (which so far has been secret). He insists that the Commission strike a correct balance between “demands for the protection of intellectual property rights and the right to privacy and data protection,” which should be taken into account at the beginning of the negotiations. In his view:

85. …three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

In the last paragraph of the conclusion the EDPS insists on being consulted on the measures to be implemented. EDPS opinions have no legal binding status but can be influential indicators of how data privacy laws might be interpreted.

Enterprises Should Beware the Pitfalls of Compliance with the Massachusetts Information Security Regulations

The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), include a broad range of administrative, physical, and technical obligations. Nevertheless, there are certain common business processes that may pose unique and substantial compliance challenges. Accordingly, organizations subject to these regulations should give very careful consideration to their practices in the following high risk areas.

Email

First, the obligation to encrypt all sensitive personal information transmitted over public networks will have a substantial impact on the use of email to collect and transmit such data. While there is generally accepted technology available to encrypt email and/or files attached to emails, implementing such tools and properly training the workforce to use them may require significant expense. (It should also be noted that this would apply to webpage forms that populate and transmit emails, as well as the use of Instant Messaging, Text Messaging, or similar technologies to transmit personal information.)

Organizations that exchange personal information directly with consumers may find the transition particularly difficult. Many consumers may be ill-equipped to deal with encrypted messages and attachments. Moreover, the encryption/decryption process may create negative user experiences that undermine customer goodwill. While decrypting messages and attachments may be quite straightforward for the technology-savvy consumer, it is likely to be confusing or frustrating for many others. Similar complications may arise when dealing with small to mid-sized third party service providers that have limited technological sophistication.

In light of the foregoing, many organizations may consider alternative communications protocols, such as shifting email-dependent business processes to web browser-based processes that can be secured in a more efficient and centralized manner. Web pages served over secure HTTP or secure FTP could replace most present-day email communications involving personal information.

Portable Devices

The Massachusetts Standards require the encryption of sensitive personal information stored on portable devices. By the Massachusetts government’s own admission, there are no generally accepted encryption tools for use on many commonly-used portable devices, such as smartphones and PDAs. As a result, enterprises subject to the Massachusetts Standards should carefully consider when it is necessary and appropriate, if ever, to store sensitive personal information on portable devices. Alternatives, such as truncation of sensitive data (e.g., SSNs and financial account numbers) and use of secure online protocols (e.g., secure HTTP or secure FTP) for transmitting data to third parties, should be thoroughly contemplated. In those instances when such storage is both necessary and appropriate, procedures, including workforce training, should be developed to ensure that the data remains secure during storage.

There is a certain level of overlap with the email concerns discussed above because a likely source of personal information on smartphones is the email messages that may be accessed through the devices. Since encryption of these messages may not be practicable, organizations may have further incentive to suspend the exchange of personal information via email in favor of browser-based protocols.

Third Party Relationships

The Massachusetts Standards require enterprises to “select and retain” third party service providers that will provide safeguards consistent with the other requirements of the regulations, as well as contractually obligate third party service providers to maintain such safeguards. The “select and retain” provision is fairly vague, affording the Massachusetts government (and courts) the opportunity to interpret it in ways that could introduce substantial obligations. This provision appears to impose obligations to engage in pre-contract evaluation and post-execution monitoring of the security practices of third parties.

Prior iterations of the Massachusetts Standards included an explicit requirement to obtain written certification of compliance from third party service providers. Since that language has been removed, the regulations no longer provide concrete guidance on what steps should be taken to “select and retain” appropriate third party service providers. The resulting ambiguity is a problem for both data owners and their prospective service providers. Service providers are reluctant to reveal detailed information about their security policies and procedures because such information may be misused at significant cost to the service provider. On the other hand, data owners are limited in their ability to rely upon imprecise representations of robust security measures from service providers because such representations appear to be self-serving.

Accordingly, it is important for enterprises in both positions (as data owners and/or service providers) to thoroughly analyze the most effective and appropriate way to ensure that their contractual relationships satisfy the Massachusetts Standards. Among the potential alternatives is the retention of reputable independent auditors to analyze service provider security practices and generate compliance reports for distribution to business partners (as is common for third parties that provide services subject to the Sarbanes-Oxley Act).

Massachusetts Regulations May Herald New Era for Information Security

A new era of information security law may well start as the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”) go into effect today, March 1, 2010. All institutions collecting sensitive personal information (e.g., a name combined with a Social Security Number, state-issued identification number, or financial account number) from Massachusetts residents should pay careful attention to the requirements and enforcement of these regulations. However, the implications beyond those entities that operate in Massachusetts may be longstanding as well.

Information Security Law Trend: From Generalities to Specificity

While information security statutes and regulations are fairly new developments in United States law, the previous trend reflected a bifurcated approach by federal and state authorities. On the one hand were the somewhat ambiguous reasonableness standards imposed by states such as California and Texas. On the other hand were the detailed regulations imposed upon industry sectors commonly involved in the handling of sensitive personal information, such as the HIPAA Security Rule, GLB Safeguards Rule, and FCRA/FACTA Disposal Rule.

As press reports of significant breaches of sensitive personal information have continued to mount, state lawmakers have taken an increasingly aggressive approach to regulation. Starting with the rather quiet passage of the Oregon Identity Theft Protection Act and the more widely noted passage of the Minnesota Plastic Card Security Act, both in 2007, several states have attempted to adopt detailed information security obligations applicable to all entities that handle sensitive personal information. Accordingly, Nevada has recently revised its data protection statute, which includes an obligation that businesses that handle credit card transactions must comply with the Payment Card Industry Data Security Standard (similar to the Minnesota Plastic Card Security Act). Meanwhile, detailed information security regulations remain under development in New Jersey.

A New Revolution Starts in Massachusetts

The Massachusetts Standards stand as a unique development in this lineage because they are notably more comprehensive than the reasonable security statutes implemented in many states and expressly disclaim any exemptions based upon compliance with other regulatory schemes (whether self-regulatory, such as PCI DSS, or federal, such as HIPAA and GLB). In fact, the Massachusetts Standards include a number of technical requirements that are not spelled out in similar detail in the federal sector-specific regulations. For example, the Massachusetts Standards expressly require the implementation of network firewalls and regularly scheduled patching of operating systems, obligations that are not expressed in either the HIPAA Security Rule or the GLB Safeguards Rule.

While the Commonwealth’s enforcement agenda remains to be seen, particularly with respect to out-of-state organizations, the regulations are likely to have a distinct impact on many entities. The wide scope of the regulations themselves (covering many administrative, physical, and technical security areas) and of the entities arguably subject to the regulations (any entity, regardless of size, that collects sensitive personal information from Massachusetts residents) will compel a significant number of organizations to consider their compliance alternatives.

Although the Massachusetts Standards are designed to scale to the unique circumstances of each entity subject to the obligations (a point reemphasized in revisions issued on August 17, 2009), it is yet to be seen how the enforcement authorities will apply this scalability in practice.  Some of the provisions introduced in an attempt to increase the flexibility of the regulations have inadvertently led to new ambiguities.  For instance, the technical security requirements are only necessary to the degree that they are “technically feasible.”  However, the definition of “technically feasible” (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides limited practical guidance.  Regardless of their ultimate decisions, entities will be assuming a certain level of risk with any compliance decision until the Massachusetts authorities establish further guidance, either through supplemental documents or enforcement actions.

All that being said, many elements of the Massachusetts Standards are more evolutionary than revolutionary, but their impact may remain substantial. For example, the Massachusetts Office of Consumer Affairs and Business Regulation has stated in its official Frequently Asked Questions that all backup media must be encrypted prospectively. While encryption has been a solution of choice for legislators and regulators for some time now, it has historically been encouraged as a form of safe harbor for data breach notification requirements (in state law and recently issued federal health data breach notification regulations). However, the Massachusetts Standards join the Nevada encryption law in mandating the encryption of sensitive personal information both during transmission and during storage on portable devices and media. The financial and opportunity costs of such wide-ranging obligations to encrypt data may prove substantial, and enterprises should be planning accordingly.

FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breaches Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue. (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to identify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today, as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website and includes the following information:

  • the entity’s name
  • state
  • approximate number of affected individuals
  • date of breach
  • type of breach (e.g. theft, misdirected e-mail)
  • location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begins Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US Discovery

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute. His crime was attempting to comply with a U.S. court order compelling production of documents. See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding). Examples of U.S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure").

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employee’s e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum. Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions, such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents bore subject lines such as “Essay 1”, “Essay 2”, and so on, and the firm discovered them without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data. On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

Health care providers, health plans, clearinghouses and their business associates face a deadline for implementation of significant new compliance obligations.

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

New Requirements

Covered entities must now comply with most of the new privacy requirements introduced under HITECH including, among other requirements:

  • additional requirements regarding “minimum necessary” uses and disclosures of protected health information (PHI);
  • new limitations on uses and disclosures of PHI for marketing;
  • new individual rights related to electronic access to PHI maintained in an electronic health record; and
  • new individual rights allowing individuals the right to restrict their providers from sending PHI to the individuals’ health plan if the individuals pay in full for the product or service at issue.

Business associates also now face substantial new compliance obligations under HITECH. Prior to HITECH, business associates were not directly subject to HIPAA and were subject only to the contractual obligations imposed on them by covered entities through business associate agreements (BAAs). HITECH changes the regulatory landscape by imposing a direct statutory obligation on business associates to comply with the new privacy and security requirements. These include such things as:

  • compliance with the bulk of the HIPAA Security Rule requirements;
  • compliance with the new HITECH data breach provisions; and
  • compliance with the new individual rights provisions related to access to PHI and restrictions on certain disclosures of PHI.

BAA Challenges

HITECH further requires that the new privacy and security requirements “shall be incorporated” into BAAs. The amendment of BAAs has been one of the most troublesome and challenging issues for both covered entities and business associates. While some have hoped that HITECH “by law” amends existing BAAs (an argument that may raise constitutional issues given that private contracts and assets are at stake), most, if not all, have struggled with the decision whether to amend existing BAAs prior to the February 17, 2010 compliance date or rely upon a “transition period” that has been hinted at by the Department of Health and Human Services (HHS) and was provided in the Privacy Rule when compliance was required in 2003.

New Enforcement Framework

In addition to the new compliance challenges faced by covered entities and business associates under HITECH, several notable changes to HIPAA enforcement were also introduced under HITECH. Although many of the new enforcement provisions were effective upon enactment of HITECH (e.g., enforcement by state attorneys general, increased civil monetary penalties), several other enforcement provisions are now effective, including:

  • business associates are now subject to direct enforcement actions; and
  • covered entities and business associates are now subject to mandatory, periodic audits by HHS.

Beginning February 22, 2010 HHS also will begin enforcement of the new HITECH data breach regulations issued in September 2009.

Members of the Hogan & Hartson HIPAA Privacy practice are available to assist clients in working through these legal issues to implement compliance with HITECH efficiently and effectively—both before and after regulatory guidance is issued.

HHS Announces Workshop on HIPAA Privacy Rule's De-Identification Standard

The Department of Health and Human Services (“HHS”) announced that it will host an in-person workshop to address and collect stakeholders’ views regarding how to best implement the Privacy Rule’s current requirements for the de-identification of protected health information (“PHI”). The American Recovery and Reinvestment Act of 2009 (“ARRA”) requires HHS, in consultation with stakeholders, to issue guidance on methods for de-identifying PHI. The workshop, which will consist of multiple panel sessions, is open to the public and will be held on March 8-9 in Washington, DC. Following the workshop, HHS will synthesize the input it receives from the workshop and general comments, and issue guidance on its Web site for public comment.

The deadline to register for the workshop is March 1, 2010. Additional details about the workshop can be found on HHS’ Health Information Privacy Web site.