Monday, November 23, 2009

Regulators Issue Final Model Privacy Notice

By Mehmet Munur

On November 17, eight federal regulators issued final rules and model privacy notice forms as required under the Gramm-Leach-Bliley Act. While the use of the notice forms is not required, the two-page forms create a safe harbor for disclosures required under the GLBA.

The notice forms replace the Sample Clauses previously issued by the regulators. The regulators stated that their studies “confirm[ed] that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks – because the notice is short and not because it is understandable – but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices – in which the Sample Clauses are typically embedded – do poorly on all measures.” Therefore, the regulators appear to want to increase the use of the model clauses as much as possible.

The FTC has been pushing for alternate means of providing notice to individuals for some time. The FTC noted in its February 2009 Behavioral Advertising Staff Report that “privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” Then, in its recent Sears enforcement, the FTC stated that Sears failed to “disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers.” Sears had mentioned the broad nature of data collection only in the 75th line of a legal agreement. Then in August, the FTC once again mentioned the Sears enforcement and the need to provide better notice in the Health Breach Notification Rule, stating that “[b]uried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” The FTC will be conducting Privacy Roundtables in the near future. We expect highlights notices, model privacy notices, and Carnegie Mellon’s Nutrition Label approach to privacy statements to take center stage in these roundtables.


Friday, October 30, 2009

FTC Delays Enforcement of Red Flags Rule, Court Holds Red Flags Do Not Apply to Lawyers

by Mehmet Munur

The FTC news release notes that the Federal Trade Commission delayed the enforcement of the Red Flags rules until June 1, 2010. The FTC news release also notes the decision by the U.S. District Court for the District of Columbia that the FTC Red Flags Rules did not apply to attorneys. The Federal Trade Commission v. American Bar Association order states that the memorandum will be published in the next thirty days.


The FTC promulgated the Red Flags Rules under the authority given to it by the Fair and Accurate Credit Transactions Act. The FTC had previously suspended the enforcement of the rules until November 1, 2009. Congress is currently considering a bill that would limit the scope of the Red Flags Rules.


Monday, October 19, 2009

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.

The FTC’s original consent agreement with ChoicePoint was due to the compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forgone business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers,” which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also extended the final date by which ChoicePoint would be subject to biennial audits by two years, to 2028. The new consent order may be found here.

The FTC enforcement reiterates the FTC's attitude toward privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and will require it to step up its information security operation or face even more fines and enforcement from the FTC.


Wednesday, October 07, 2009

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, the Federal Trade Commission filed six complaints against companies falsely claiming that they were self-certified to the Department of Commerce EU Safe Harbor when their certification had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to avoid misrepresenting that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods allowing US corporations to export data from the EU while complying with Article 25 of the EU Data Protection Directive, which requires that data only be transferred to countries with adequate data protections—with exceptions. The Department of Commerce, the European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify for the Safe Harbor and the DoC maintains a list of these companies on its export.gov website. However, the Federal Trade Commission and the Department of Transportation have the authority to enforce the Safe Harbor. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed either to recertify or to remove the representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but had failed to recertify since 2007. Progressive GaitWays had certified in 2004 but had failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related to the shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. Any “act or practice [that] is likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state the FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified with the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of the FTC’s willingness to bring enforcement actions in this area in the future. The recent changes to the list showing organizations certified to the Safe Harbor are possibly another indication of things to come. The International Trade Administration’s website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.


Monday, August 24, 2009

FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against a California website for deceptively claiming to be a member of the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement involving both the FTC’s authority to prosecute violations of the EU Safe Harbor and its authority to prosecute an American company for deception of foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver on minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based out of Pasadena, California. However, it operated under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, stated prices in pounds sterling, and referred to UK competitors and Royal Mail. The websites did not specifically state their location, though such a disclosure is required under the Distance Selling Directive. Therefore, the FTC inferred that the websites advertised and sold consumer electronics products to consumers in the UK “under the pretext of being located within the UK.”

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes. Some of these products were incompatible with the UK power grid. The websites also stated that the products would be covered under warranty. The products were not designed for distribution in the UK and, therefore, were not covered by warranty. Further, consumers were not allowed to cancel their orders, were charged 50% restocking fees, and did not receive their items for weeks.

Finally, the defendants advertised that they had self-certified with the Department of Commerce for the EU Safe Harbor when they had not. However, this false statement defies all logic. It does not help the defendants establish that they are a website based in the UK. A corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Maybe this was the company’s way of stating that it was transferring data to the US. Maybe the website owner believed that the Safe Harbor deception would make the website more attractive to UK customers. Nonetheless, Balls of Kryptonite is likely subject to this enforcement not due to inadequate legal advice, but due to a lack of legal advice.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example due to its scope. The TRO enjoins the defendants from misrepresenting “[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.” Thus, the FTC enjoined the defendants from misrepresenting that they are members of any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor Program is intricately linked to the third-party programs. The Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism that TRUSTe’s EU Safe Harbor Program and BBB EU Safe Harbor offer. However, one could argue that third-party privacy seals programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods. The Safe Harbor issue appears to be tacked onto the other issues. The Safe Harbor program has been in existence for nearly a decade and studies by the European Commission in 2004 and others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC would bring section five claims exclusively in the data protection realm in addition to mixed consumer protection claims.


Wednesday, August 19, 2009

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, the Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect 30 days from publication in the Federal Register. The FTC will only begin enforcement 180 days after the publication of the final rules.

The final rules addressed the public comments on the proposed rules and clarified certain issues, such as the broad scope of the rules, the application of either the HHS or the FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

The FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and the use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted the FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, a breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute a personal health record. On the other hand, the FTC renewed its statement that de-identified data would not be considered a personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show the FTC’s renewed interest in the identification of individuals using non-personally identifiable information. The FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.


The final rules also addressed privacy notices and, with them, the FTC’s recent incursion into privacy enforcement and behavioral advertising. The FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” The FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” The FTC cited the recent Sears enforcement to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice to be a data breach.

The final rules now make it easier to provide individual notice through email as well. Because the FTC is persuaded that the relationship between vendors of PHR, PHR related entities, and consumers takes place online, email notice can be used as a default option. An individual’s express affirmative consent to notification by email is no longer necessary. Nevertheless, consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation of receipt of the emails is required; only “reasonable efforts to contact all individuals” are required. EPIC advocated for social media breach notification. The FTC declined to adopt such a measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting on websites to 90 days. With respect to notifying the FTC of breaches involving more than 500 people, the FTC increased the time to provide notice from 5 to 10 business days. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules was set by the Stimulus Bill and cannot be changed, the FTC stated that it “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” within 180 days after the publication of the final rules. The HHS should shortly follow with its final rules under the Stimulus Bill.


Sunday, July 26, 2009

Sears Settles with FTC on Information Tracking

By Mehmet Munur

The FTC entered into a settlement agreement with Sears in June related to Sears’ failure to provide adequate notice to its customers during the sign-up process for information collection software. This settlement highlights the need to create accurate highlights notices for privacy policies.

Sears invited customers visiting the Sears.com and kmart.com websites to join the My SHC Community. Sears paid the customers $10 to sign up to participate in the community. Customers downloaded and installed “research” software for participating in the community after being presented with the privacy policy and a license agreement.

Sears mentioned in its marketing material that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumers’ online sessions, including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of web-based e-mails. The FTC appears to be concerned that Sears’ “Privacy Statement and User License Agreement” did not discuss the full scale of the data mining until the 75th line of the agreement. The agreement stated:

Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.

Therefore, the FTC argued, burying the scope of this information collection activity in the 75th line of a legal agreement did not adequately disclose the fact that the consumer was allowing the tracking of all of his or her Internet activity. This, the FTC concluded, was a deceptive practice under section 5 of the FTC Act.

In hindsight, Sears probably did not need all of the data that it gathered in the first place. The competitive advantage that Sears may gain in collecting and processing such sensitive financial and health data is likely to be outweighed by the disadvantages of maintaining the confidentiality of such sensitive information and the public relations problems that follow its disclosure. Even if Sears could in fact use this data, installation of software that practically works like a commercial keylogger likely requires specific and unambiguous consent.

In light of the Sears settlement, corporations should consider building several layers of privacy policies. The Article 29 Working Party and the UK ICO have proposed simplifying privacy policies to provide better notice to data subjects. Such a scheme would require that corporations build and use highlights notices that summarize the privacy policy and link to the full privacy policy.

In fact, some corporations, such as Google and Microsoft, have started using the A29WP approach in their privacy policies. Note that users would still be bound by the full privacy policy under such an approach. Therefore, the highlights notice makes privacy policies easy to understand for consumers while maintaining the detailed approach of a full privacy policy. Possibly, Sears could have used such a privacy policy on its website and more accurately described its information collection.



Thursday, April 23, 2009

FTC and HHS Issue Proposed Rules on Breach Notification

By Mehmet Munur

Both the Federal Trade Commission and the Department of Health and Human Services issued proposed regulations last week to satisfy their obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was a part of the American Recovery and Reinvestment Act of 2009. The FTC rules address the obligations of non-HIPAA covered entities such as vendors of personal health records and third party service providers, while the HHS rules address the procedures required to secure unprotected health care information. Affected entities should invest in technologies that prevent and detect breaches and also draft and implement policies to notify the appropriate parties when they do occur.

FTC Proposed Regulations:

While the FTC proposed regulations track the HITECH Act in many respects, they differ in others. The definitions of the terms business associate, HIPAA-covered entity, personal health record, PHR identifiable health information, vendor of personal health records, and unsecured stay substantially the same as under the HITECH Act. However, the FTC adds more substance around the concepts of third party service providers, the presumption of acquisition, notification of senior officials of vendors in a breach, and discovery of data breaches.

While PHR related entities and third party service providers are non-HIPAA covered entities, they are, nevertheless, covered by the HITECH Act’s breach notification provisions enforced by the FTC. Third party service providers include “entities that provide billing or data storage services to vendors of personal health records or PHR related entities.” Such services certainly include the likes of Google Health and Microsoft HealthVault. Both services have been in the spotlight recently. Google Health recently signed up CVS and HealthVault recently announced a partnership with the Mayo Clinic.

Due to the difficulty in determining whether access results in acquisition of data, the proposed FTC regulations enhance the definition of breach by adding language that creates a presumption of unauthorized acquisition where unauthorized access has taken place. However, the vendor or the PHR related entity may rebut this presumption where it “has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”

The proposed regulations also require entities to notify senior officials of vendors or PHR related entities and to obtain an acknowledgement in the event of a breach. The FTC also prevents entities from ignoring a breach by making the inability to reasonably ascertain a breach a violation of the regulations. On the other hand, the failure to discover a breach would not constitute a violation of the rules if the organization had strong breach detection measures in place and still failed to detect it. Therefore, breach detection is almost as important as breach notification under the proposed regulations.

The FTC expects the rules to affect about 900 entities and to cost a total of $1 million for 11 breaches per year. The FTC appears to be concerned about some overlap between the FTC and the HHS regulations and is therefore seeking comments on the dual role of certain entities, which would bring them under the scrutiny of both the FTC and the HHS. More detail on the proposed rules can be found at the FTC website.

HHS Proposed Regulations:

The regulations proposed by the HHS mainly concern the definition of the term “unsecured” as it modifies “protected health information” under the HITECH Act. This term is crucial as notification is not necessary if the protected health information is secured.

If the Secretary had not issued timely guidance, the term “unsecured protected health information” would have meant “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).” Now that the HHS has proposed these regulations, protected health information will be secured if it is encrypted or destroyed. However, such encryption and destruction will have to abide by the strict requirements of National Institute of Standards and Technology Special Publications on encrypting and destroying data.

The HHS relies on the existing HIPAA Security Rule for encryption and requires “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” where the keys for decryption have not been breached. However, as a new measure, the HHS issued an exhaustive list of NIST publications for encrypting data at rest and for encrypting data in motion. For example, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, recommends that travelling laptops should be secured using full-disk encryption and pre-boot authentication. HHS also requires that electronic media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, which requires that magnetic hard drives be purged using “Secure Erase” or degaussing, making them inoperable. The HHS is seeking public comments on the adequacy of some of these methods. More detail about the HHS proposed rules can be found at the HHS website.

The comment period for both sets of regulations will last until June and the agencies should issue interim final rules by August, which may result in changes to the proposed regulations. In addition, Congress may create a federal breach notification law after it receives the joint FTC-HHS report on the entities the HITECH Act regulates. Nevertheless, both HIPAA covered entities and non-HIPAA covered entities should invest in technologies and policies to prevent data breaches that may affect their bottom lines through breach notification costs, regulatory fines, and tarnished brands.


Friday, February 27, 2009

Stimulus Bill Requires Data Breach Notification Under HIPAA and Signals Broader Enforcement

by Mehmet Munur

The American Recovery and Reinvestment Act that President Obama signed into law on February 17, 2009 includes wide reaching data breach notification provisions for entities covered by the Health Insurance Portability and Accountability Act and organizations servicing those entities. It also has privacy provisions related to sales of protected health information, marketing, fines, and enforcement. The Act is likely to increase joint enforcement activities by the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights. Such enforcement will likely result in settlements similar to the CVS settlement on February 18, 2009 that arose out of improper disposal of protected health information.

I. Data Breach Notification

The Act places notification obligations on covered entities, business associates, and vendors of personal health records for breaches of protected health information as well as required updates to contracts between covered entities and business associates.

A. Covered Entities

Generally speaking, and without using the defined terms of the Act, an entity’s duty to notify arises when it has a breach involving unencrypted personal health information that it processes. The entity must then notify the individual, the media, and the Secretary of the DHHS within 60 days of discovering the breach, so long as the law enforcement exception does not apply. In creating these obligations, the Act defines the terms breach, electronic health record, personal health record, and vendor, but retains the earlier definitions of covered entity and business associate from HIPAA. The Act and the obligation to notify will likely become effective for breaches discovered 210 days from its enactment.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The term has several narrow exceptions related to inadvertent disclosures to authorized users. Most importantly, a breach is deemed to have been discovered on the first date on which it is known or reasonably should have been known to have occurred.

Covered entities still refer to health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form. Processing, while not a term used in the language of the Act, includes access, maintenance, retention, modification, storage, destruction, using, or disclosing.

Unencrypted personal health information refers to the defined term unsecured protected health information. The protected health information portion of the term retains its definition under HIPAA and means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or both. Unsecured, on the other hand, is defined by reference to technology. The Secretary is to issue guidance within 60 days specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If he does not, the standard defaults to a technology developed or endorsed by a standards organization accredited by the American National Standards Institute. Though the Act does not name a particular technology, it will probably be the Advanced Encryption Standard used by the Federal government for sensitive documents.

Notification takes three forms: individual, media, and the DHHS. Notification must be made without unreasonable delay and in no case later than 60 days after discovery of the breach. The law enforcement exception can delay notification if a law enforcement official states, in writing or orally, that notification would impede a criminal investigation or damage national security; an oral statement must be documented by the entity. The burden of proving that notification was made as the Act requires lies with the covered entity.

Entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the entity to have been, accessed, acquired, or disclosed during the breach. Individual notice may be by first-class mail to the individual’s last known address, or by email if the individual has so elected. If the entity has insufficient or out-of-date contact information for 10 or more individuals, it must give substitute notice through a conspicuous posting on its website or through major print or broadcast media, for a period the Secretary specifies. The entity may also notify by telephone where there is possible imminent misuse of the information.

The entity must notify prominent media outlets serving a state or jurisdiction if the unsecured protected health information of more than 500 residents of that state or jurisdiction is reasonably believed to have been subject to the breach. The entity must also notify the Secretary: immediately if the breach involves 500 or more individuals, or in an annual log for breaches involving fewer than 500. The Secretary is then required to post breaches involving more than 500 individuals on the HHS website.

The Act delineates the contents of the notifications. They must include a brief description of what happened, including the date of the breach and the date of its discovery; a description of the types of information involved; the steps individuals should take to protect themselves from resulting harm; a brief description of what the entity is doing to investigate the breach, mitigate losses, and prevent further breaches; and contact procedures, which must include a toll-free telephone number, email address, website, or postal address.

The Secretary must also issue interim final regulations on breach notification within 180 days. These regulations will apply to breaches discovered on or after the date that is 30 days after the regulations are published. They will certainly require covered entities to craft breach response procedures and implement them promptly.

B. Business Associates

Business associates that service covered entities under HIPAA have an obligation to notify the covered entities in the event of a breach. Business associates are now also subject to the same security procedures that covered entities are under HIPAA and these requirements must also be incorporated in their agreements.

The definition of a business associate has not changed with the Act. Business associates still refer to persons that perform or assist any activity involving the use or disclosure of individually identifiable health information or persons performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity. The Act states that the business associates need to notify the covered entities who must then notify the individuals. However, the requirements related to timeliness and the discovery of the breach are the same.

Covered entities will need to amend their contracts with business associates to reflect the provisions of the Act. These amendments must include administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements promulgated by the DHHS. Business associates that receive protected health information may be subject to fines for wrongful disclosures of protected health information. Prior to the Act, HIPAA only made business associates liable to the covered entity for contract breaches.

The Act also contains a whistle-blowing provision for business associates and the covered entities they serve. Prior HIPAA regulations stated that a covered entity was non-compliant if it knew of a business associate’s activity that constituted a material breach of the associate’s contractual obligations and did not take reasonable steps to cure it. If the business associate did not cure the problem, the covered entity was required to terminate the contract or, if that was not feasible, inform the Secretary. Now, the Act places the same responsibility on business associates with respect to the covered entities they service. Failure to do so is a violation of the Act.

C. Vendors and Non-HIPAA Covered Entities

The breach notification standards also apply to a new kind of entity called vendors under the Act. These are entities other than covered entities that offer or maintain personal health records. A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Google Health and Microsoft HealthVault are examples of such entities.

A vendor’s obligations under the Act are similar to those of covered entities and business associates. Vendors must notify individuals and the Federal Trade Commission, instead of the DHHS, of data breaches; the FTC then notifies the DHHS. The methods and timing of these disclosures, and the definitions of breach and unsecured information, are almost identical to those that apply to covered entities. Violation of this duty to notify is treated as an unfair or deceptive act or practice under the FTC Act. Third-party service providers that serve vendors likewise have an obligation to notify their vendors of any breaches they experience.

The FTC is required to pass regulations related to vendors covered under the Act within 180 days. If, however, Congress passes breach notification laws that directly apply to vendors, then the breach notification provisions of the Act will be overridden. While this provision may be good housekeeping to prevent dual breach notification laws for vendors, it may also be a sign of further breach notification legislation to come from Congress.

II. Marketing, Sale of Protected Healthcare Information, and the Minimum Necessary Standard

The Act has several provisions that restrict marketing activities and create greater privacy protections for individuals. Covered entities will need to revise their privacy practices to accommodate their new responsibilities.

The Act narrows the marketing activities allowed under HIPAA. A communication by a covered entity or business associate about a product or service that encourages the recipient to purchase or use it is not a health care operation unless it is made 1) to describe a health-related product or service, 2) for treatment of the individual, or 3) for case management or care coordination for the individual. If the covered entity or business associate receives direct or indirect payment in exchange for the communication, the communication is marketing even if it falls within one of those categories. A paid communication remains a health care operation only if it describes a drug or biologic currently prescribed to the recipient and the payment is reasonable in amount, or if the covered entity has obtained a valid authorization from the individual. The Secretary is charged with defining reasonable compensation through regulations. The Act also prohibits the sale of protected health information without a valid authorization. The requirements for these authorizations do not change under the Act.

The Act now makes it mandatory to comply with an individual’s request to restrict disclosure of protected health information to a health plan for payment or health care operations when the information pertains solely to an item or service the individual has paid for in full out of pocket. Prior HIPAA regulations did not require covered entities to agree to such restrictions.

Individuals also have the right to access protected health information in electronic format if the entity maintains that information. The fee for such access cannot exceed labor costs in responding to the request.

Under HIPAA, an entity was required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of that information. The Act further reduces the amount of data in circulation by requiring the Secretary to promulgate regulations based on the limited data set concept that excludes identifiers such as names, addresses, social security numbers, email addresses and similar information to the extent practicable. Such changes will certainly require that covered entities revisit their privacy practices.

III. Fines and Enforcement

The Act also promotes enhanced enforcement through required fines and investigations.

Violations due to willful neglect now require a fine by the Secretary. Furthermore, the Secretary now has an obligation to investigate any complaint of a violation of the Act if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect. Most importantly, the Act requires that any civil monetary fine or settlement fund collected relating to privacy and security be transferred to the Office for Civil Rights of the DHHS. This provision will likely create a positive feedback loop in which enforcement results in fines and settlements that give the OCR more funds to carry out more investigations. Additionally, individuals harmed by such breaches may receive a percentage of the funds received by the OCR, but the method for doing so will be determined within three years of the date of enactment. The Act also creates four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 per violation, with annual caps for violations of an identical provision ranging from $25,000 to $1,500,000. These fines are effective immediately.

The law can also be enforced by the State Attorneys General. If there is reason to believe that the interests of one or more residents of the State are or could be threatened, the AGs may bring an action in federal district court. The courts may, in their discretion, award attorney’s fees to AGs that bring such actions. However, state action is barred while the Secretary is already pursuing an action for the same violation. Considering the availability of attorney’s fees and the public record of breaches, this provision is likely to increase enforcement in cases where the FTC or the DHHS decline to act.

IV. Joint Enforcement and CVS’s $2.25 million DHHS Fine

The day after the Act was signed into law, the FTC and the DHHS announced separate settlements with the nationwide pharmacy chain CVS arising out of improper disposal of sensitive personal information. The settlement is significant because it is the first joint investigation by the FTC and the DHHS, involves a health care provider, and involves employee as well as customer data. Moreover, given the language of the Act and the cooperation it requires between the two agencies, it is likely a sign of more joint investigations to come.

According to the FTC complaint, during 2006 and 2007 television stations found names, addresses, dates of birth, bank account numbers, physicians’ names, insurance account numbers and other personal information that CVS had discarded in unsecured dumpsters in at least 15 cities. Seizing on CVS’s statements that “nothing is more central to our operations than maintaining the privacy of your health information” and that CVS took “this responsibility very seriously,” the FTC argued that the representations in CVS’s notice of privacy practices were false and misleading, and that its disposal practices were likely to cause substantial injury to consumers and were therefore an unfair act or practice. As a result, CVS settled with the FTC and the DHHS in separate settlement agreements.

The FTC settlement is very similar to the other settlements that FTC reached with ChoicePoint, DSW, and TJ Maxx. CVS must create a comprehensive information security program, designate an accountable employee for that program, identify risks, and receive third party assessments of its security procedures for the next 20 years. It is the 24th FTC case that challenges a company’s failure to implement reasonable information security practices.

The DHHS settlement is similar but probably more significant. Under the resolution agreement with the OCR, CVS agreed to pay $2.25 million and implement a robust corrective action plan that includes safeguards for disposal, employee training, and employee sanctions for noncompliance. CVS must comply with this action plan for the next three years, alongside the FTC settlement’s two-decade program. The OCR press release on the resolution agreement highlights the OCR’s intention to make an example of CVS and its “commitment to strong enforcement of HIPAA Privacy Rule . . . [intended to] spur other health organizations to examine and improve their privacy protections.” The DHHS settlement is the second of its kind; the previous resolution agreement was with Providence Health & Services for $100,000. Although OCR routinely investigates and allows entities to correct HIPAA problems voluntarily, it had not previously extracted a payment of this magnitude.

Vendor breach notifications under the Act will likely spur closer cooperation between the two agencies. OCR’s new obligation to assess fines and to investigate certain complaints, together with its ability to keep the fines it collects, will give OCR more resources and more incentive to enforce the law. This positive feedback loop will likely result in the FTC and the OCR enforcing the requirements of HIPAA and publicizing their enforcement. Therefore, the CVS settlement should provide an incentive for entities of all sizes to satisfy not only their current HIPAA obligations but also their future breach notification requirements.

V. Conclusion

The Recovery and Reinvestment Act creates broad data breach notification requirements for covered entities, business associates, and vendors on a federal level under HIPAA. These entities will need to abide by the regulations that the Secretary of the DHHS will promulgate in the next six months. Further, they will need to abide by the breach notification rules or face fines and settlements by both the FTC and the OCR. Therefore, affected organizations should act quickly to update their breach response plans, revise their privacy policies, stop sales of protected health information without appropriate authorization, and update business associate agreements.


Monday, February 02, 2009

Heartland Payment Systems Loses Credit Card Data to Malware

By Mehmet Munur

Heartland Payment Systems, the sixth-largest card acquirer in the United States with a processing volume of $51.9 billion, reported that its “investigation uncovered malicious software that compromised data that crossed Heartland’s network.” This data breach is disconcerting because consumers may be unable to pin down the source of fraudulent transactions and because Heartland was a Payment Card Industry Data Security Standard compliant acquirer. Heartland will likely be subject to liability from consumers, investors, and the FTC.

Heartland’s data breach may have exposed close to 100 million card numbers. It appears that malicious software inside Heartland’s network captured the data encoded on the magnetic stripes of credit and debit cards as transactions crossed the network. Heartland believes that security codes and other sensitive data, such as driver’s license numbers or social security numbers, were not part of the breach, and therefore that the risk of identity theft is minimal. However, the risk of financial loss remains, because stolen magnetic-stripe data can be encoded onto a counterfeit card and used fraudulently. Considering that Heartland services all types of merchants, the largest risk to consumers is that such fraudulent transactions could come from any source, and consumers have no way of telling whether any of their cards was involved in the breach.
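To make concrete what “the data on the magnetic stripes” is and what a memory-scraping malware harvests, here is an added example, not code from Heartland or from the original post: a small Python detector that scans a byte buffer (process memory, a packet capture, a log file) for ISO/IEC 7813 Track 1 and Track 2 data, validates each PAN with the Luhn check to weed out random digit runs, and masks the PAN in its own output so the detector does not become a second copy of cardholder data. The capture buffer is constructed for this example and uses the publicly known Visa and Mastercard test card numbers; the terminal name, cardholder name and field values are assumptions, not data from any breach.

```python
"""Detect ISO/IEC 7813 magnetic-stripe track data in a memory or network capture.

Added example, standard library only. SAMPLE_CAPTURE below is constructed for
the example with well-known *test* card numbers, not data from any real breach.
"""
import re
from typing import List

# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:                 ;<PAN>=<YYMM><service code><discretionary>?
# PAN is 13-19 digits. On bytes, \d matches ASCII digits only.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit: filters the random digit runs a memory scan throws up."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[dict]:
    """Return one record per Luhn-valid track found, in buffer order.

    PANs are masked on the way out so the detector's own logs and alerts do not
    themselves hold cardholder data.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": "1", "pan": mask_pan(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": m.group(3).decode(),
                         "service_code": m.group(4).decode(),
                         "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": "2", "pan": mask_pan(pan), "name": "",
                         "expiry": m.group(2).decode(),
                         "service_code": m.group(3).decode(),
                         "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: what a process-memory or packet capture on an acquirer host
# might contain when swipe data is handled in the clear. Test PANs only; the
# terminal name and cardholder name are made up. The third record has a PAN that
# fails the Luhn check and must be ignored.
SAMPLE_CAPTURE = (
    b"\x00\x00POS-TERMINAL-0142 AUTH REQ\n"
    b"%B4111111111111111^DOE/JOHN^25121011234567890000?"
    b";4111111111111111=25121011234567890?\n"
    b"noise ;4111111111111112=2512101000? more noise\n"
    b";5500000000000004=2606201999999999?\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_CAPTURE):
        print(hit)
```

The same two patterns, with the Luhn filter, are what a DLP rule on outbound traffic or a host scan of process memory would use; run against the sample they report the two Luhn-valid test cards and skip the decoy.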

Another disturbing point for both consumers and corporations is that Heartland was a PCI DSS compliant acquirer. According to its 2008 10-K, Heartland “maintain[ed] current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test [its] systems for vulnerability to unauthorized access.” Furthermore, Heartland encrypted the data stored in its databases but not when the data was in transit across its network. Heartland’s assumption was that its network was secure. As a result of the breach, Heartland’s listing in Visa’s Cardholder Information Security Program is now under review. To remedy the situation, Heartland announced that it would begin encrypting cardholder data throughout its network.

However, encryption is not the silver bullet that will save Heartland, or another acquirer, in the future. PCI DSS requires that cardholder data be encrypted when it is stored and when it crosses open, public networks, but it does not require encryption while data crosses an acquirer’s internal network. More fundamentally, the data must be decrypted at some point in order to be processed, and malware on the host that does the processing sees the plaintext regardless of how the data traveled. Furthermore, given the fast evolution of malware, a vulnerability is likely to develop within any system at some point. Instead, companies that thrive on data processing must approach data security with comprehensive processes, such as ISO/IEC 27002. This is not to say that PCI DSS is inadequate. Considering that Requirement 6 of PCI DSS is the development and maintenance of secure systems and applications, it appears that it was Heartland’s implementation of PCI DSS that failed, not PCI DSS itself.

Heartland may be subject to legal liability from consumers, the Federal Trade Commission, and investors. A week after the breach, Heartland is already facing a class action lawsuit. TJ Maxx recently settled a similar class action lawsuit arising out of its data breach using its reserve of $178 million. Such a class action lawsuit may prove costly for Heartland as well.

TJ Maxx did not have to pay a fine to the Federal Trade Commission, and Heartland may be lucky enough to avoid fines from the FTC as well. Yet, as in TJ Maxx’s FTC settlement, Heartland may be subject to third-party audits as part of a compliance program for the next 20 years. Heartland may also be able to avoid a lawsuit from its investors. While Heartland’s stock price has declined from about $18 to $8[1] since the breach became public, it appears to have made the appropriate disclosures as part of the risk factors in its 10-K:

Unauthorized disclosure of merchant and cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.

Our computer systems could be penetrated by hackers and our encryption of data may not prevent unauthorized use. In this event, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or other similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the Visa and MasterCard networks.

In sum, corporations like Heartland that make their money through processing personal data should invest in data protection using comprehensive processes, especially if the loss of that data may result in financial liability. Such comprehensive processes are likely to better protect corporations and their customers against data breaches.

[1] The connection between data breaches and stock price declines has been the subject of several studies since the ChoicePoint data breach.

