Think Your Cellphone Usage is Private? Think Again

In a closely-watched case out of Miami, the Eleventh Circuit Court of Appeals redefined the zone of privacy for cell phone users. As the Tech World was focused on Miami for the second annual eMerge conference, the court issued an opinion permitting prosecutors to obtain records from mobile carriers—without a search warrant—allowing the tracking of an individual’s movements through his or her cell phone’s interaction with cell towers.

In U.S. v. Davis, the Eleventh Circuit, sitting en banc, considered the appeal of Quartavious Davis, who was convicted by a Miami jury of participating in seven armed robberies. At trial, the prosecution presented accomplice and eyewitness testimony that Davis was involved in seven separate armed robberies in a two-month period. The prosecutors also introduced historical cell tower records obtained from Davis’ mobile carrier for the time period spanning the robberies. The records contained a history of numbers dialed by Davis and the cell tower that connected each call. The prosecutors called a police officer who was able to pinpoint on a map the exact location of each robbery and—using the data obtained from Davis’ mobile carrier—the location of the cell tower that connected Davis’ calls around the time of each robbery. While Davis’ location was not precise, the evidence gave the government a basis to argue that the calls to and from Davis’ cell phone were connected through cell tower locations near the robbery locations. Several witnesses testified that Davis used his cell phone around the time of the robberies. These facts allowed the prosecutors to assert that Davis was necessarily near the locations of the robberies at the times they occurred.

The government acquired Davis’ mobile carrier’s records pursuant to the Stored Communications Act (the “SCA”), under which a governmental entity may require a telephone service provider to disclose “a record … pertaining to a subscriber to or a customer of such service (not including the contents of communications) … if a court of competent jurisdiction” finds “specific and articulable facts showing that there are reasonable grounds to believe” that the records sought are “relevant and material to an ongoing investigation.” Importantly, the government is not required to show probable cause—as it would to obtain a search warrant—before a court will issue an order mandating the release of the records.

Following the guilty jury verdict, Davis appealed on the grounds that the government violated his Fourth Amendment rights by obtaining his mobile carrier’s records without a search warrant and a showing of probable cause.

The Eleventh Circuit rejected Davis’ arguments on two independent grounds. First, the court held that the government’s acquisition of Davis’ mobile carrier’s records did not constitute a search for purposes of the Fourth Amendment. The court reasoned that Davis did not have ownership or possession of the records, and, moreover, Davis did not have a reasonable expectation of privacy in records of the transmissions between his cell phone and his mobile carrier’s cell phone towers—particularly given that it was information captured in the mobile carrier’s records. Second, the court found that even if the government’s acquisition of the mobile carrier’s records did constitute a search under the Fourth Amendment, the government’s acquisition of the information was nonetheless reasonable because the government relied upon and adhered to the strictures of the SCA.

The full implications of the Davis case still remain to be seen, but the case raises important questions about privacy interests in respect of information transmitted over the airwaves and through the internet. For example—and as several judges concurring with the court’s opinion pointed out—what differentiates a third-party internet site’s tracking of a user’s movements on its site through the use of cookies from a mobile carrier’s tracking of a user’s location? One thing that we can say for certain is that as Miami continues to develop as an incubator for technology, start-ups and innovation, the Davis case certainly will not be the last word from our courts on the intersection of privacy and technology.

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Data Privacy and Data Security: Two Sides of the Same Coin. A Conversation with Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc.

Cybersecurity is an important issue facing companies and legal departments across the country.  With high profile, and sometimes embarrassing, data breaches dominating news coverage, data security and privacy have become major concerns.  Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc. will be speaking at the Inside Counsel SuperConference on May 12th, 2015 to give insight into these very important issues.  He will speak on a panel entitled: Cybersecurity Regulations: What you Need to Know.

Manzo says, “There is a drumbeat of data security issues permeating both the mainstream and legal press, and while individuals may have different levels of understanding and engagement, I’m sure that awareness of these issues is high.” There are differing perspectives and approaches on the issue–risk management and policy on one end of the spectrum, technical issues on the other–but importantly, the conversation is underway and there is cognizance at companies, at all levels, of the importance of these issues.

Manzo believes a discussion of cybersecurity must consider both data security and data privacy.  He defines data security as, simply, knowing where your data is located, and who may access the data. Data privacy is predicated on data security and requires further understanding how personal data is being collected, processed (and by whom), and transferred, and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers.   Manzo says, “Data security and data privacy are two sides of the same coin, and we trade that coin for consumer trust.”

Since our modern world is so dominated by data, by its collection, its use, and its analysis, both companies and consumers realize that who we share information with and what they do with it is an important issue.  Manzo uses the term “good data hygiene” to describe what consumers and companies should work towards, and how it is both a company and a consumer’s responsibility to be aware of these issues.  Consumers would do well to acquire a basic understanding of what data they’re sharing and with whom, while companies, Manzo says, “need to be responsible stewards of consumers’ personal information.”

Manzo says, “Data security and privacy should be part of the DNA of a company.”

Data security and privacy are clearly not just IT issues anymore, but instead, Manzo says, “extend into all areas of an organization.”  From a company perspective, good data hygiene requires a strong command of data security and a robust privacy program.  Manzo also advocates that companies be transparent with consumers and customers about their data security and privacy practices.  Transparency requires a company to be aware of what data is being collected and from whom, and what is done with that data–who processes the information, if it is not done in house, and where the information is stored or transferred.  Beyond that, a company should have rules and policies in place to protect the information, and should incorporate data security and privacy into employee training, so that all employees are aware of the issues and concerns.

Manzo says, “Transparency allows you to be upfront and clear with consumers.  You can say, here’s what data I collect, here’s how I use and protect your data, and here’s what might happen to that data.”  Consumers, in turn, need to understand the data they are sharing and reasonably evaluate the attendant risks and benefits, and thereby make an informed decision about sharing their information.

However, it is not just between consumers and companies.  Legislation and regulation have a role to play as well.  “The Federal Trade Commission has a significant role to play in data privacy and security issues, and they have raised consumer and industry awareness of the responsibilities that go hand in hand with using personal information,” Manzo says.  Looking forward, legislation and regulation will play a major role in how companies manage data privacy and security. A clearer, more unified set of rules and laws governing data security and privacy practices, as well as breach notifications, likely enacted on the federal level, would be helpful for consumers and companies.

Right now, companies struggle with a patchwork of laws and regulations.  For example, Manzo says, “to respond to a breach, a company must first pull out a matrix of laws and regulations and determine which apply to the situation.  The patchwork of rules creates unnecessary complexity and slows breach response and notification efforts.”  Moving forward, Manzo says, “more unification of breach response and breach notification laws will be a benefit to consumers and industry.”

Our data-soaked society is here to stay, and most have accepted that the risks of having our information available are outweighed by the benefits and the convenience it affords.  That said, more understanding, transparency, awareness and clarification can help consumers and companies move forward in this brave, new, information-saturated world.

More information about the Inside Counsel SuperConference is available from the conference organizers.

Supreme Court to Decide Who Can Sue Under Privacy Law

Does a consumer, as an individual, have standing to sue a consumer reporting agency for a “knowing violation” of the Fair Credit Reporting Act (“FCRA”), even if the individual may not have suffered any “actual damages”?

The question will be decided by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 2015 U.S. LEXIS 2947 (U.S. Apr. 27, 2015) (No. 13-1339). The Court’s decision will have far-reaching implications for suits under the FCRA and other statutes that regulate privacy and consumer credit information.

FCRA

Enacted in 1970, the Fair Credit Reporting Act obligates consumer reporting agencies to maintain procedures to assure the “maximum possible accuracy” of any consumer report they create. Under the statute, consumer reporting agencies are persons who regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Information about a consumer is considered to be a consumer report when a consumer reporting agency has communicated that information to another party and it “is used or expected to be used or collected” for certain purposes, such as extending credit, underwriting insurance, or considering an applicant for employment. The information in a consumer report must relate to a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”

Under the FCRA, consumers may bring a private cause of action for alleged violations of their FCRA rights resulting from a consumer reporting agency’s negligent or willful actions. For a negligent violation, the consumer may recover the actual damages he or she may have sustained. For a “willful” or “knowing” violation, a consumer may recover either actual damages or statutory monetary damages of $100 to $1,000.

Background

Spokeo is a website that aggregates personal data from public records that it sells for many purposes, including employment screening. The information provided on the site may include an individual’s contact information, age, address, income, credit status, ethnicity, religion, photographs, and social media use.

Spokeo, Inc., has the dubious distinction of receiving the first fine ($800,000) from the Federal Trade Commission (“FTC”) for FCRA violations involving the sale of Internet and social media data in the employment screening context. The FTC alleged that the company was a consumer reporting agency and that it failed to comply with the FCRA’s requirements when it marketed consumer information to companies in the human resources, background screening, and recruiting industries.

Conflict in Circuit Courts

In Robins v. Spokeo, Inc., Thomas Robins had alleged several FCRA violations, including the reckless production of false information to potential employers. Robins did not allege he had suffered or was about to suffer any actual or imminent harm resulting from the information that was produced, raising only the possibility of a future injury.

The U.S. Court of Appeals for the Ninth Circuit, based in San Francisco, held that allegations of willful FCRA violations are sufficient to confer Article III standing to sue upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of the statute. In other words, the consumer need not allege any resulting damage caused by a violation; the “knowing violation” of a consumer’s FCRA rights alone, the Ninth Circuit held, injures the consumer. The Ninth Circuit’s holding is consistent with other circuits that have addressed the issue. See e.g., Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009). It refused to follow the U.S. Court of Appeals for the Eighth Circuit in finding that one “reasonable reading of the [FCRA] could still require proof of actual damages but simply substitute statutory rather than actual damages for the purpose of calculating the damage award.” Dowell v. Wells Fargo Bank, NA, 517 F.3d 1024, 1026 (8th Cir. 2008).

The constitutional question before the U.S. Supreme Court is the scope of Congress’ authority to confer Article III standing, particularly whether a violation of consumers’ statutory rights under the FCRA is the type of injury for which Congress may create a private cause of action to redress. In Beaudry, the Sixth Circuit identified two limitations on Congress’ ability to confer standing:

  1. the plaintiff must be “among the injured,” and

  2. the statutory right must protect against harm to an individual rather than a collective.

The defendant companies in Beaudry provided check-verification services. They had failed to account for a change in the numbering system for Tennessee driver’s licenses. This led to reports incorrectly identifying consumers as first-time check-writers.

The Sixth Circuit did not require the plaintiffs in Beaudry to allege the consequential damages resulting from the incorrect information. Instead, it held that the FCRA “does not require a consumer to wait for consequential harm” (such as the denial of credit) before bringing suit under FCRA for failure to implement reasonable procedures in the preparation of consumer reports. The Ninth Circuit endorsed this position, holding that the other standing requirements of causation and redressability are satisfied “[w]hen the injury in fact is the violation of a statutory right that [is] inferred from the existence of a private cause of action.”

Authored by: Jason C. Gavejian and Tyler Philippi of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

When Coworkers Invade Your Space re: Personal Privacy in the Workplace

Raymond Law Group LLC, a Connecticut and Boston law firm

Invasion of personal privacy in the work place concerns all of us, but can you sue for that? A Connecticut trial court recently addressed this compelling privacy issue.  A Board of Education employee sued her coworkers for intentional infliction of emotional distress and for invasion of privacy. The employee alleged that her co-workers had, for several months, gathered together without her knowledge or permission to open and read her personal materials that she had stored on her work computer. The Waterbury Superior Court held that the employee had not stated a claim for intentional infliction of emotional distress, as the alleged conduct was only “undesirable and inappropriate”, and thus did not meet the “extreme and outrageous” standard of an intentional infliction of emotional distress claim. However, the court held that the employee had stated a claim for invasion of privacy, since her coworkers’ uninvited intrusion into her personal material was behavior that a reasonable person would find highly offensive. Referencing a 2009 District of Connecticut case, where the court held that employees have a reasonable expectation of privacy for their work emails, the Waterbury Superior Court noted that although the employee’s computer was a work computer, and not a personal device, this fact did not preclude her from bringing an invasion of privacy claim.

The right of privacy was first recognized by the Connecticut Supreme Court in 1982, when the Court adopted the standards for invasion of privacy listed in the Restatement (Second) of Torts. The Restatement explains that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy if the intrusion would be highly offensive to a reasonable person.” 3 Restatement (Second), Torts, Invasion of Privacy § 652B, p. 378 (1977). Following the Restatement, Connecticut law now recognizes four classes of invasion of privacy: 1) unreasonable intrusion upon the seclusion of another; 2) appropriation of the other’s name or likeness; 3) unreasonable publicity given to the other’s private life; or 4) publicity that unreasonably places the other in a false light before the public. Goodrich v. Waterbury Republican-Am., Inc., 188 Conn. 107, 127-28 (1982). A few years later, the Connecticut Appellate Court adopted the invasion of privacy damages listed in the Restatement (Second) of Torts. In that decision, the court held that a plaintiff who has established a cause of action for invasion of his privacy is entitled to recover damages for: 1) the harm to his interest in privacy resulting from the invasion; 2) his mental distress proved to have been suffered if it is of a kind that normally results from such an invasion; and 3) special damages of which the invasion is a legal cause. Jonap v. Silver, 1 Conn. App. 550, 557 (1984).

This raises an interesting legal question. If a plaintiff’s claim is found to have fulfilled the standards of an invasion of privacy claim, yet not the standards of an intentional infliction of emotional distress claim, what damages can the plaintiff recover? An intentional infliction of emotional distress claim must involve “extreme and outrageous” conduct, while an invasion of privacy claim must involve conduct that is “highly offensive to a reasonable person.” It seems incongruous that a plaintiff is unable to recover for emotional distress under an intentional infliction of emotional distress claim, yet is able to recover for “mental distress” arising from an invasion of privacy claim. However, it appears that courts have determined that conduct qualifying as invasion of privacy needs to meet a less stringent standard of distress than conduct qualifying as intentional infliction of emotional distress. If this is true, then it makes sense that a plaintiff could be unable to recover for emotional distress under an intentional infliction of emotional distress claim, while still being able to recover for mental distress under a less stringent invasion of privacy claim.


Connecticut Workplace Privacy Law

The Data Security and Breach Notification Act of 2015

Jackson Lewis P.C.

On March 25, 2015, the United States House of Representatives Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation that would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;

  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;

  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;

  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;

  • The law would preempt all state data breach notification laws;

  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and

  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact that identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

Workplace Privacy Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United States, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).


IoT – It’s All About the Data, Right?

Foley and Lardner LLP

A few weeks ago, the FTC released a report on the Internet of Things (IoT). IoT refers to “things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet. This year, there are estimated to be over 25 billion connected devices, and by 2020, 50 billion. With the ubiquity of IoT devices raising various concerns, the FTC has provided several recommendations.

Security

The report includes the following security recommendations for companies developing Internet of Things devices:

  • Build security into devices at the outset, rather than as an afterthought in the design process

  • Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization

  • Ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers

  • When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk

  • Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network

  • Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks

Data Minimization

The report suggested companies consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. Data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.

Notice and Choice

The FTC provided further recommendations relating to notice and choice. It is recommended that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

What Does This Mean for Device Manufacturers?

It is evident from the FTC’s report that security and data governance are important features for IoT device manufacturers to consider. Although the report suggests implementing data minimization protocols to limit the type and amount of data collected and stored, IoT device manufacturers should not be short-sighted when deciding what data to collect and store through their IoT devices. For many IoT device manufacturers, the data collected may be immensely valuable to them and other stakeholders. It would be naïve to decide not to collect certain types of data simply because there is no clear use or application of the data, because the costs and risks of storing such data appear prohibitive, or because they want to reduce their exposure in the event of a security breach. In fact, quite often IoT device manufacturers do not realize what types of data may be useful. IoT device manufacturers would be best served by analyzing who the stakeholders of their data may be.

For instance, an IoT device manufacturer that monitors soil conditions of farms may realize that the data they collect can be useful, not only to farmers, but also to insurance companies to better understand water table levels, produce suppliers, wholesalers, and retailers to predict produce inventory, farm equipment suppliers, among others. Because of this, IoT device manufacturers should identify the stakeholders of the data they collect early and revisit the data they collect to identify new stakeholders not previously identified based on trends that can be determined from the data.

Moreover, IoT device manufacturers should constantly consider ways to monetize or otherwise leverage the data they gather and collect. IoT device manufacturers tend to shy away from owning the data they collect in an effort to respect their customers’ privacy. Instead of not collecting sensitive data at all, IoT device manufacturers would be best served by exploring and implementing data collection and storage techniques that reduce their exposure to security breaches while at the same time allay the fears of customers.


Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

McDermott Will & Emery

On Friday, February 13, 2015, the Payment Card Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Sockets Layer (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherent weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI DSS and the related PA-DSS that will address this issue. These developments follow the 2014 disclosure of the POODLE attack, a padding-oracle weakness in SSL 3.0’s CBC cipher modes that cannot be patched without abandoning the protocol, and of Heartbleed, which was a memory-disclosure bug in the OpenSSL library’s heartbeat extension rather than a flaw in the SSL protocol itself.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

  1. Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);

  2. If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;

  3. Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;

  4. If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and

  5. Ensure proper testing prior to rollout of any new protocol.
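Step 1 above is answered by asking each server directly whether it will still complete an SSL 3.0 handshake. The following Python is an added example, not code from the PCI SSC or from McDermott: it builds the SSLv3 ClientHello record a scanner sends (version bytes 0x0300, no TLS extensions) and classifies the server’s first reply, a ServerHello meaning the server still accepts SSL 3.0 and an alert (or a dropped connection) meaning it does not. The two sample replies at the bottom are constructed bytes, not captured traffic, so the classification logic runs offline; `probe()` is the only function that touches the network.

```python
"""Offline logic for checking whether a server still accepts SSL 3.0.
Added example, not PCI SSC or McDermott code; byte layouts follow the
SSL 3.0 / TLS record and handshake formats."""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"      # record/handshake version bytes for SSL 3.0
CT_HANDSHAKE = 22
CT_ALERT = 21
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}
# Cipher suites an SSLv3-era client would offer (all RSA key exchange):
# AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA.
SSL3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def sslv3_client_hello(client_random=None):
    """Return a complete SSLv3 ClientHello record (no TLS extensions)."""
    client_random = os.urandom(32) if client_random is None else client_random
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_SUITES)
    body = (SSL3_VERSION + client_random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one method: null compression
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CT_HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Classify the first record a server returned to sslv3_client_hello()."""
    if len(data) < 5:
        return "no_response"                 # closed/dropped: treat as rejected
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CT_ALERT:
        if len(payload) < 2:
            return "malformed"
        return "rejected:" + ALERT_NAMES.get(payload[1], f"alert_{payload[1]}")
    if ctype == CT_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello body: version(2) random(32) sid_len(1) sid cipher_suite(2) ...
        if len(payload) < 39:
            return "malformed"
        off = 39 + payload[38]
        if len(payload) < off + 2:
            return "malformed"
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        version = payload[4:6]
        if version == SSL3_VERSION:
            return f"accepted:sslv3:0x{suite:04x}"   # server still speaks SSL 3.0
        return f"accepted:version_{version[0]}.{version[1]}"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Live check (needs network): send the hello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""         # many hardened servers simply drop the connection
    return classify_response(reply)


# Constructed sample replies (not captured traffic) so this runs offline.
def _sample_server_hello():
    # version 3.0, zero random, empty session id, AES128-SHA (0x002f), null compression
    body = SSL3_VERSION + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(hs)) + hs


ACCEPTING_REPLY = _sample_server_hello()                          # legacy server
REJECTING_REPLY = bytes([CT_ALERT]) + b"\x03\x01\x00\x02\x02\x46"  # fatal protocol_version

if __name__ == "__main__":
    print("legacy server :", classify_response(ACCEPTING_REPLY))
    print("patched server:", classify_response(REJECTING_REPLY))
```

An `accepted:sslv3:*` verdict is the finding step 2 is meant to remediate; on Apache the fix is `SSLProtocol all -SSLv2 -SSLv3`, on nginx an `ssl_protocols` line that lists only TLS versions. Note that switching off SSL 3.0 alone leaves TLS 1.0 in place, which the Council’s later PCI DSS revisions also stopped treating as strong cryptography, so the same probe is worth re-running with the version bytes set to 0x0301 once the SSL 3.0 cleanup is done.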

Responding to the Anthem Cyber Attack

Proskauer Rose LLP, Law Firm

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media.  Where HIPAA applies, the notifications will need to be made “without unreasonable delay” and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, “own” the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.


It’s Data Privacy Day 2015

Mintz Levin Law Firm

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.

  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.

  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.

  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the collected data will travel.  Sensitive data should be encrypted.

  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.

  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.

  • Deidentify data where possible.  If deidentified data would be sufficient, companies should maintain such data only in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example when information is collected to support the specific purpose for which the device was purchased.

When notice or choice are necessary, the FTC offers several suggestions for how a company might give or obtain that, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer has already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.