Kerry Releases Draft of "Privacy Bill of Rights"
A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass.) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom the information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.
Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.
Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”
Some information is always considered PII of the individual to whom it pertains, including:
- First name (or initial) and last name;
- Residential address;
- E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
- Telephone or mobile device numbers other than those considered work contact numbers;
- Social security numbers and other government-issued identification numbers;
- Credit card numbers;
- Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
- Biometric data, including fingerprints and retina scans.
If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:
- Birth date, birth or adoption certificate number, or place of birth;
- Unique persistent identifiers (not limited to those used to identify a specific individual);
- Precise geographic location; and
- Any other information concerning an individual that may “reasonably be used to identify that individual.”
UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”
Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.
Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information, as well as notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:
- The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
- The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
- The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.
The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.
Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.
Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.
A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.
Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:
- To process a transaction or service requested by that individual;
- To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
- To prevent or detect fraud or to provide for a secure environment;
- To investigate a possible crime or that is required by law or legal process;
- To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
- Necessary for the improvement of the transaction or service through research and development; or
- Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.
Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.
Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.
Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.
With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).
Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XIII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
Background.
The Judgment was the end result of a year-and-a-half-long action brought by Connecticut Attorney General Richard Blumenthal (“CT AG”) on Jan. 13, 2010 against Health Net. (See Attorney Gen. v. Health Net of NE Inc., et al., complaint available here).
The CT AG alleged Health Net was responsible for “failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and [for failing to] promptly notify consumers endangered by the security breach" because a terabyte portable hard disk had been either lost or stolen at Health Net's Shelton, CT offices. (See CT AG Press Release, available here). The disk was later determined to contain “27.7 million scanned pages of over 120 different types of documents such as insurance claims forms, membership forms, appeals and grievances, correspondence and medical records” of 1.5 million past and present members of Health Net administered plans, including 538,470 Connecticut residents. As the data on the disk was neither encrypted nor otherwise protected from access by unauthorized persons or third parties, this loss, according to the CT AG, violated HIPAA's security and privacy rules as set out in 45 CFR Parts 160 and 164, Subparts A, C and D. (See 45 CFR 160, available here; 45 CFR 164, available here; see also HITECH Act, Sections 13402(a) and (b), available here).
The Complaint.
The Complaint claimed Health Net violated a litany of HIPAA provisions and:
“a. [] failed to ensure the confidentiality and integrity of electronic protected health information it created, receives, maintains, and transmits in violation of 45 CFR 164.306(a)(1).
b. Defendants failed to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights in violation of 45 CFR 164.312(a)(1).
c. Defendants failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility to maintain their security in violation of 45 CFR 164.310(d)(1).
d. Defendants failed to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 CFR 164.308(a)(1).
e. Defendants failed to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity in violation of 45 CFR 164.308(a)(6)(ii).
f. Defendants failed to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information in violation of 45 CFR 164.306(a)(2).
g. Defendants failed to protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 CFR 164.306(a)(3).
h. Defendants failed to ensure compliance with the HIPAA security standard rules by its workforce in violation of 45 CFR 164.306(a)(4).
i. Defendants impermissibly and improperly used and disclosed protected health information that is and remains accessible to unauthorized persons in violation of 45 CFR 164.502 et seq.
j. Defendants failed to effectively train all members of its workforce (including independent contractors involved in the data breach) on the policies and procedures with respect to protected health information as necessary and appropriate for the members of its workforce to carry out their functions and to maintain security of protected health information in violation of 45 CFR 164.530(b) and 45 CFR 164.308(a)(5).
k. Defendants’ policies and procedures establishing physical and administrative safeguards were not adequately designed to appropriately and reasonably safeguard protected health information in violation of 45 CFR 164.530(c).
l. Defendants did not maintain an effective and appropriate sanctions policy for members of its workforce (both employees and independent contractors) who failed to comply with the policies and procedures for the protection and safeguarding of protected health information in violation of 45 CFR 164.530(e).”
In addition, the CT AG alleged Health Net's actions constituted unfair trade practices in violation of Conn. Gen. Stat. §42-110b (a/k/a “CUTPA”, with civil penalties of up to $5,000 per willful violation), and that the loss of the personal information was a “breach of security”, as defined by Conn. Gen. Stat. §36a-701b(a). Further, the Complaint alleged Health Net delayed disclosing the breach within the meaning of Conn. Gen. Stat. §36a-701b(b) (“Such disclosure shall be made without unreasonable delay . . . to identify the individuals affected, or to restore the reasonable integrity of the data system.”).
Finally, as relief, the CT AG sought: (a) a preliminary and permanent injunction against any further such violations by Health Net; (b) statutory damages for all violations (pursuant to 42 U.S.C. §1320d-5(d)(1)(A)); (c) an injunction against further violations of CUTPA and Connecticut's data breach statute; (d) civil penalties pursuant to CUTPA; and, of course, (e) attorneys' fees.
The Judgment.
After a year and a half, with a docket replete with motions to extend the defendants' time to answer the complaint and motion for preliminary judgment, the action came to a sudden head in early July with the CT AG's “Motion for judgment upon stipulation” which in the course of two days was reviewed, approved and entered as the Judgment bringing the action to a close. (See Docket here).
The Judgment maps out a rather onerous plan of "Corrective Action" and details a variety of additional facts, beyond those in the Complaint, that serve as a warning beacon as to practices to avoid as well as those to consider and follow.
$7 Million and Counting. As if to confirm that data breaches are not only costly, but distracting, time consuming and sure to be splashed on the front pages, the Judgment notes that Health Net, during its investigation and response, engaged at least three consultants at a cost, presumably including Health Net's own time and efforts, “exceeding $7,000,000 to investigate the circumstances surrounding the missing portable disk drive, to notify Health Net Members, and to offer credit monitoring services and identity theft insurance.” Judgment at 6. The consultants included: Kroll, Inc., to forensically recreate the disk and determine what the missing disk contained; Navigant Consulting, Inc., to data-mine the recreated disk and identify Health Net members and Connecticut residents; and, finally, Debix, Inc., to notify the affected members, including 538,470 Connecticut residents, and to run a “dedicated call center to address their questions and concerns, and to provide credit monitoring services....” Id. Anyone handling PHI should carefully weigh the above sobering list of costs against any hesitation to purchase and install full disk encryption across the enterprise.
Disk Logs. In addition, one item that can be gleaned from this action, from both the Complaint and the Judgment, is that any portable hard drive which could conceivably contain PII or PHI should, according to the CT AG's office, be set up such that the OS or suitable third-party software creates and maintains a “log file of the collection and transfer of [] data transferred to the disk drive.” Id. at 7.
Why a log file? The Complaint noted that:
"when the disk was discovered missing, the defendant Health Net's failure to create a log file further increased the risk of disclosure of the protected health information … and constituted a breach of the defendant's obligation to safeguard the protected health information because the defendant did not readily have information as to the contents of the disk drive. As a consequence, the defendant Health Net replicated the entire creation of the disk drive, thus delaying efforts to safeguard or otherwise mitigate the data breach. ” Complaint at 5.
As a result, the inability to readily determine what a lost hard disk contains may be viewed by the CT AG as potential negligence on the part of the data owner, maintainer or receiver in the event of a breach or loss, because the delay incurred in reconstructing the disk's contents in the absence of a log hinders mitigation and notice efforts.
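The disk-log point above is the one control in this action that a practitioner can build directly, so here is an added example of what such a log looks like. This is example code, not anything from the Complaint, the Judgment or Health Net: a small transfer log for removable media in Python. Each copy onto a drive is hashed, verified and recorded in a JSON-lines log kept on the corporate system rather than on the drive, so that a missing drive's contents can be listed from the log instead of being re-created by replaying the copy job, which is exactly the delay the CT AG complained of. The drive IDs, file names, operator name, record fields and log format are this example's own assumptions.

```python
# Added example (not part of the Connecticut complaint or judgment): a transfer
# log for removable media. Every copy onto a drive is recorded, with a hash, in
# a JSON-lines log kept on the corporate system, so that a missing drive's
# contents can be read from the log instead of re-created. Drive IDs, file
# names, field names and the log format are this example's own assumptions.
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large scanned batches stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_to_drive(src: Path, drive_root: Path, drive_id: str,
                  operator: str, log_path: Path) -> dict:
    """Copy src onto the drive and append one manifest record to log_path.

    The record is written only after the copy is verified against the source
    hash, so the log never claims a file reached the drive when it did not.
    """
    dst = drive_root / src.name
    shutil.copy2(src, dst)
    digest = sha256_file(dst)
    if digest != sha256_file(src):
        dst.unlink(missing_ok=True)
        raise IOError(f"copy of {src} to {drive_id} did not verify")
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "drive_id": drive_id,
        "operator": operator,
        "src": str(src),
        "dst": str(dst),
        "bytes": dst.stat().st_size,
        "sha256": digest,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def drive_contents(log_path: Path, drive_id: str) -> list:
    """Answer 'what is on drive X?' from the log alone; the drive is not needed."""
    records = []
    with log_path.open(encoding="utf-8") as f:
        for line in f:
            if line.strip():
                rec = json.loads(line)
                if rec["drive_id"] == drive_id:
                    records.append(rec)
    return records


def inventory(records: list) -> dict:
    """Summarise one drive's records: the numbers a breach team needs on day one."""
    return {
        "files": len(records),
        "bytes": sum(r["bytes"] for r in records),
        "sources": sorted(r["src"] for r in records),
    }


def run_demo(workdir: str = None) -> dict:
    """Build constructed sample files, copy them to two simulated drives, then
    reconstruct the inventory of the first drive from the log."""
    base = Path(workdir or tempfile.mkdtemp(prefix="xferlog-"))
    share, drive1, drive2 = base / "share", base / "drive_01", base / "drive_02"
    for d in (share, drive1, drive2):
        d.mkdir(parents=True, exist_ok=True)
    # Constructed sample content; the first file is the SHA-256 test vector "abc".
    (share / "claims_batch_01.pdf").write_bytes(b"abc")
    (share / "members.csv").write_bytes(b"member_id,name\n1001,constructed sample\n")
    log = base / "removable_media.log"          # lives on the server, not the drive
    for name in ("claims_batch_01.pdf", "members.csv"):
        copy_to_drive(share / name, drive1, "PORTABLE-01", "ops", log)
    copy_to_drive(share / "members.csv", drive2, "PORTABLE-02", "ops", log)
    recs = drive_contents(log, "PORTABLE-01")
    return {"log": str(log), "records": recs, "summary": inventory(recs)}


if __name__ == "__main__":
    print(json.dumps(run_demo()["summary"], indent=2))
```

Run stand-alone, it prints the inventory of the first drive (two files, 42 bytes, their source paths). The ordering is the point: the record is appended only after the destination hash matches the source, so the log never overstates what reached the drive, and drive_contents answers the "what was on it?" question without the drive in hand. The same log also covers the later CAP item of logging uploads and downloads, and if a drive is recovered the stored hashes let you check whether anything on it was altered.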
Corrective Action Plan. A substantial portion of the eighteen page Judgment is devoted to detailing the Corrective Action Plan (“CAP”) Health Net now operates under. And the ongoing costs, expenses and efforts of fulfilling this CAP will be added on top of the $7 million spent as of the Judgment. Notable items from the CAP include:
• Completion of notice to all members and Connecticut residents whose PI or PHI was on the disk. Judgment at 7-8;
• Two years of credit monitoring services through Debix, including credit monitoring by TransUnion and credit restoration services for confirmed identity thefts, reimbursement for security freezes and unfreezes, and $1,000,000 of “Personal Internet Identity insurance.” Judgment at 8-9;
• Enhancing its existing security and privacy program to include hardware/software sitting between Health Net's email services and e-mail clients, designed to identify email and attachments containing PHI or PI and then to “automatically encrypt email containing such identified information prior to transmission.” Id.;
• Installation of technology to restrict the transfer of PHI and PI to removable media, sufficient to comply with HIPAA standards. Judgment at 9;
• Implementation of technology to identify where PHI and PI reside on its systems and to log actual and attempted access to any such PHI and PI, as well as any upload or download of PHI/PI from a desktop or laptop (with a start date for implementation of Oct. 1, 2010). Id.;
• Encryption of all laptop and desktop hard drives. Id.;
• Improved IT oversight, including assignment of an “Information Security Analyst” to each new IT project, with assessment duties reporting directly to Health Net's Manager of Information Security. Judgment at 10;
• Requiring all “Business Associates”, as defined by HIPAA (see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html; see also 45 CFR 160.103, available here), to execute “HIPAA compliant Business Associate Agreements”. Id. (See also my colleague Tanya Forsheit's series of FAQs on the Proposed Modifications to the HIPAA Rules - Part One here; Part Two here);
• Supplemental education and training of employees by the Information Security team on encryption, storage and removable media, delivered via Health Net's “online Learning Management System”. Id.;
• Requiring Health Net's CIO to include “information security” as a regular agenda item at the department's “Monthly IT All Hands” meetings. Id.;
• Requiring Health Net's IT department to cover a “wide variety of information security topics in its monthly IT Awareness Newsletter” distributed to all employees. Judgment at 11;
• Providing all new employees with a one-page laminated information sheet covering policies and procedures governing PHI protection. Id.;
• Showing all new employees during orientation a DVD detailing their expected information security responsibilities. Id.;
• Training all new employees on HIPAA privacy and security requirements, “including incident response procedures.” Id.;
• Conducting annual HIPAA training for all Health Net employees, with electronic tracking of each employee's completion of the training. Id.;
• Holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI.” Judgment at 12;
• Providing semi-annual updates to its initial status report (no end date for these updates is provided in the Judgment) and compliance documentation as reasonably requested by the CT AG, with such documentation to be maintained for at least six years. Judgment at 13.
Further, the Judgment also provides Health Net is to pay $250,000 to the Connecticut General Fund with another $500,000 contingent payment to the State of Connecticut if Debix determines, before November 30, 2011, that any data on the missing disk was accessed and misused or any claims are made on Debix's insurance policy linked to misuse of the lost disk drive. Judgment at 13-14.
There's little doubt that, while Connecticut's Attorney General has been the first to reach a settlement of this type, the forty-nine other Attorneys General have taken notice. Stay tuned.
LINKS:
Complaint: http://tinyurl.com/ILG-HealthNet-Complaint
Stipulated Judgment: http://tinyurl.com/ILG-HealthNet-Judgment
Docket Report: http://tinyurl.com/ILG-HealthNet-Docket
The Breach Notification Obligations in the Data Accountability and Trust Act
The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".
In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law. DATA is interesting because it appears to create opposing breach notice incentives. On the one hand, there are mechanisms that could lead to less breach reporting, including:
- a "risk of harm" standard that is likely higher than many existing State laws;
- preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
- mandating call center and credit monitoring costs (these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).
On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation. Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.
How these factors would play out is unclear and up for debate. However, what is even more unclear is whether DATA will ever be made into a law. The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version. Consumer advocates will likely have concerns about the higher risk of harm threshold in the law. On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs. Moreover, the penalties for non-compliance may be problematic, especially for smaller and medium organizations. As such, should DATA become a law, it is likely to differ from this version.