Location, Location, Location
Tanya Forsheit recently appeared on Fox to discuss the Supreme Court’s evaluation of GPS surveillance under the Fourth Amendment in US v. Jones. The case raises important issues regarding technology, aggregation of data, and privacy expectations with respect to location information.
NLRB Holds "Facebook" Firing Justified on Alternative Grounds, but Finds Policy Unlawful
As we have discussed on our blog, the National Labor Relations Board (NLRB) has continued a campaign of enforcement actions against employers who, according to the NLRB, have unlawfully terminated employees for discussing working conditions on social media. As we reported, in the first of such “Facebook” enforcement actions to come before an NLRB administrative judge, the employer was ordered to reinstate five employees and to pay back their wages.
On September 28, 2011, in the second “Facebook” case to reach an NLRB administrative judge, an employer was found to have been justified in terminating an employee car salesman for Facebook postings that mocked the employer and did not concern working conditions.
NLRB Allegations
In this proceeding, the NLRB alleged that the employer – a car dealership – fired a salesman in violation of the National Labor Relations Act (NLRA) for criticizing on Facebook the quality of a dealership sales event. According to the NLRB complaint, the dealership held a sales event to promote a new vehicle model. After the event, the salesman posted photos and commentary on his Facebook page mocking the dealership for serving hot dogs and bottled water at a sales event for a luxury car. Other employees had access to and commented on the Facebook page. The NLRB alleged the dealership managers fired the salesman after they learned of his critical Facebook posts. The NLRB argued that the firing violated Section 8(a)(1) of the NLRA, which deems it an unfair labor practice for an employer to interfere with, restrain, or coerce an employee in the exercise of the employee’s NLRA Section 7 right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”
The dealership argued, however, that it terminated the salesman not for criticizing the sales event, but rather for posting on Facebook pictures of “bloopers” from another dealership owned by the salesman’s employer. The pictures showed a customer’s 13-year-old son driving a brand new luxury SUV from the dealership into a pond, which the salesman captioned as “This is your car: This is your car on drugs.”
Decision
Dealership Sales Event
The judge agreed with the NLRB that the salesman’s Facebook posts criticizing the sales event were protected by Section 7 of the NLRA in part because the employees expressed their concerns before the salesman posted the event-related photos and commentary on Facebook. The judge reasoned that “[t]he lone act of a single employee is concerted if it ‘stems from’ or ‘logically grew’ out of prior concerted activity.” The judge also found that the inadequate refreshments offered at the sales event, “could have had an effect on [the salesman’s] compensation,” deeming them an appropriate object of discussion. In finding the activity protected, the judge was undeterred by the posts’ “mocking and sarcastic tone,” noting that the NLRB’s general position is that “unpleasantries uttered in the course of otherwise protected concerted activity do not strip away the [NLRA’s] protection.”
SUV in the Pond
The judge, however, ruled that the firing was nevertheless justified because the salesman’s Facebook posts depicting the luxury SUV in a pond were not entitled to NLRA protection. The judge found that the salesman posted about the accident “as a lark” without any discussion with other employees and, more importantly, the posts had no connection to any of the terms and conditions of the salesman’s employment. Based on testimony from both parties, the judge determined that the dealership fired the employee solely for the accident-related posts and, therefore, did not violate the NLRA.
Employee Policy
The judge also ruled on the NLRB’s allegation that the dealership’s employee policy provisions were overly broad in violation of the NLRA. The NLRB challenged the policy’s statements that: (a) “[a] bad attitude creates a difficult working environment and prevents the [d]ealership from providing quality service to our customers” and (b) “[n]o one should be disrespectful or use profanity or any other language which injures the image or reputation of the [d]ealership.” Paragraphs (c) and (d) broadly prohibited employees from participating in interviews or responding to inquiries concerning employees.
The judge held that paragraph (a) was lawful, as it “would reasonably be read to protect the relationship between [the dealership] and its customers, rather than to restrict the employees’ [NLRA] Section 7 rights.” Noting that the dealership sold luxury cars, the judge held that “a dealer in that situation … has the right to demand that its employees not display a bad attitude toward its customers.”
The judge agreed with the NLRB that paragraph (b) was unlawful because it could reasonably be interpreted as curtailing Section 7 rights. The judge cited NLRB precedent finding unlawful a similar employer-created rule that prohibited “insubordination … or other disrespectful conduct” because it chilled employee rights.
As for paragraphs (c) and (d), the judge stated that if employees complied with these restrictions, “they would not be able to discuss their working conditions with union representatives, lawyers, or Board agents.” The judge held that paragraphs (c) and (d) were clearly unlawful as they explicitly restricted activities protected by Section 7 of the NLRA.
Although the dealership had rescinded paragraphs (a) through (d) of its employee policy prior to the hearing, the judge held that simply rescinding the provisions was insufficient to relieve the dealership of liability. Accordingly, the dealership was ordered to post a notice informing employees of their right to engage in protected concerted activity.
Our Take
While ultimately favorable for the employer, the decision in this second Facebook firing case is consistent with the positions on employee rights that the NLRB has articulated in its recent enforcement actions. Another important takeaway from the decision is the judge’s finding that policies that chill employees’ rights under Section 7 of the NLRA are unlawful on their face, regardless of whether an employer actually enforces the policy or the manner in which the policy is enforced. This ruling further emphasizes the importance of reviewing and, as appropriate, revising employee policies to ensure consistency with the NLRB social media guidance.
Additional Law Enforcement Group Endorses PCIPA's 18-Month Mandatory IP Address Retention for ISPs
In the wake of H.R. 1981, the “Protecting Children from Internet Pornographers Act of 2011” (PCIPA), proposed May 25, 2011 by U.S. Representatives Lamar Smith (R-Texas), the head of the House Judiciary Committee, and Debbie Wasserman Schultz (D-Fla.), the National Sheriffs' Association, an organization representing 3,000+ Sheriff's offices around the country, announced in testimony before Congress that it supports the PCIPA's provision to amend 18 U.S.C. 2703 to mandate that ISPs and providers of electronic communication services retain customer IP address records for at least 18 months after issuance.
The proposed PCIPA has raised eyebrows by providing a broad carveout for wireless carriers, and the additional data has been called a potential ripe target for hackers by privacy organizations in other testimony before the House Judiciary Committee. (See also, Bill to Curb Child Porn May Feed Hacking Frenzy, Critic Says, July 11, 2011).
The announcement and testimony by the National Sheriffs' Association, in connection with hearings held today by the House Committee on the Judiciary, mark the latest law enforcement agency and organization to join the call for additional IP data tracking and storage. The InfoLaw Group will continue to closely monitor developments on this bill. To discuss the PCIPA's potential ramifications on your data storage activities, feel free to contact me or any of the attorneys at the InfoLaw Group. We will be issuing alerts when further developments of interest are announced.
"Privacy by Design": A Key Concern for VCs and Start-Ups
(co-authored by Nicole Friess, Esq.)
The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced their "Commercial Privacy Bill of Rights" which adopts some of the FTC’s privacy by design principles, requiring companies to implement privacy protections when developing their products and services. The foundational principles of privacy by design, originally developed by Information and Privacy Commissioner of Canada Ann Cavoukian, address the effects of increasing complexity of data usage. With data now ubiquitously available, as well as processed and stored on a multinational level, privacy by design is becoming internationally recognized as fundamental for the protection of privacy and data integrity.
Although privacy by design isn’t set in stone (yet), start-up companies seeking to collect and use personal information as part of their business plan may want to consider incorporating privacy by design into their everyday business practices. Similarly, as part of their due diligence process, venture capital firms scrutinizing startups seeking to leverage personal information would be well-advised to determine if privacy is being “baked into” the products and services being offered by such startups. It may be both difficult and costly for companies to implement privacy protections retroactively if privacy concerns are overlooked during the early stages of business planning. Start-ups have the advantage of building privacy protections into their business models from the outset, which can keep those companies out of trouble in the form of litigation or agency enforcement. Privacy-conscious VCs will be more inclined to fund start-ups that reduce risk by proactively addressing privacy issues and potential liability. In turn, VCs that scrutinize whether privacy is part of a start-up’s business plan will be able to better protect their investment (and their investors).
So what does privacy by design mean? How can start-up companies incorporate privacy by design principles into their business practices to attract VC funding? How should privacy and security legal risks (and solutions) be written into a start-up’s business plan? This post tries to answer these questions.
Step 1 - Understand Your Business Model.
Privacy by design advances the view that privacy assurance should be companies’ default mode of operation. To build privacy protections into a business model, organizations (particularly entrepreneurs seeking VC funding) should know their business models better than anyone else. Companies must understand how they will interact with consumers at every step of each transaction when products and services are under development. From consumer solicitation to the sale of products or services, an entrepreneur should consider evaluating whether and how his or her company collects, maintains, shares, or otherwise uses consumer data. Entrepreneurs may want to conduct a run-down of any and all data involved in their business transactions, including personal consumer data (names, addresses, credit card information, etc.) as well as any other information that can be linked to a specific consumer, computer, or other device. A keen understanding of the technology used by the start-up is also crucial as the functionality provided by such technology (or the lack of certain functionalities) may impact privacy, including the ability of consumers to make decisions about their personal information. By understanding the data and technology involved at each step of the way, entrepreneurs will be more likely to spot potential risks their companies face. Companies that fully understand the scope of the data they collect and how that data is handled will be in better positions to address consumer concerns and respond to objections. Most importantly, they will be in a better position to address legal requirements and build privacy into their products and services from the outset.
Step 2: Understand Your Market.
Really understanding your business model also means understanding the market - including the wants and needs of target consumers and the privacy-related activities of similarly situated companies. Consumers are increasingly wary of privacy issues triggered by their online participation. Start-ups may want to tailor their approach to privacy issues based on their target audience, as various studies show that different subsets of the population may have different privacy expectations and concerns.
For example, a Webroot study concluded that mobile device users over the age of 39 are more concerned about the possible risks associated with geolocation tools compared to 18- to 39-year-olds. Teens may be beginning to respond to privacy concerns online – TRUSTe found that about 64% of teens use privacy controls on social networks. The platform for personal information collection, storage and processing may also impact the scope of consumer concerns. A new report from the market research firm Nielsen confirms that many Americans have strong concerns about losing some privacy by using location-based mobile services. According to the report, 59 percent of women and 52 percent of men reported having privacy concerns with location-based services and check-in apps. Only 8 percent of women and 12 percent of men reported that they are not concerned with the privacy implications of location-based services and check-in apps.
Consumer outcry and regulatory pressure have forced companies such as Facebook and Google to change their practices, offering consumers privacy controls that are simpler and easier to use. However, while many studies and surveys conclude that people are worried about privacy, people continue to use social media sites, location-based apps, and check-in services despite their concerns. From a market point of view, it’s important for companies to attempt to determine the privacy protections consumers want, as well as what practices may be deemed invasive and “over the line” which could result in backlash.
Determining whether products and services are “over the line” is also valuable for attracting business deals and securing investments. According to a report by the Ponemon Institute, privacy issues have prompted marketers to use online behavioral advertising 75% less than they would otherwise. However, in a previous post we noted that despite consumer concerns, Internet tracking companies continue to secure new investments from VC firms. Recently, a Wall Street Journal article noted that VCs in Silicon Valley are dumping money into social start-ups promoting mobile apps. If they haven’t already, VCs may begin to factor privacy concerns into their due diligence process to avoid future consumer and agency backlash that could potentially devalue their investments. As such, incorporating privacy by design - assessing privacy issues and implementing privacy protections every step of the way – may help attract funding and avoid potential liability.
Understanding the market also means understanding the competition. From start-ups to major market players, many companies are offering privacy protective products and services in response to consumer demand. Companies should conduct thorough due diligence regarding the data practices of established, similarly-situated companies. And a thorough understanding of the market isn’t only about evaluating competitors that exist today – companies would be wise to consider what potential business combinations could become competitors in the future.
Step 3 – Understand the Legal Risk Environment.
Keeping tabs on the privacy legal landscape is important for companies and investors looking to capitalize on consumer demand, particularly those interested in tapping into online markets. Additionally, agency enforcement is on the rise. As such, researching the legal and regulatory environment is a crucial part of due diligence for entrepreneurs and VCs alike.
Multiple privacy bills from both the House and the Senate have recently been introduced. In February, Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011” that would give the FTC authority to establish an online do-not-track system, giving consumers the ability to prevent the collection and use of data on their online activities. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” in April, which would give the FTC significant authority to create rules as to how businesses collect, use, transfer and maintain personal information (for a summary of the bill, click HERE). This month, Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011,” which would create a "universal legal obligation" for companies to honor users' opt-out requests on the Internet and mobile devices, and would give the FTC the power to take action against companies that don't comply. Also this month, Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX) introduced a draft of the “Do Not Track Kids Act of 2011” which would prohibit companies from tracking children on the Internet without parental consent, restrict online marketing to minors and require an "Eraser Button" that would allow parents to eliminate kids' personal information already online. An underlying policy of all of this proposed legislation is the idea that companies should be required to give consumers more notice about the information that is being collected about them, as well as the ability to control such collection.
While much attention has been given to privacy and security legislation at the federal level, there has been a renewed sense of vigor on the state level as well. The privacy legal risk environment is constantly in flux, and the state of law may vary by jurisdiction. For example, Hawaii’s information privacy proposed bill would require breached entities to provide credit monitoring and call center services to impacted individuals. In Colorado, a proposed bill takes a new approach to incentivizing companies to implement good security (for a summary of the bill, click HERE).
This year has also seen an explosion of privacy-related litigation (the RockYou data breach litigation, Amazon privacy litigation, suits involving online tracking, cookies, history sniffing, etc.) as well as agency enforcement actions (Playdom, Google Buzz, Ceridian/Lookout, GunnAllen, etc.). The end results of agency enforcement and privacy-related lawsuits are bound to impact what the government and the public consider “acceptable” from a privacy point of view.
It can be difficult and time-consuming to navigate the legal and regulatory privacy environment, and companies are encouraged to seek the advice of experts to identify potential privacy legal risks. In many cases, proactively addressing privacy concerns requires careful analysis and prognostication based on the bills, laws, lawsuits and regulatory actions that are in play. Oftentimes, after careful analysis, potential trends and commonalities can be gleaned that can help companies anticipate where the privacy legal environment is going. If the legal risks are identified early and companies keep up-to-date regarding their responsibilities, mechanisms can be built into products and services to allow for compliance with the current legal framework. For example, building in consumer opt-outs of data collection and honoring such requests, as well as encrypting any sensitive personal information collected, are proactive measures that may be used to provide companies with flexibility to adjust to changing legal requirements.
Step 4 – Integrate Privacy by Design.
It’s easier to tailor privacy and security protections to a company’s everyday business practices, products and services once the company has a comprehensive understanding of its business model, the market, and legal compliance requirements. It is much easier for a startup company to undertake this exercise at the outset of its business planning and product/service development. As part of its privacy by design framework, the FTC urges companies to systematically consider four substantive privacy protections at all stages of the design and development of their products and services:
Data Collection. One key principle of privacy by design is that companies should automatically protect any consumer data handled by default. However a company chooses to handle consumer data, it may want to consider mechanisms that enable consumers to opt out of or opt in to data collection practices (even if those mechanisms are not implemented from the outset). Doing so early will decrease the burden of regulatory compliance if offering opt-in or opt-out consent becomes mandatory. Another key principle of privacy by design encourages companies to handle data in a way that is visible and transparent to the consumer, and that allows companies to honor any representations they make to consumers about their business practices. The FTC has increasingly enforced this principle, settling privacy enforcement actions with Twitter and Chitika for deceptive business practices and with Ceridian and Lookout Services for unfair business practices for failing to safeguard personal employee information, among others. Companies are advised to implement data security protocols and privacy policies and to address the concerns of their consumers. Companies can avoid regulatory enforcement by understanding their commitments to protect consumer privacy, being transparent about their business practices, and adhering to their policies and procedures.
The FTC also emphasizes “minimization” – under this concept, the only consumer data that a company should collect is that which is needed to accomplish legitimate business goals. If a company has internal systems and networks, it should consider whether data is routinely saved by default if there is no legitimate business need to do so. By limiting the scope and amount of consumer data collected, companies reduce potential harms that can result in the event of a breach. The information companies need to collect wholly depends on their business model and the consumer data needed to make it work.
Security for Consumer Data. Many companies that conduct internal evaluations of their data practices will conclude that they maintain consumer data in one form or another. Companies that maintain consumer data can proactively employ physical, technical, and administrative safeguards to protect that information. As the FTC notes, the level of security required depends on the sensitivity of the data a company maintains, the size and nature of a company’s business operations, and the types of risks a company faces. A number of federal and state laws require companies to actively protect the data they maintain, and the FTC is increasingly bringing enforcement actions against companies for their failure to do so.
Maintaining adequate security for consumer data helps companies avoid potential lawsuits and FTC enforcement actions in the event of a breach, and mitigates other attendant consequences such as lost productivity and service interruptions. It also helps reduce the possibility that the enormous costs of responding to a breach will be incurred. Symantec Corporation and the Ponemon Institute estimate that the average organizational cost of a data breach in 2010 was $7.2 million and cost companies an average of $214 per compromised record.
To prevent security breaches, data loss, and other headaches, companies can proactively assess their baseline security measures. Again, a company’s thorough understanding of its business model is key in identifying potential protection gaps. Entrepreneurs and established market players alike would be wise to inventory their information assets, and understand where those assets are stored and how they’re accessed. Start-up companies can attempt to forecast their need for antivirus software, firewalls, virtual private networks (VPNs), and intrusion prevention mechanisms to protect their information assets in the face of internal and external risks. The FTC advises companies to use privacy-enhancing technologies such as identity management, data tagging tools, and Transport Layer Security/Secure Sockets Layer (“TLS/SSL”) or other encryption technologies, particularly if a company is handling sensitive consumer data. Start-ups may want to consider their plans for growth and assess whether their network security measures will be able to accommodate increased network traffic or advanced applications without disrupting service.
Data Accuracy. Privacy by design emphasizes that companies should strive to collect accurate consumer data, and that companies ought to implement mechanisms so that consumers can correct the information that companies collect about them, particularly when sensitive data is involved. Kerry and McCain’s "Commercial Privacy Bill of Rights" would require companies that collect data to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution. Regardless of whether such a requirement is codified, companies – particularly start-ups – may want to anticipate and plan for data correction procedures as well as any attendant costs.
Data Retention and Disposal. Companies can retain data for increasingly long periods of time due to the dramatically decreasing cost of data storage. A concern shared by the FTC and privacy advocates is that companies that retain data for long periods of time invent new, secondary uses for the data that consumers didn’t anticipate when they provided the data in the first place. To promote transparency and consumer notice, companies are encouraged to retain consumer data for only as long as they have a specific business need to do so. Companies are also encouraged to safely dispose of data no longer being used to further a specific business need. The "Do-Not-Track Online Act of 2011" would require online companies to destroy or anonymize personal information after it's no longer needed. We have already seen the concept of limited data retention becoming a regulatory principle in the European Union.
Conclusion
As consumers express an increased demand for privacy protections, entrepreneurs should ask themselves if their products and services provide consumers with notice and choice as to how their data is collected and handled, and tailor their business practices accordingly. Companies are wise to understand their business model and the market in order to tailor their products and services accordingly.
Consumer outcry has caused companies such as Google and Facebook to retroactively change their privacy practices – a process that can be costly, with unnecessary attendant negative publicity. Anticipating and preventing privacy violations before they happen mitigates the risk that such invasions will occur as well as the costs of remediation. This means having a thorough understanding of the privacy legal risk environment. Doing so is difficult as the environment is in upheaval; therefore, companies would be wise to seek professional advice to navigate the legal and regulatory landscape at both the state and federal level.
A start-up company has the advantage of being able to develop and implement a privacy program early, and bake privacy into the design of its products and services, thereby ensuring that these substantive privacy protections become a foundational part of its business model. Employees can be trained early regarding the need for privacy and network security, which helps foster a consumer-protective enterprise culture. Privacy by design makes privacy an essential component of the core product or service a company delivers. Spotting privacy issues and addressing concerns before launch aligns products and services with consumer expectations and can save everyone – entrepreneurs and VCs alike – from future headaches.
Senate Subcommittee Holds Hearing on Mobile Privacy
On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy. The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.
Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.
Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.
The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:
Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC
- The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
- The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
- Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers to understand and choose how their data is used.
Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ
- Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
- While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
- Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.
The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:
Ashkan Soltani, Independent Researcher and Consultant
- The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
- Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.
Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology
- Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
- While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
- The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. The only things providers can’t do are things the providers have promised they won’t do.
Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.
- Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
- Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
- Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.
Alan Davidson, Director of Public Policy, Americas, Google Inc.
- Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
- Every third-party app must notify users that the app will access location data and obtain the user’s consent before the app is installed on the user’s device.
- Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.
Jonathan Zuck, President, Association for Competitive Technology
- Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.
Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement have not kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.
To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.
Kerry Releases Draft of "Privacy Bill of Rights"
A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.
Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.
Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”
Some information is always considered PII of the individual to whom it pertains, including:
- First name (or initial) and last name;
- Residential address;
- E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
- Telephone or mobile device numbers other than those considered work contact numbers;
- Social security numbers and other government-issued identification numbers;
- Credit card numbers;
- Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
- Biometric data, including fingerprints and retina scans.
If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:
- Birth date, birth or adoption certificate number, or place of birth;
- Unique persistent identifiers (not limited to those used to identify a specific individual);
- Precise geographic location; and
- Any other information concerning an individual that may “reasonably be used to identify that individual.”
UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”
Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.
Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information, as well as notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:
- The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
- The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
- The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.
The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.
Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.
Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.
A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.
Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:
- To process a transaction or service requested by that individual;
- To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
- To prevent or detect fraud or to provide for a secure environment;
- To investigate a possible crime or that is required by law or legal process;
- To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
- Necessary for the improvement of the transaction or service through research and development; or
- Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.
Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.
Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.
Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.
With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).
FAQ on the "BEST PRACTICES Act" - Part Two
We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (a.k.a. the “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, various exemptions for de-identified information, and application and enforcement of the Act.
What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?
This appears to be a novel mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self-regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:
- the express affirmative consent obligations in 104(a);
- the requirements of access to information under section 202(b) of the Act; or
- liability in a private right of action brought under section 604 of the Act (discussed below).
Avoidance of the Act’s private right of action is especially significant in this context.
How does the “Choice Program” work?
It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a. Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modification must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision or failure to act within the 270-day period to a U.S. District Court.
The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.
This section is very interesting as it appears to allow for some regulatory flexibility and recognizes the limitations of a one-size-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more closely fits their business model/industry (while of course still providing the protection and choice the Act seeks to impose).
What are the requirements of a Choice Program under section 403 of the Act?
In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:
- a clear and conspicuous opt-out mechanism that, when selected by the individual, prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable individuals to make more detailed choices about the transfer of covered information to a third party; and
- a clear and conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preferences would have to be followed by all covered entities in the Choice Program.
I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entities can agree to provide individuals with a set of choices, the individual does not have to constantly make a choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between businesses and individuals seeking to protect their privacy and more efficiently control their information.
In addition, a Choice Program will be approved by the FTC only if it establishes:
- Guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;
- Procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process);
- Procedures for periodic assessment of the Choice Program’s procedures;
- Periodic compliance testing of covered entities participating in the Choice Program; and
- Consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC).
Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body to be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.
Are there any types of information or activities exempted from regulation by the Act?
Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:
- Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or
- Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).
May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?
Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:
- refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information; and
- obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.
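The two “reasonable steps” above, and the section 501(a)(2) standard of “no reasonable basis to believe that the information can be used to identify the specific individual,” are easier to reason about with a concrete de-identification routine in front of you. The following is an added example (not code from the Act, the FTC, or any covered entity) that replaces direct identifiers with a keyed pseudonym, produces aggregate counts, and flags rows whose remaining fields are so rare that they could still single someone out. The records, field names, and key are constructed for the illustration; keeping the key off the released data set is what gives “refraining from disclosing the algorithm or other mechanism” its teeth, because a recipient who only has the output cannot regenerate the mapping by hashing guessed names or e-mail addresses.

```python
"""De-identification of records before release to a third party (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed records standing in for covered information held by a covered entity.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "06484", "plan": "HMO"},
    {"name": "Bob Example", "email": "bob@example.com", "zip": "06484", "plan": "PPO"},
    {"name": "Carol Example", "email": "carol@example.com", "zip": "06401", "plan": "HMO"},
]
DIRECT_IDENTIFIERS = ("name", "email")          # fields that are always PII here
QUASI_IDENTIFIERS = ("zip", "plan")             # not PII alone, but identifying in combination


def pseudonym(value, key):
    """Keyed hash (HMAC-SHA256) of an identifier.

    The key is the 'mechanism used to obscure' that stays with the covered entity.
    Without it a recipient cannot rebuild the mapping, so the same input yields a
    stable token for joins but is not reversible from the released data alone.
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key):
    """Drop direct identifiers, keeping one pseudonymous record key per row."""
    released = []
    for r in records:
        row = {"record_key": pseudonym(r["email"], key)}
        row.update({k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS})
        released.append(row)
    return released


def aggregate(records, field):
    """Aggregate information in the section 501(a)(1) sense: counts per category, no rows."""
    return dict(Counter(r[field] for r in records))


def contains_direct_identifier(records):
    """Release-time check: refuse to ship rows that still carry a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


def rare_combinations(records, quasi_fields=QUASI_IDENTIFIERS, k=2):
    """Combinations of quasi-identifiers shared by fewer than k rows.

    A row that is the only one with its ZIP/plan pair can be re-identified by anyone
    who knows those two facts about a person, so such rows need generalization
    (e.g. a 3-digit ZIP) or suppression before there is 'no reasonable basis' to
    believe the data identifies an individual. Assumed threshold k=2 for the demo.
    """
    counts = Counter(tuple(r[f] for f in quasi_fields) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-secret"
    out = deidentify(RECORDS, key)
    print("released rows:", out)
    print("plan counts:", aggregate(RECORDS, "plan"))
    print("still identifying:", rare_combinations(out))
```

Running the module with the constructed key releases three rows without names or e-mails and reports that every ZIP/plan pair is unique, which is the signal that pseudonymization alone is not enough for this data set and the ZIP column should be coarsened before it leaves the covered entity.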
Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?
Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from information stripped of identifying information (as referenced in section 501(a)(2)). In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.
How does the Act relate/interact with other Federal privacy laws?
Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, the CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts may find themselves with the need to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.
How is the Act to be enforced by government agencies?
Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I – III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.
Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general, penalties may be available for every day that a covered entity is not in compliance with the Act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.
Does the Act provide a private right of action?
Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:
- the greater of actual damages of not less than $100 and not more than $1000;
- punitive damages; and
- in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.
Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.
Does the Act preempt similar State laws?
The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information addressed in the Act.” However, the Act specifically would not preempt any of the following State laws:
- State laws that address the collection, use or disclosure of health information or financial information;
- State breach notice laws;
- State trespass, contract or tort law; or
- Other State laws to the extent that those laws relate to acts of fraud.
When would the Act come into effect if passed into law?
The Act, if passed, will take effect 2 years after the date it is enacted. However, the FTC has the option to stay enforcement of the Act in order for the FTC to establish the parameters of the Choice Program under title IV.
Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
Background.
The Judgment was the end result of a year-and-a-half-long action brought by Connecticut Attorney General Richard Blumenthal (“CT AG”) on Jan. 13, 2010 against Health Net. (See Attorney Gen v. Health Net of NE Inc., et al., complaint available here).
The CT AG alleged Health Net was responsible for “failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and [for failing to] promptly notify consumers endangered by the security breach" because a terabyte portable hard disk had been either lost or stolen at Health Net's Shelton, CT offices. (See CT AG Press Release, available here). The disk was later determined to contain “27.7 million scanned pages of over 120 different types of documents such as insurance claims forms, membership forms, appeals and grievances, correspondence and medical records” of 1.5 million past and present members of Health Net administered plans, including 538,470 Connecticut residents. As the data on the disk was neither encrypted nor protected from access by unauthorized persons or third parties, this loss, according to the CT AG, violated HIPAA's security standards and privacy rules, as contained in HIPAA, as provided in 45 CFR 160 and 164 Subparts A, C and D. (See 45 CFR 160, available here; 45 CFR 164, available here; see also, HITECH ACT, Sections 13402(a) and (b), available here).
The Complaint.
The Complaint claimed Health Net violated a litany of HIPAA provisions and:
“a. [] failed to ensure the confidentiality and integrity of electronic protected health information it created, receives, maintains, and transmits in violation of 45 CFR 164.306(a)(1).
b. Defendants failed to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights in violation of 45 CFR 164.312(a)(1).
c. Defendants failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility to maintain their security in violation of 45 CFR 164.310(d)(1).
d. Defendants failed to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 CFR 164.308(a)(1).
e. Defendants failed to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity in violation of 45 CFR 164.308(a)(6)(ii).
f. Defendants failed to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information in violation of 45 CFR 164.306(a)(2).
g. Defendants failed to protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 CFR 164.306(a)(3).
h. Defendants failed to ensure compliance with the HIPAA security standard rules by its workforce in violation of 45 CFR 164.306(a)(4).
i. Defendants impermissibly and improperly used and disclosed protected health information that is and remains accessible to unauthorized persons in violation of 45 CFR 164.502 et seq.
j. Defendants failed to effectively train all members of its workforce (including independent contractors involved in the data breach) on the policies and procedures with respect to protected health information as necessary and appropriate for the members of its workforce to carry out their functions and to maintain security of protected health information in violation of 45 CFR 164.530(b) and 45 CFR 164.308(a)(5).
k. Defendants’ policies and procedures establishing physical and administrative safeguards were not adequately designed to appropriately and reasonably safeguard protected health information in violation of 45 CFR 164.530(c).
l. Defendants did not maintain an effective and appropriate sanctions policy for members of its workforce (both employees and independent contractors) who failed to comply with the policies and procedures for the protection and safeguarding of protected health information in violation of 45 CFR 164.530(e).”
In addition, the CT AG alleged Health Net's actions constituted unfair trade practices in violation of Conn. Gen. Stat. §42-110b (a/k/a “CUTPA”, with civil penalties of up to $5,000 per willful violation), and that the loss of the personal information was a “breach of security”, as defined by Conn. Gen. Stat. 36a-701b(a). Further, the Complaint alleged Health Net delayed disclosing the breach within the meaning of Conn. Gen. Stat. §36a-701b(b) (“Such disclosure shall be made without unreasonable delay . . . to identify the individuals affected, or to restore the reasonable integrity of the data system.”).
Finally, as relief, the CT AG sought: (a) a preliminary and permanent injunction from any further such violations by Health Net; (b) statutory damages for all violations (pursuant to 42 U.S.C. §1320-5(d)(1)(A)); (c) an injunction against further violations of CUTPA and Connecticut's data breach statute; (d) civil penalties pursuant to CUTPA; and, of course, (e) attorneys' fees.
The Judgment.
After a year and a half, with a docket replete with motions to extend the defendants' time to answer the complaint and motion for preliminary judgment, the action came to a sudden head in early July with the CT AG's “Motion for judgment upon stipulation” which in the course of two days was reviewed, approved and entered as the Judgment bringing the action to a close. (See Docket here).
The Judgment maps out a rather onerous plan of "Corrective Action" and details a variety of additional facts, beyond those in the Complaint, that serve as a warning beacon as to practices to avoid as well as those to consider and follow.
$7 Million and Counting. As if to confirm that data breaches are not only costly, but distracting, time consuming and sure to be splashed on the front pages, the Judgment notes that Health Net, during its investigation and response, engaged at least three consultants at a cost, presumably including Health Net's own time and efforts, “exceeding $7,000,000 to investigate the circumstances surrounding the missing portable disk drive, to notify Health Net Members, and to offer credit monitoring services and identity theft insurance.” Judgment at 6. The consultants included: Kroll, Inc., to forensically recreate the disk and determine what the missing disk contained; Navigant Consulting, Inc., to data-mine the recreated disk and identify Health Net members and Connecticut residents; and, finally, Debix, Inc., to notify the affected members, 538,470 Connecticut residents, and to run a “dedicated call center to address their questions and concerns, and to provide credit monitoring services....” Id. Anyone handling PHI should carefully weigh the above sobering list of costs against any hesitation to purchase and install full disk encryption across the enterprise.
Disk Logs. In addition, one item that can be gleaned from this action, both from the Complaint and the Judgment, is that any portable hard drive which could, conceivably, under any circumstances, contain PII or PHI should, according to the CT AG's office, be set up such that the OS or suitable third party software creates and maintains a “log file of the collection and transfer of [] data transferred to the disk drive.” Id. at 7.
Why a log file? The Complaint noted that:
"when the disk was discovered missing, the defendant Health Net's failure to create a log file further increased the risk of disclosure of the protected health information … and constituted a breach of the defendant's obligation to safeguard the protected health information because the defendant did not readily have information as to the contents of the disk drive. As a consequence, the defendant Health Net replicated the entire creation of the disk drive, thus delaying efforts to safeguard or otherwise mitigate the data breach. ” Complaint at 5.
As a result, the inability to readily and quickly determine what a lost hard disk contains may be viewed by the CT AG as potential negligence on the part of the data owner/maintainer/receiver in the event of any breach or loss, because the delay incurred in determining the disk's contents in the absence of a log hinders mitigation and notice efforts. The practical point is that the log must be kept somewhere other than the disk itself, and must record enough about each file (what was copied, when, from where, how large it was, and a hash of its contents) that the inventory can be reconstructed without the disk in hand.
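The following Python sketch is an added illustration of the kind of transfer log described above; it is not code from the Health Net matter and the Judgment prescribes no particular tool or format. It records every copy to (and deletion from) a removable drive as a JSON line in a log kept on the host, with size and SHA-256 of each file, and then replays that log to answer "what was on the disk?" after the drive is gone. The file names, contents and directory layout are constructed for the demo and stand in for real PHI exports.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _append(log_path, entry):
    # One JSON object per line; append-only so a later crash cannot truncate
    # earlier records. The log lives on the host, never on the removable drive.
    entry["ts"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def copy_with_log(sources, dest_dir, log_path):
    """Copy each source file onto the drive and log what landed there."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        # Hash the copy on the drive, not the source, so the record
        # describes the bytes that actually left the building.
        entries.append(_append(log_path, {
            "action": "copy",
            "source": os.path.abspath(src),
            "dest": os.path.abspath(dst),
            "size": os.path.getsize(dst),
            "sha256": sha256_of(dst),
        }))
    return entries


def remove_with_log(dest_path, log_path):
    """Delete a file from the drive and record the deletion."""
    os.remove(dest_path)
    return _append(log_path, {"action": "remove",
                              "dest": os.path.abspath(dest_path)})


def inventory_from_log(log_path):
    """Replay the log to reconstruct the drive's current contents
    (path -> last copy record) without access to the drive itself."""
    contents = {}
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            line = line.strip()
            if not line:
                continue
            e = json.loads(line)
            if e["action"] == "copy":
                contents[e["dest"]] = e
            elif e["action"] == "remove":
                contents.pop(e["dest"], None)
    return contents


def demo():
    """Constructed scenario: two fake exports copied to a 'drive', one deleted,
    then the drive is lost and its contents are recovered from the log."""
    work = tempfile.mkdtemp()
    staging = os.path.join(work, "staging")
    drive = os.path.join(work, "removable_drive")
    log_path = os.path.join(work, "transfer.log")
    os.makedirs(staging)
    fake_files = {  # constructed sample data, not real member records
        "members_ct.csv": b"member_id,ssn,dob\n1001,123-45-6789,1970-01-01\n",
        "claims_2009.csv": b"claim_id,member_id,diagnosis\n5,1001,Z00.0\n",
    }
    paths = []
    for name, body in fake_files.items():
        p = os.path.join(staging, name)
        with open(p, "wb") as f:
            f.write(body)
        paths.append(p)
    copy_with_log(paths, drive, log_path)
    remove_with_log(os.path.join(drive, "claims_2009.csv"), log_path)
    shutil.rmtree(drive)  # the drive goes missing
    inv = inventory_from_log(log_path)
    return {os.path.basename(k): v for k, v in inv.items()}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec["size"], rec["sha256"])
```

The replay answers the question the Complaint faulted Health Net for being unable to answer: which files, of what size and with what contents, were on the drive at the moment it was lost. In practice the same record should be produced by the endpoint DLP or removable-media control rather than by the person doing the copying, and the log itself needs access controls and a retention period at least as long as the drive could plausibly resurface.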
Corrective Action Plan. A substantial portion of the eighteen page Judgment is devoted to detailing the Corrective Action Plan (“CAP”) Health Net now operates under. And the ongoing costs, expenses and efforts of fulfilling this CAP will be added on top of the $7 million spent as of the Judgment. Notable items from the CAP include:
• Completion of notice sent to all members and Connecticut residents whose PI or PHI was on the disk. Judgment at 7-8;
• Two years of credit monitoring services through Debix that include credit monitoring by Transunion and credit restoration services for confirmed identity thefts, along with reimbursement for security freezes and credit unfreezes, plus $1,000,000 of “Personal Internet Identity insurance.” Judgment at 8-9;
• Agreeing to enhance its existing security and privacy program to include hardware/software sitting between Health Net's email services and e-mail clients designed to identify email and attachments containing PHI or PI and to then “automatically encrypt email containing such identified information prior to transmission.” Id.;
• Installation of technology to restrict the transfer of PHI and PI to removable media sufficient to comply with HIPAA standards. Judgment at 9;
• Implementation of technology to identify where PHI and PI resides on its systems and that logs actual and attempted access to any such PHI and PI, as well as logging when PHI/PI is uploaded to or downloaded from a desktop or laptop (with a start date for implementation of Oct. 1, 2010). Id.;
• The encryption of all laptop hard drives and all desktop hard drives. Id.;
• Improved IT oversight, including the creation of an “Information Security Analyst” assigned to each new IT project with assessment duties, reporting directly to Health Net's Manager of Information Security. Judgment at 10;
• Requiring all “Business Associates”, as defined by HIPAA (see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html; see also 45 CFR 160.103, available here), to execute “HIPAA compliant Business Associate Agreements”. Id. (See also my colleague Tanya Forsheit's series of FAQs on the Proposed Modifications to the HIPAA Rules - Part One here; Part Two here);
• Implementation of supplemental education and training of employees by the Information Security team on encryption, storage and removable media – with such training to be performed via Health Net's “online Learning Management System”. Id.;
• A requirement that Health Net's CIO include “information security” as a regular agenda item at the department's “Monthly IT All Hands” meetings. Id.;
• A requirement that Health Net's IT department cover a “wide variety of information security topics in its monthly IT Awareness Newsletter” to be distributed to all employees. Judgment at 11;
• Providing all new employees with a one page laminated information sheet covering policies and procedures governing PHI protection. Id.;
• Showing all new employees during orientation a DVD detailing their expected information security responsibilities. Id.;
• Training all new employees on HIPAA privacy and security requirements, “including incident response procedures.” Id.;
• Conducting annual HIPAA training for all Health Net employees with electronic tracking of each employee's completion of the training. Id.;
• Holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI.” Judgment at 12;
• Providing semi-annual updates to its initial status report (no end date for these updates is provided in the Judgment) and compliance documentation as reasonably requested by the CT AG, with such documentation to be maintained for at least six years. Judgment at 13.
The Judgment also provides that Health Net is to pay $250,000 to the Connecticut General Fund, with a further $500,000 contingent payment to the State of Connecticut if Debix determines, before November 30, 2011, that any data on the missing disk was accessed and misused, or if any claims are made on Debix's insurance policy linked to misuse of the lost disk drive. Judgment at 13-14.
There's little doubt that, while Connecticut's Attorney General has been the first to reach a settlement of this type, the forty-nine other Attorneys General have taken notice. Stay tuned.
LINKS:
Complaint: http://tinyurl.com/ILG-HealthNet-Complaint
Stipulated Judgment: http://tinyurl.com/ILG-HealthNet-Judgment
Docket Report: http://tinyurl.com/ILG-HealthNet-Docket
SearchSecurity.com Interview on the Data Accountability and Trust Act
For those interested, I was recently interviewed by SearchSecurity.com concerning the Data Accountability and Trust Act ("DATA") passed in the House in December 2009. While I might not be cut out for a career in broadcasting, hopefully the information I provided is useful. If you would like more information, the Information Law Group has written several times on DATA and similar legislation pending in the Senate.
The Breach Notification Obligations in the Data Accountability and Trust Act
The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".
In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law. DATA is interesting because it appears to create opposing breach notice incentives. On the one hand, there are mechanisms that could lead to less breach reporting, including:
- a "risk of harm" standard that is likely higher than many existing State laws;
- preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
- mandating call center and credit monitoring costs (e.g. these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).
On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation. Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.
How these factors would play out is unclear and up for debate. However, what is even more unclear is whether DATA will ever be made into a law. The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version. Consumer advocates will likely have concerns about the higher risk of harm threshold in the law. On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs. Moreover, the penalties for non-compliance may be problematic, especially for smaller and medium organizations. As such, should DATA become a law, it is likely to differ from this version.