Supreme Court Pro-Business and First Amendment - Targeted Regulations in Trouble

What do pharmaceutical and data mining companies have in common with the video game industry? For starters, both recently prevailed in front of the U.S. Supreme Court when they challenged state legislation on First Amendment grounds. By a 6-3 vote on June 23, 2011, the Court struck down a Vermont statute that prohibited pharmacies and similar entities from disclosing prescriber-identifying information for marketing purposes. The statute also barred pharmaceutical manufacturers and marketers from using prescriber-identifying (“PI”) information for marketing purposes. The Court held that the statute’s speaker- and content-based restrictions violated the First Amendment right of pharmaceutical manufacturers and data mining companies. By a 7-2 vote on June 27, 2011, the Court struck down a California statute that sought to prohibit the rental or sale of violent video games to minors for violating the First Amendment. The statute imposed a restriction on the content of protected speech and California failed to demonstrate that the statute served a compelling government interest. In both cases, the Court evidenced its commitment to free speech through broad readings of the First Amendment as well as its skepticism of government regulation controlling private behavior. What are the potential implications of these decisions? This post gives you the highlights.

Sorrell v. IMS Health, Inc.

When pharmacies fill prescriptions they collect information such as the doctor prescribing the medication, as well as the medication and dosage prescribed. Under federal law, this data excludes information that could be used to identify individual patients. Pharmacies often sell this PI information to data miners who produce reports on prescriber behavior. Data miners then lease their reports to pharmaceutical companies. Pharmaceutical companies use data miners’ reports to identify specific doctors they believe might be interested in their products. The companies dispatch sales representatives, known as “detailers,” to meet individually with these targeted doctors. Detailers pitch their company’s products, answer questions about existing products, and try to convince the doctors to prescribe their company’s products more frequently. Since advertising is most effective when it is directed at purchasers who are likely to be interested in the advertised product, detailing allows pharmaceutical companies to get more bang for their advertising buck.

Vermont’s Prescription Confidentiality Law. The Vermont legislature enacted the Prescription Confidentiality Law in 2007 in an effort to curtail detailers from convincing doctors to prescribe expensive name-brand drugs rather than low-cost generics. Vermont justified its statute, in part, by claiming it had a strong interest in promoting public health and protecting medical privacy. The statute provided that PI data could not be sold by pharmacies and similar entities, disclosed by those entities for marketing purposes, or used for marketing by pharmaceutical manufacturers absent the prescriber's consent. However, the prohibitions on sale, disclosure, and use were subject to a host of exceptions that permitted entities possessing PI data to sell and use the data for a variety of purposes other than marketing. In addition, the Vermont statute specifically prohibited pharmaceutical manufacturers and marketers from using PI data for marketing or promoting prescription drugs. Interestingly, the statute permitted insurers and benefits managers to use PI data to require or encourage doctors to prescribe generics. Similarly, another Vermont statute permits the state to use PI data in a “counter-detailing” program to target doctors and persuade them to switch to low-cost generics. Vermont itself could thus use PI data to market generic drugs while at the same time restricting pharmaceutical companies and data miners from using PI data for marketing. Three companies that sell the information they gather — IMS Health, SDI and Source Healthcare Analytics — challenged the statute on First Amendment grounds. The drug industry’s trade group, the Pharmaceutical Research and Manufacturers of America, joined the lawsuit.

Commercial Speech and Heightened Scrutiny. Whether speech protected by the First Amendment was involved at all was a contentious issue in Sorrell. Vermont argued that sales, transfer, and use of PI data are conduct, not speech. Public Citizen filed an amicus brief in support of Vermont’s position, arguing that aggregate PI data lacks the expressive element required for strong First Amendment protection. Some view aggregate information akin to an ordinary commodity (one lower court compared it to beef jerky) that the legislature has broad latitude to regulate in its discretion. The Court disagreed, noting “the creation and dissemination of information are speech for First Amendment purposes” and “Vermont’s statute could be compared with a law prohibiting trade magazines from purchasing or using ink.”

Vermont argued in the alternative that if speech was involved, heightened judicial scrutiny was unwarranted because the statute was merely a commercial regulation - restrictions on protected expression are distinct from restrictions on economic activity. Although the First Amendment does not prevent restrictions directed at commerce from imposing incidental burdens on speech, the Court noted that in addition to the burdens it imposed, the statute was aimed at particular speakers and restricted specific content. Such targeted censorship of commercial speech warrants heightened judicial scrutiny, and violates the First Amendment unless it achieves at least a substantial governmental interest.

Vermont attempted to justify the statute in part by claiming that it fulfilled “an important privacy interest in giving prescribers control over the use of their prescription-history information.” “While Vermont’s stated policy goals may be proper,” stated Justice Kennedy for the majority, the Court didn’t buy the argument. The legislative history of the statute demonstrated the Vermont legislature was mainly concerned that detailers were too effective at convincing doctors to prescribe their name-brand products – privacy concerns were a mere side note. Additionally, the statute’s many exceptions permitted those in possession of PI data to distribute it without prescribers’ consent “in almost every instance.” The only restriction on the non-consensual use of PI data was that the information couldn’t be used for marketing by drug companies. “The statute thus is not a genuine attempt to protect prescribers’ privacy,” according to the Court. Vermont’s interest in giving prescribers “a slight degree of control” over the use of their prescription history data did not justify the statute’s restrictions on free speech. “Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers,” according to the Court.

Brown v. Entertainment Merchants Association

On October 7, 2005, Governor Schwarzenegger signed into law California Assembly Bill 1179, which prohibited the sale or rental of “violent video games” to minors and required their packaging to be labeled “18.” Representatives from the video game and software industries brought a preenforcement challenge to the statute. The Court held that the statute imposed an unconstitutional content-based restriction on protected speech.

Video Games Entitled to First Amendment Protection. Writing for the majority, Justice Scalia explained that all speech that communicates ideas, including video games, is protected by the First Amendment. The Court emphasized the basic tenet that content-based restrictions on expression – such as the California statute’s violence-based restriction - are presumptively invalid. The rule is subject to a few limited exceptions for historically unprotected speech such as obscenity, incitement, and fighting words. Essentially, California’s statute attempted to categorize violent video games as obscenity beyond reach of the First Amendment’s protection. The statute covered games “in which the range of options available to a player includes killing, maiming, dismembering, or sexually assaulting an image of a human being, if those acts are depicted” in a manner that a reasonable person “would find appeals to a deviant or morbid interest of minors,” that is “patently offensive to prevailing standards in the community as to what is suitable for minors.” According to the Court, California tried to make its content-based restriction look like obscenity regulation by excluding video games with literary, artistic, political, or scientific value from the statute’s coverage (language borrowed from Supreme Court obscenity jurisprudence). However, the Court emphasized that the obscenity exception to the First Amendment only covers depictions of sexual conduct, not “whatever a legislature finds shocking.” Just last term, the Court held in United States v. Stevens that “new categories of unprotected speech may not be added to the list by a legislature that concludes certain speech is too harmful to be tolerated.” The holding in Stevens controlled the case at issue – “violence is not part of the obscenity that the Constitution permits to be regulated.” Thus the Court determined that video games are protected speech under the First Amendment.

Strict Scrutiny Applied. The Court then subjected the statute to strict scrutiny because it imposed a content-based restriction on protected speech. In other words, California had to demonstrate that the Act was justified by a compelling government interest and was narrowly drawn to serve that interest. No doubt there is a legitimate interest in protecting children from harm. California argued that video games present a unique set of problems because they are interactive - players participate in the violent action on screen and determine its outcome. The Court rejected the argument as “all literature is interactive,” referencing Choose-Your-Own-Adventure stories where the reader makes decisions that determine the plot by following instructions about which page to turn to (remember those? I do!).

A belief shared by many – including the California legislature – is that children exposed to violence in video games are more likely to experience feelings of aggression and to exhibit violent antisocial or aggressive behavior. California justified the Act by claiming a “compelling interest in preventing violent, aggressive, and antisocial behavior, and in preventing psychological or neurological harm to minors who play violent video games.” Yet to survive strict scrutiny California was required to specifically identify an actual problem in need of solving and demonstrate that the curtailment of free speech was necessary to the solution. California didn’t meet that standard – it didn’t show a direct causal link between violent video games and harm to children. According to the Court, studies purporting to show a connection between exposure to violent video games and harmful effects on children “do not prove that violent video games cause minors to act aggressively” and “suffer from significant, admitted flaws in methodology.” Even if violent video games produce some effect on children's feelings of aggression, “those effects are both small and indistinguishable” from effects produced by exposure to other media such as violent cartoons. Since “California has (wisely) declined” to restrict other forms of violent speech, the Court considered the Act to be “wildly underinclusive” when judged against its asserted justification. According to the Court, underinclusiveness indicates that the government is disfavoring a particular speaker or viewpoint – in this case, California singled out the purveyors of video games for disfavored treatment without sufficient justification.

The Impact - Regulations for the Future… Or Not

With greater frequency, new technologies and marketing strategies introduce a profit motive into what would otherwise be protected speech. In a number of past opinions, the Court has given the government greater latitude when regulating commercial speech. Yet the majority in Sorrell gave strong First Amendment protections to speech that is commercial in nature. This may be good news for Internet advertising companies despite the growing number of recent proposals for government regulation of behavioral advertising. Using data about a user’s browsing history to deliver targeted advertisements to consumers is quite similar to the practice of “detailing” used by pharmaceutical companies. If the government tries to regulate online tracking, the industry may ask the courts to strike those regulations down using Sorrell as a precedent. Sorrell and Brown indicate that despite an industry’s profit motive, government regulations containing speaker- and content-based restrictions must address genuine, recognizable harms in order to survive heightened judicial scrutiny. However, it’s notoriously difficult to identify and quantify privacy-related harms. After Sorrell, legislatures will need to design privacy regulations more carefully, focusing on restricting industry practices that actually cause cognizable harms to individuals.

Rather than regulate in the face of this First Amendment tightrope, perhaps leaving the industry to self-regulate is preferable, particularly when the harms are nebulous and there are alternative ways to mitigate them. In Sorrell, Vermont contended that its Prescription Confidentiality Law protected doctors from “harassing sales behaviors.” Yet Vermont offered no explanation why remedies other than content-based rules would be inadequate. The Court noted that physicians can, and often do, simply decline to meet with detailers, including detailers who use PI data. Additionally, “Doctors who wish to forgo detailing altogether are free to give ‘No Solicitation’ or ‘No Detailing’ instructions to their office managers or to receptionists at their places of work.”

Justice Breyer dissented in Brown, stating “the First Amendment does not disable government from helping parents make such a choice here - a choice not to have their children buy extremely violent, interactive video games, which they more than reasonably fear pose only the risk of harm to those children.” California State Senator Leland Yee (D-San Francisco), original author of California Assembly Bill 1179, responded to the Court’s decision by stating “It is simply wrong that the video game industry can be allowed to put their profit margins over the rights of parents and the well-being of children.” Again, there are viable alternatives that address the potential harms raised in Brown – perhaps rendering regulation of protected speech unnecessary. As the National Association of Broadcasters noted in its amicus brief, “technology that can limit youth access to violent media has proven to be effective” and “the government should continue its constitutionally appropriate role in developing and promoting technological tools to assist parents in monitoring their children's use of media.” Even absent blocking technologies, the industry’s voluntary rating system informing consumers about the content of video games and responsible parenting can help protect children from violent media. Nothing prohibits parents from telling their kids “no” – they can simply (and have the right to) restrict their children’s access to media they deem inappropriate.

Conclusion

One core principle we can take away from this pair of cases was summed up by Justice Scalia in Brown: “whatever the challenges of applying the Constitution to ever-advancing technology, the basic principles of freedom of speech and the press, like the First Amendment's command, do not vary when a new and different medium for communication appears.” In Sorrell, Vermont asked for an exception to the rule that information is speech, but the Court found no need to consider Vermont’s request. Speaker- and content-based burdens on protected expression are sufficient to justify application of heightened judicial scrutiny, even if the information at issue is “a mere commodity.” Content-based restrictions were also the death of California’s violent video game statute in Brown. Brown evidences the Court’s unwillingness to expand the categories of speech that fall outside of the protections of the First Amendment. The bottom line is that the ambit of protected speech and expression is broad and the exclusions are narrow.

According to Greg Beck, who filed an amicus brief in Sorrell on behalf of Public Citizen, legislators need to be careful about the scope of regulations they enact given the Court’s recent stance on the scope of First Amendment protection. Regulations that are too narrow may unfairly target particular speakers. Regulations that are too broad may not be fully supported by the government’s rationale, thereby burdening more speech than justified. Given the Court’s recent decisions striking down statutes in the face of First Amendment challenges, perhaps regulation should take a back seat to alternative solutions when speech is involved. As Justice Kennedy wrote in Sorrell, “Many are those who must endure speech they do not like, but that is a necessary cost of freedom.”


Changes to HIPAA Privacy Rule Proposed by HHS - Find Out Who Has Accessed Your Health Records

On May 31, 2011 the Department of Health and Human Services Office for Civil Rights issued a notice of proposed rulemaking that would add substantial data privacy requirements to the HIPAA Privacy Rule. One of the requirements the HHS proposed pursuant to both the HITECH Act and its more general authority under HIPAA is for individuals to have the right to request from a covered entity (such as a health care provider or a health plan) a list of any individuals or entities that have accessed the individuals’ electronic health records. Currently, HIPAA and HHS regulations require covered entities to track access to health records, but covered entities are not required to provide that information to patients. The proposed rule would give patients the right to request an “access report” which would document the identities of those who electronically viewed their protected health information. “This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said Georgina Verdugo, Director of the Office for Civil Rights. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

The right to an access report would apply only to health information that is maintained using an electronic system, as tracking access to paper records is not automated and would be unduly burdensome according to HHS. The proposed regulations would require covered entities to generate, upon request, an access report from access log data, which is collected by electronic record systems each time a user accesses protected health information. Access reports would detail the access by covered entities as well as business associates – entities that create, receive, maintain, or transmit certain health-related information on behalf of covered entities. The proposed rule requires covered entities and business associates to retain access logs for no less than three years so that an access report can document access to the individual’s health information for the three years prior to the individual’s request for the report.

Covered entities and business associates are already required to comply with the HIPAA Security Rule, which obligates them to track access to protected health information. As such, HHS believes that the proposed rule will not be unduly burdensome. According to HHS, many electronic systems are already configured to log the activities that the proposed access reports would reference.

Under the proposed rule, access reports would include the date and time of access, and the name of the individual or entity accessing an individual’s health information. Additionally, if available, an access report would include a description of the information that was accessed and of the action taken by the user (e.g., whether they created, modified or deleted the information). Access reports also must include a statement informing individuals of their right to request access reports in their notices of privacy practices. Additionally, while individuals would be entitled to receive their first access report free of charge, the proposed rule would allow covered entities to charge reasonable, cost-based amounts for any subsequent reports requested within a 12-month period.

To minimize the volume of data in an access report, covered entities could give individuals the option to limit the coverage of the report by a specific date, time period, or person. For example, the individual requesting a report could elect to limit an access report to disclose only whether a particular family member accessed the individual’s health records within the last six months. Additionally, HHS is recommending – although not requiring in the proposed rule – that covered entities offer individuals the option to limit access reports to specific organizations. For example, if an individual does not wish to learn whether his or her health records were accessed by business associates, the covered entity would not need to obtain access logs from the relevant business associate to include in the access report the covered entity provides to the individual.
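The following is an added example, not part of the original post or of the HHS proposal: one way a covered entity could assemble the access report described above from access log entries, in Python. The record layout, field names, function name, and sample log are assumptions constructed for illustration, and the three-year lookback is approximated as 3 × 365 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Lookback described in the proposed rule: three years before the request.
# Approximated as 3 * 365 days (assumption for this example).
LOOKBACK = timedelta(days=3 * 365)


@dataclass(frozen=True)
class AccessLogEntry:
    """Hypothetical access-log record; the field names are assumptions."""
    patient_id: str
    accessed_at: datetime
    accessor: str                       # person or entity that accessed the record
    is_business_associate: bool         # True if the log came from a business associate
    description: Optional[str] = None   # what was accessed, if the system logged it
    action: Optional[str] = None        # e.g. created / modified / deleted, if logged


def build_access_report(
    entries: Iterable[AccessLogEntry],
    patient_id: str,
    requested_at: datetime,
    *,
    since: Optional[datetime] = None,
    until: Optional[datetime] = None,
    accessor: Optional[str] = None,
    include_business_associates: bool = True,
) -> list:
    """Return report rows for one individual, oldest access first.

    The report never reaches back further than LOOKBACK before the request.
    The optional arguments mirror the narrowing options in the text: a date
    or time period, a particular person, and leaving out business associates.
    """
    window_start = requested_at - LOOKBACK
    start = max(window_start, since) if since else window_start
    end = min(requested_at, until) if until else requested_at

    selected = []
    for e in entries:
        if e.patient_id != patient_id:
            continue  # never include another individual's accesses
        if not (start <= e.accessed_at <= end):
            continue
        if accessor is not None and e.accessor.casefold() != accessor.casefold():
            continue
        if e.is_business_associate and not include_business_associates:
            continue
        selected.append(e)

    rows = []
    for e in sorted(selected, key=lambda x: x.accessed_at):
        # Date/time and accessor name are always reported.
        row = {
            "date_time": e.accessed_at.isoformat(timespec="minutes"),
            "accessed_by": e.accessor,
        }
        # Description and action are reported only "if available".
        if e.description:
            row["description"] = e.description
        if e.action:
            row["action"] = e.action
        rows.append(row)
    return rows


# Constructed sample data (not real records).
REQUESTED_AT = datetime(2011, 6, 30, 12, 0)
SAMPLE_LOG = [
    # Older than the three-year window, so it is excluded.
    AccessLogEntry("P-1001", datetime(2008, 1, 15, 9, 30), "Dr. A. Rivera", False,
                   "medication list", "viewed"),
    AccessLogEntry("P-1001", datetime(2011, 2, 3, 14, 5), "Dr. A. Rivera", False,
                   "lab results", "modified"),
    # Business associate whose system logged no description or action.
    AccessLogEntry("P-1001", datetime(2011, 4, 20, 8, 0), "Example Billing Co.", True),
    # A different individual's record.
    AccessLogEntry("P-2002", datetime(2011, 5, 1, 10, 0), "Dr. A. Rivera", False,
                   "allergies", "viewed"),
    AccessLogEntry("P-1001", datetime(2011, 6, 1, 16, 45), "J. Doe", False,
                   "demographics", "viewed"),
]

if __name__ == "__main__":
    for row in build_access_report(SAMPLE_LOG, "P-1001", REQUESTED_AT):
        print(row)
```
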

The proposed rule would require covered entities and business associates that implemented electronic record systems after January 1, 2009 to produce access reports beginning January 1, 2013. Entities that have implemented electronic record systems acquired on or before January 1, 2009 would be required to comply with the proposed rule beginning January 1, 2014. HHS has requested comments regarding a variety of issues the proposed rule has raised, and will receive comment submissions until August 1, 2011.

InfoLawGroup’s Nicole Friess and Boris Segalis collaborated on this blog post.

InfoLaw Alert: HHS Issues Proposed Modifications to HIPAA Security and Privacy Rules

The Department of Health and Human Services released proposed modifications to the privacy and security rules related to HIPAA. We are still reading through the 234-page document, but it appears that the new rules expand HIPAA responsibilities for business associates. In addition, HHS has set up a web portal that provides a summary of the breaches reported to HHS. There is a 60-day comment period on this proposed rule change. More to come from the Information Law Group in the coming days.

Quickhits: 4th Amendment & the Cloud; Dept. of Commerce Explores Privacy; Apple Plays Hardball; Kroll on Healthcare Data Security; The Senate on Facebook Privacy

  • What expectation of privacy do cloud users have vis-a-vis unreasonable searches/seizures?  An interesting article on the 4th Amendment and the Cloud.
  • Last week the U.S. Commerce Department launched an initiative to examine how the privacy of individuals is impacted in the Internet economy, with the goal of producing a report in the early fall and advising the White House. The Commerce Department is seeking public comment from the commercial sector, the academic world, all other organizations with interest in the issue, as well as individual citizens with views on the current privacy laws in the U.S. and around the world as they apply and influence the information economy.
  • Sen. Chuck Schumer and other Senators are not happy about Facebook's "instant personalization" functionality.  They think "opt-in" is more appropriate in this context.

Code or Clear? Encryption Requirements (Part 2)

In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

State Security and Breach Notification Laws

Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.

All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:
“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”

Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.

Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.

Massachusetts

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.

The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.

Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.

The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:

“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .

(5) Encryption of all personal information stored on laptops or other portable devices . . .”

The level and type of encryption are not specified.

Nevada

Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.

The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.

Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”

“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:

“‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.

HITECH

Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.

HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:

“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”

Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.

Red Flags

The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.

The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)

For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).

The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.