<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>Tanya Forsheit - Info Law Group</title>
<link>http://www.infolawgroup.com/tanya-forsheit.html</link>
<description><![CDATA[Tanya L. Forsheit is a Founding Partner of InfoLawGroup LLP and a former partner with Proskauer, where she was Co-Chair of that firm’s Privacy and Data Security practice group. In 2009, Ms. Forsheit was named one of the Los Angeles Daily Journal’s Top 100 women litigators in California. Certified as an information privacy professional by the International Association of Privacy Professionals (“IAPP”), she works with clients to address legal requirements and best practices for protection of customer and employee information. Ms. Forsheit advises companies, from multinationals to startups, on all aspects of privacy and data security compliance, contracts, policies and procedures (including complex regulatory schemes such as HIPAA and Gramm-Leach-Bliley). She negotiates cloud computing arrangements on behalf of enterprise customers, has advised on dozens of data security breaches, and represents organizations in FTC investigations involving privacy and data security. Ms. Forsheit brings her litigation experience and cloud computing and social media knowledge to bear in counseling clients on thorny issues in data management, information protection, and e-discovery.
Ms. Forsheit also has extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts at all levels. Her commercial litigation experience includes defense of a wide variety of commercial disputes including breach of contract, business tort, trademark infringement, fraud, employment, and antitrust claims, as well as the prosecution of claims for cybersquatting, copyright infringement, unfair competition, and misappropriation of trade secrets. Ms. Forsheit was part of the team that successfully petitioned the United States Supreme Court to grant certiorari, and obtained a landmark decision, in Johnson v. California, 125 S. Ct. 1141 (2005), resulting in a historic settlement with the California Department of Corrections and Rehabilitation calling for the desegregation of California's prison system.
Ms. Forsheit is a member of the Bar of the State of California, and is admitted to practice before the Supreme Court of the United States, the United States Courts of Appeals for the Ninth and Fourth Circuits, and the United States District Courts for the Central, Northern, and Southern Districts of California.
Ms. Forsheit sits on the Education Advisory Board of the IAPP and is co-chair of the IAPP’s Los Angeles KnowledgeNet. She is a frequent writer and speaker, having presented at numerous American Bar Association and Practising Law Institute conferences, as well as the renowned annual RSA information security conference. She has appeared on national and local television news programs, including Fox News and KTTV Channel 11, to address recent developments in this rapidly evolving legal area.
Practice Areas

    Privacy and data security counseling, compliance, and policies
    Security breach notice, incident response, and litigation
    Marketing counseling and compliance
    Commercial litigation, including intellectual property (copyright and trademark)
    E-commerce, outsourcing, cloud computing, software as a service

Professional Associations

    President-Elect, Women Lawyers Association of Los Angeles
    International Association of Privacy Professionals (IAPP): Los Angeles KnowledgeNet Co-chair
    Executive Committee, Los Angeles County Bar Association, Entertainment Law and Intellectual Property Section (ELIPS)
    American Bar Association, Science &amp; Technology Law, Intellectual Property, and Litigation Sections: Vice Chair, Special Committee on Promotions and Marketing Law; active member of the Information Security Committee

Education

    University of Pennsylvania Law School, J.D.
    Duke University, AB Political Science and English, cum laude

Bar Admissions

    California

]]></description>
<language>en-us</language>
<copyright>Copyright 2012</copyright>
<lastBuildDate>Fri, 06 Jan 2012 16:18:00 -0700</lastBuildDate>
<pubDate>Fri, 06 Jan 2012 17:27:27 -0700</pubDate>
<generator>http://www.movabletype.org/</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>Twitter Followers = Trade Secrets?</title>
<description><![CDATA[<p>Phonedog v. Kravitz, currently pending in the Northern District of California, raises unprecedented issues regarding social media.&nbsp; Is a list of Twitter followers protected as trade secret under California law?&nbsp; What is the value of a Twitter follower?&nbsp; $2.50 per month?&nbsp; I discussed these questions today with Fox News.&nbsp;</p>
<p><iframe width="560" height="315" frameborder="0" src="http://www.youtube.com/embed/X9AeFnhInYw?rel=0" allowfullscreen=""></iframe></p>]]></description>
<link>http://www.infolawgroup.com/2012/01/articles/social-networking/twitter-followers-trade-secrets/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2012/01/articles/social-networking/twitter-followers-trade-secrets/</guid>
<category>Articles</category><category>California</category><category>Fox News</category><category>Kravitz</category><category>Phonedog</category><category>Social Networking</category><category>economic</category><category>followers</category><category>social media</category><category>trade secrets</category><category>twitter</category><category>value</category>
<pubDate>Fri, 06 Jan 2012 16:18:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Location, Location, Location</title>
<description><![CDATA[<p><a href="http://www.infolawgroup.com/promo/attorneys/#Tanya%20Forsheit">Tanya Forsheit</a> recently appeared on <a href="http://www.foxnews.com/">Fox</a> to discuss the <a href="http://www.supremecourt.gov/">Supreme Court</a>&rsquo;s evaluation of <a href="http://en.wikipedia.org/wiki/GPS">GPS</a> surveillance under the <a href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution">Fourth Amendment</a> in <a href="http://www.americanbar.org/publications/preview_home/10-1259.html">US v. Jones</a>.  The case raises important issues regarding technology, aggregation of data, and privacy expectations with respect to location information.</p>
<p><iframe width="560" height="315" frameborder="0" src="http://www.youtube.com/embed/H9oO-Pe57R0" allowfullscreen=""></iframe></p>]]></description>
<link>http://www.infolawgroup.com/2011/11/promo/media/location-location-location/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/11/promo/media/location-location-location/</guid>
<category>Articles</category><category>Fourth Amendment</category><category>GPS</category><category>In the News</category><category>Jones</category><category>Privacy Law</category><category>Supreme Court</category><category>aggregation</category><category>data</category><category>location</category><category>reasonable expectation of privacy</category><category>surveillance</category>
<pubDate>Tue, 15 Nov 2011 13:38:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>California Amends Its Data Breach Law - For Real, This Time! (As California Goes, So Goes the Nation? Part Three)</title>
<description><![CDATA[<p>California's infamous SB 1386 (California Civil Code sections 1798.29 and 1798.82) was the very first security breach notification law in the nation in 2002, and <a href="http://www.ncsl.org/Default.aspx?TabId=13489">nearly every state followed suit</a>.&nbsp; Many states added their own new twists and variations on the theme - new triggers for notification requirements, regulator notice requirements, and content requirements for the notices themselves. Over the years, the California Assembly and Senate have passed numerous bills aimed at amending California's breach notification law to add a regulator notice provision and to require the inclusion of certain content. <a href="https://365.rsaconference.com/blogs/ediscovery/2010/11/12/governor-schwarzenegger-vetoes-proposed-ag-reporting-requirement-for-data-breaches-again">However, Governor Schwarzenegger vetoed the bills on multiple occasions, at least three times</a>. Earlier this year, State Sen. Joe Simitian (D-Palo Alto) introduced <a href="http://www.infolawgroup.com/uploads/file/sb_24_bill_20110831_chaptered.pdf">Senate Bill 24</a>, again attempting to enact such changes. <a href="http://www.senatorsimitian.com/entry/simitians_consumer_privacy_bill_signed_into_law/">Yesterday, August 31, 2011, Governor Brown signed SB 24 into law</a>.&nbsp;</p>
<p><a href="http://www.infolawgroup.com/uploads/file/sb_24_bill_20110831_chaptered(1).pdf">SB 24</a>, which will take effect January 1, 2012, requires the inclusion of certain content in data breach notifications, including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.&nbsp; In addition, importantly, SB 24 requires data holders to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 Californians.&nbsp; This adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches (note that <a href="http://www.infolawgroup.com/uploads/file/Health and Safety Code.pdf">California already requires notice to the Department of Public Health for certain regulated entities in the event of a breach involving patient medical information, Health &amp; Safety Code section 1280.15</a>). Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia.</p>
<p>You can find the text of <a href="http://www.infolawgroup.com/uploads/file/sb_24_bill_20110831_chaptered(2).pdf">SB 24 here</a>.&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2011/09/articles/breach-notification-2/california-amends-its-data-breach-law-for-real-this-time-as-california-goes-so-goes-the-nation-part-three/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/09/articles/breach-notification-2/california-amends-its-data-breach-law-for-real-this-time-as-california-goes-so-goes-the-nation-part-three/</guid>
<category>Attorney General</category><category>Breach</category><category>Breach Notice</category><category>Breach Notification</category><category>California</category><category>Governor Brown</category><category>SB 1386</category><category>SB 24</category><category>Simitian</category><category>content</category><category>data breach</category><category>notice</category><category>notification</category><category>regulator</category><category>security breach</category>
<pubDate>Thu, 01 Sep 2011 13:10:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Recent News: Smartphones &amp; Location Privacy, NSTIC, and More . . .</title>
<description><![CDATA[<p>Our readers may have noticed that there is a lot in the privacy news this week. On Monday, <a href="http://video.foxnews.com/v/4661579/smartphones-transmitting-your-locations/?playlist_id=87937">I appeared on FoxNews.com Live to discuss smartphones and location privacy</a>.  Yesterday, <a href="http://www.kdvr.com/videobeta/?watchId=d1122949-1d20-4fe3-a59b-95ad67bab93e">Dave appeared on Fox 31 Denver KDVR to discuss The National Strategy for Trusted Identities in Cyberspace (NSTIC)</a>.  And new privacy and security law stories are breaking on a daily (sometimes hourly) basis.&nbsp; We will continue to watch these and other rapidly evolving issues and will post new developments here.</p>]]></description>
<link>http://www.infolawgroup.com/2011/04/articles/recent-news/recent-news-smartphones-location-privacy-nstic-and-more-/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/04/articles/recent-news/recent-news-smartphones-location-privacy-nstic-and-more-/</guid>
<category>Fox News</category><category>NSTIC</category><category>National Strategy for Trusted Identities in Cyberspace</category><category>Privacy</category><category>Recent News</category><category>iPhone</category><category>location</category><category>smartphones</category><category>tracking</category>
<pubDate>Wed, 27 Apr 2011 10:06:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>The Kerry-McCain Bill</title>
<description><![CDATA[<p>Dave, Scott and I recently <a href="http://www.infolawgroup.com/uploads/file/2011-04-infolawgroup(2).pdf">spoke</a> with <a href="http://nymity.com/">Nymity</a> about the <a href="http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf">Commercial Privacy Bill of Rights Act of 2011</a> introduced by Senators <a href="http://kerry.senate.gov/">John Kerry (D-MA)</a> and <a href="http://mccain.senate.gov/public/">John McCain (R-AZ)</a> last Tuesday.  You can read the <a href="http://www.infolawgroup.com/uploads/file/2011-04-infolawgroup(1).pdf">interview</a> <a href="http://www.infolawgroup.com/uploads/file/2011-04-infolawgroup.pdf">here</a>. We provide a general summary of the bill and identify some of the key challenges organizations will face if the bill becomes law.</p>]]></description>
<link>http://www.infolawgroup.com/2011/04/articles/data-privacy-law-or-regulation/the-kerrymccain-bill/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/04/articles/data-privacy-law-or-regulation/the-kerrymccain-bill/</guid>
<category>Behavioral Advertising</category><category>Commercial Privacy Bill of Rights Act</category><category>Data Privacy Law or Regulation</category><category>Kerry</category><category>McCain</category><category>Nymity</category><category>Privacy Law</category><category>privacy bill of rights</category>
<pubDate>Mon, 18 Apr 2011 17:40:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>InfoLawGroup Profiled in Los Angeles Daily Journal: &quot;The Social (Law Firm) Network&quot;</title>
<description><![CDATA[<p>InfoLawGroup was recently <a href="http://www.infolawgroup.com/uploads/file/InfoLawGroup (DJ 4_01_11).pdf">profiled in the Los Angeles Daily Journal</a>.&nbsp; &quot;<a href="http://www.infolawgroup.com/uploads/file/InfoLawGroup (DJ 4_01_11)(1).pdf">The Social (Law Firm) Network</a>&quot; is reprinted <a href="http://www.infolawgroup.com/uploads/file/InfoLawGroup (DJ 4_01_11)(2).pdf">here</a> with permission from the Daily Journal.&nbsp; We wish all of our clients, friends, and readers a great weekend.</p>]]></description>
<link>http://www.infolawgroup.com/2011/04/articles/uncategorized/infolawgroup-profiled-in-los-angeles-daily-journal-the-social-law-firm-network/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/04/articles/uncategorized/infolawgroup-profiled-in-los-angeles-daily-journal-the-social-law-firm-network/</guid>
<category>Daily Journal</category><category>InfoLawGroup</category><category>Information Security</category><category>Law</category><category>Los Angeles</category><category>Privacy</category><category>Uncategorized</category><category>information law group</category><category>law firm</category><category>profile</category><category>social network</category>
<pubDate>Fri, 08 Apr 2011 10:59:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>California Supreme Court Says Zip Codes are PII-Really. (As California Goes, So Goes the Nation? Part Two)</title>
<description><![CDATA[<p>Thinking hard about how business and consumer interests can be harmonized by effective and privacy/security-friendly policies and practices? We thought so. Worried that zip codes might be treated as personal information in this country?&nbsp; Probably not.&nbsp; All that may be changing.&nbsp; In a ruling already attracting <a href="http://blogs.forbes.com/kashmirhill/2011/02/11/a-ridiculous-california-court-ruling-zip-codes-are-private/">criticism</a> and attention from some high profile privacy bloggers, the California Supreme Court ruled Thursday, in <a href="http://www.metnews.com/sos.cgi?0211%2FS178241"><em>Pineda v. Williams-Sonoma</em></a>, that zip codes are &quot;personal identification information&quot; for purposes of <a href="http://www.infolawgroup.com/uploads/file/California Civil Code section 1747 et seq_.pdf">California's Song-Beverly Credit Card Act, California Civil Code section 1747.08</a>, reversing the <a href="http://www.infolawgroup.com/2009/10/articles/privacy-and-security-litigatio/california-court-rejects-class-action-based-on-data-collection-for-pii-aggregation-purposes/">Court of Appeal</a>'s decision that <a href="http://www.infolawgroup.com/2009/10/articles/privacy-and-security-litigatio/california-court-rejects-class-action-based-on-data-collection-for-pii-aggregation-purposes/">we discussed last year</a>.&nbsp; For those of you who may be wondering, yes - the statute provides for penalties of up to $250 for the first violation and $1,000 for each subsequent violation, and does not require any allegations of harm to the consumer.&nbsp; California has already seen dozens, if not hundreds, of class action lawsuits around the Song-Beverly Credit Card Act.&nbsp; The Court's interpretation of &quot;personal identification information&quot; as including zip codes is likely to spark a new round of class action suits. 
California retailers should carefully consider the <em><a href="http://www.metnews.com/sos.cgi?0211%2FS178241">Pineda</a> </em>decision in crafting and updating their personnel policies and training programs with respect to collection of information during credit card transactions.</p>]]><![CDATA[<p>The legislation at issue prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Section 1747.08(a) provides that &quot;no . . . firm . . . that accepts credit cards for the transaction of business shall . . . [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.&quot;&nbsp; Subdivision (b) defines &quot;personal identification information&quot; as &ldquo;information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number.&rdquo;</p>
<p>The California Supreme Court reversed the Court of Appeal, holding that the definition means exactly what it says - personal identification information means <em>any</em> &quot;information concerning the cardholder.&quot;&nbsp; The Court cited Webster's, noting that &quot;concerning&quot; is &quot;a broad term meaning 'pertaining to; regarding; having relation to; [or] respecting.'&quot;&nbsp; The Court rejected the Court of Appeal's reasoning that a zip code pertains to a group of individuals, not a specific individual, finding that the reference to address in the definition of &quot;personal identification information&quot; must also include components of an address. The Court attacked the Court of Appeal's assumption that a complete address and telephone number are not specific to an individual. The Court took the position that interpreting the term &quot;personal identification information&quot; to mean any information of any kind &quot;concerning&quot; a consumer is consistent with the consumer protection goals of the statute.&nbsp; The Court reasoned:</p>
<blockquote>
<p>the legislative history of the Credit Card Act in general, and section 1747.08 in particular, demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.</p>
</blockquote>
<p>The Court's discussion of &quot;information concerning&quot; reminds me of the boilerplate definitions we litigators always use (and then fight about) in discovery requests and meet and confers.&nbsp; The litigators out there know what I am talking about:&nbsp; &quot;for purposes of these document requests, the term 'concerning' means 'discussing, describing, reflecting, containing, commenting, evidencing, constituting, setting forth, considering, pertaining to,'&quot; and on, and on, and on . . . Such definitions, interpretations, and arguments may be fun for litigators, but in real life no one knows what they really mean and they have no practical application.&nbsp; <strong>If &quot;concerning&quot; can mean anything, it kind of means nothing for purposes of providing practical guidance for reasonable business practices</strong>.</p>
<p>Further, while the Court's reading of the statute might make sense in a vacuum as a matter of plain language statutory interpretation based on the phrase &quot;information concerning,&quot; the Court's analysis seems to omit any discussion of the words &quot;personal identification&quot; in the term &quot;personal identification information.&quot;&nbsp; Zip codes may be information &quot;concerning&quot; a person, but they do not personally identify any individual.</p>
<p>Finally, and perhaps most significantly, it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute - consumer protection.&nbsp; The Court does not discuss any potential harm to the consumer from collection of zip codes.&nbsp; That is not surprising since collection of zip codes does not give rise to any obvious or apparent consumer harm.&nbsp;&nbsp;</p>
<p>I'm off to speak at the <a href="http://www.computerworld.com/s/article/9208940/RSA_2011_Cloud_security_challenges_dominate?source=rss_news">RSA Conference</a>.&nbsp; Look forward to hearing your thoughts on this one.&nbsp; Happy weekend to all.</p>
]]></description>
<link>http://www.infolawgroup.com/2011/02/articles/lawsuit/california-supreme-court-says-zip-codes-are-piireally-as-california-goes-so-goes-the-nation-part-two/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/02/articles/lawsuit/california-supreme-court-says-zip-codes-are-piireally-as-california-goes-so-goes-the-nation-part-two/</guid>
<category>California</category><category>Data Privacy Law or Regulation</category><category>Lawsuit</category><category>Penalties and Fines</category><category>Privacy Law</category><category>Privacy and Security Litigation</category><category>Song-Beverly Credit Card Act</category><category>credit cards</category><category>personal identification information</category><category>personal information</category><category>personally identifiable information</category><category>retail</category><category>retailers</category>
<pubDate>Fri, 11 Feb 2011 18:28:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Please Tune In Monday, January 31, 2011</title>
<description><![CDATA[<p>I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to <em>Privacy Piracy</em>, audio streaming on <a href="http://www.kuci.org">www.kuci.org</a> (or locally in Southern California on KUCI 88.9 FM in Irvine, CA).&nbsp; Mari Frank <a href="http://www.kuci.org/privacypiracy/#01_31_11">will interview me</a> about the following topics and more:</p>
<ul>
    <li>If an organization has the time and resources to do only one thing to improve its privacy and data security compliance programs in 2011, what should that one thing be?</li>
    <li>What are the hottest topics in information law in 2011?</li>
    <li>What can an organization using or considering using cloud services do today to protect itself?</li>
</ul>]]></description>
<link>http://www.infolawgroup.com/2011/01/articles/events/please-tune-in-monday-january-31-2011/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/01/articles/events/please-tune-in-monday-january-31-2011/</guid>
<category>Cloud Computing</category><category>Events</category><category>Information Law</category><category>KUCI</category><category>Mari Frank</category><category>Privacy</category><category>Privacy Piracy</category><category>compliance</category><category>data security</category><category>hot topics</category><category>legislation</category>
<pubDate>Wed, 12 Jan 2011 13:20:02 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>As California Goes, so Goes the Nation? Part One</title>
<description><![CDATA[<p>Many of you probably read earlier this month that California's Office of Administrative Law (&quot;OAL&quot;) approved the California Department of Insurance's (&quot;DOI&quot;) proposal to repeal certain privacy regulations.&nbsp; And you yawned.&nbsp;  Or you quickly skimmed over, confident in the knowledge that this is just, well, those crazy Californians (we'll eventually fall into the ocean so no need to worry). &nbsp; The California changes actually have greater significance than may be apparent on a quick glance.&nbsp; Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act (GLBA), so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country.&nbsp; Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation.&nbsp; While California was the first &quot;mavericky&quot; state to pass data breach legislation (SB 1386) back in the early part of the last decade, many states long ago blew past California in passing and enforcing strict privacy and security regulations (e.g., Massachusetts and Connecticut).&nbsp; While other states have been taking steps over the last few years to galvanize privacy and security regulations, California has moved in the opposite direction - <a href="https://365.rsaconference.com/blogs/ediscovery/2010/11/12/governor-schwarzenegger-vetoes-proposed-ag-reporting-requirement-for-data-breaches-again">Governor Schwarzenegger has, on numerous occasions, vetoed legislation that would have enhanced California's breach notification law (to require, for example, notice to California regulators)</a> and now the California DOI has repealed what some 
might consider to be standard notice and opt-out requirements for insurance agents and brokers.&nbsp; (Query whether this general trend will change when the Brown administration takes office in January, and/or depending on the ultimate results of the California Attorney General race.&nbsp; But that's fodder for a future post, maybe Part Two of this series.)&nbsp; Many of our followers have asked me to break down this newest California development, so here goes.&nbsp; (The DOI's proposed regulation text is <a href="http://www.infolawgroup.com/uploads/file/calinsureProp(2).pdf">here</a>; the DOI's &quot;Statement Supporting Change Without Regulatory Effect&quot; is <a href="http://www.infolawgroup.com/uploads/file/calinsureStat2(1).pdf">here</a>.)</p>]]><![CDATA[<p>For privacy purposes, California insurance brokers and agents are subject to numerous regulations:</p>
<ul>
    <li><a href="http://www.ftc.gov/privacy/privacyinitiatives/glbact.html">GLBA</a> (which regulates financial institutions, including organizations that insure, guarantee, or indemnify against loss, harm, damage, illness, disability or death, or provide and issue annuities, and act as principal, agent, or broker for purposes of the foregoing, in any State);</li>
    <li><a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=fin&amp;group=04001-05000&amp;file=4050-4060">California's Financial Information Privacy Act (or CalFIPA</a>, as I like to call it, Cal. Fin. Code sections 4050-4060);</li>
    <li><a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=ins&amp;group=00001-01000&amp;file=791-791.28">California's Insurance Information and Privacy Protection Act</a>, Section 791 <em>et seq</em>. (let's call it CalIIPPA, just for fun), promulgated pursuant to GLBA (although GLBA is a federal law, state insurance authorities are responsible for the enforcement of the financial institution safeguards and disclosure/opt-out procedures required by GLBA as applied to &quot;any person engaged in providing insurance,&quot; see 15 U.S.C. &sect; 6805(a)(6)); and</li>
    <li><a href="http://www.insurance.ca.gov/privacy-policy/final-reg-text.cfm">California's Code of Regulations (&quot;CCRs&quot;) promulgated pursuant to CalIIPPA</a>.</li>
</ul>
<p>With me so far?&nbsp; OK.</p>
<p>CalFIPA section 4056.5(b), which took effect more than six years ago in 2004, permits broker-agents to use nonpublic personal information without obtaining prior customer consent to shop for new policies on renewal.&nbsp; However, the older CCRs resulting from GLBA and CalIIPPA (specifically, Section 2689.8(c)(3)) were inconsistent and required agents and brokers to annually mail privacy policies to all customers and to provide an opt-out that, if returned by the customer, prevented the broker-agents from using nonpublic personal information to obtain information to respond to a customer request for policy rate quote information.</p>
<p>On November 4, OAL approved changes to the CCRs that repealed Section 2689.8(c)(3).  OAL also clarified that all brokers and agents are exempt from sending out their own privacy policies provided that the insurance company issuing the policy has complied with the notification requirements. The amendments took effect immediately.</p>
<p><a href="http://www.insurancejournal.com/news/west/2010/09/27/113562.htm?print=1">The insurance industry noted that the changes make the CCRs consistent with CalFIPA and &quot;prevent [consumers] from being bombarded with multiple, identical privacy policies on every insurance product they purchase.&quot;</a>&nbsp; Setting aside the question of whether those privacy policies are or should be &quot;identical,&quot; there is a legitimate issue, noted on numerous recent occasions by the <a href="http://www.ftc.gov/speeches/vladeck/100128exploringprivacy.pdf">FTC</a> and <a href="http://abcnews.go.com/Technology/PCWorld/story?id=3818280">privacy advocates</a> in a more general context, as to whether more fine print and pages in privacy policies result in more transparency or just more confusion.</p>
<p>Because the changes to CCRs were, <a href="http://www.insurancejournal.com/news/west/2010/09/27/113562.htm?print=1">as reported by the Insurance Journal, &quot;the verbatim result of changes to previously enacted statutory law,&quot;</a> the CA DOI was not required by the California Administrative Procedures Act to hold public hearings or otherwise initiate a new rulemaking hearing.&nbsp; However, the OAL was required to approve the DOI action in order for the changes to take effect.&nbsp;</p>
<p>It is not clear from the limited press reports whether other states like California that have adopted the 1982/1992 Model Act of the National Association of Insurance Commissioners for privacy purposes (Arizona, Connecticut, Georgia, Illinois, Kansas to some extent, Maine, Massachusetts, Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon, and Virginia) have confronted similar inconsistencies as between their privacy regulations promulgated pursuant to GLBA, on the one hand, and their other state privacy laws, or whether they will follow California's lead in resolving any such conflicts.</p>
<p>It is also not clear that the changes will have any real impact on brokers and agents to the extent they serve customers in other states that still require notice and opt-out.&nbsp; But, for those few California brokers and agents that serve only California customers, the amendments are likely to result in significant savings with respect to preparation of privacy notices and effectuating opt-outs.</p>
<p>My primary takeaway from all this - there is a real need for some consistency and predictability in the privacy and security regulatory scheme(s) in this country, as between and among states and industries. Having said that, I don't think the proposed federal legislation currently under consideration gets us there (at least, not beyond some of the proposed breach notification requirements).&nbsp; In the meantime, the business and technology worlds are moving forward.</p>]]></description>
<link>http://www.infolawgroup.com/2010/11/articles/financial-services/as-california-goes-so-goes-the-nation-part-one/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/11/articles/financial-services/as-california-goes-so-goes-the-nation-part-one/</guid>
<category>California</category><category>DOI</category><category>Data Privacy Law or Regulation</category><category>Financial Services</category><category>GLBA</category><category>NAIC</category><category>OAL</category><category>Regulations</category><category>broker-agents</category><category>brokers</category><category>consent</category><category>insurance</category><category>notice</category><category>notice of privacy practices</category><category>opt-out</category>
<pubDate>Mon, 22 Nov 2010 00:00:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)</title>
<description><![CDATA[<p>So, you thought our <a href="http://www.infolawgroup.com/articles/special-series/cloud-computing-series/">cloud series</a> was over?&nbsp; Wishful thinking.&nbsp; It is time to talk about ethics.&nbsp; Yes, ethics.&nbsp; Historically, lawyers and technologists lived in different worlds.&nbsp; The lawyers were over here, and IT was over there.&nbsp; Well, maybe not just historically.&nbsp; As recently as last year, I attended an ediscovery CLE where a trial lawyer announced to the audience of litigators, with great emphasis, that they would have to start talking to the &quot;geeks&quot; and understanding technology in order to competently handle ediscovery in almost any commercial litigation.&nbsp; This made the audience laugh.&nbsp; I have found myself on conference calls with seasoned litigators who claim that ediscovery is not their area of practice.&nbsp; As a more general matter, I find that lawyers believe that they do not need to concern themselves with security controls for protecting sensitive information because they are already subject to existing ethics rules and standards governing the protection of privileged information.&nbsp; In the meantime, lawyers everywhere, particularly solo practitioners, are <a href="http://www.llrx.com/features/cloudcomputingforlawyers.htm">singing the virtues of cloud computing solutions for case management</a> and are casually storing client data - often unencrypted - with a third party.</p>
<p>Here's the reality:&nbsp; Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers.&nbsp; This is true both from a legal ethics point of view and from a best practices data security point of view.&nbsp; The issue of ethics and the use of cloud by lawyers is not new - I recommend <a href="http://www.criminallawlibraryblog.com/2010/04/intro_to_cloud_computing_and_i.html">this piece by Jeremy Feinberg and Maura Grossman </a>and <a href="http://michaelpower.ca/2010/08/lawyers-ethics-security-the-cloud/">this blog post by E. Michael Power</a>.&nbsp; A few State Bar associations have opined on the subject of lawyer use of cloud computing and other technologies.&nbsp; This blog post does not purport to cover that entire universe.&nbsp; Instead, this post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations --<a href="http://www.infolawgroup.com/uploads/file/letterhead-client-confidentiality-issues-paper-final-9_20_10-1.pdf"> the American Bar Association (ABA)</a>, <a href="http://www.infolawgroup.com/uploads/file/http___www_nysba_org_AM_Template_cfm_Section=Ethics_Opinions&amp;TEMPLATE=_CM_ContentDisplay.pdf">the New York State Bar Association (NYSBA)</a>, and <a href="http://www.infolawgroup.com/uploads/file/LinkClick.pdf">the State Bar of California (CA Bar)</a>.&nbsp; These opinions and papers all drive home the following points:&nbsp; as succinctly stated by the ABA, <strong>&quot;[l]awyers must take reasonable precautions to ensure that their clients&rsquo; confidential information remains secure&quot;</strong>; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology.&nbsp; The question, as always, is what is &quot;reasonable&quot;?&nbsp; Also, what role <em>should</em> Bar associations play in providing guidelines/best practices and/or mandating compliance with 
particular data security rules?&nbsp; Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet.&nbsp; <strong>At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions?&nbsp; Read on and tell us - and the ABA - what you think.</strong></p>]]><![CDATA[<p><strong><u>The ABA Issues Paper Concerning Client Confidentiality and Lawyers&rsquo; Use of Technology</u></strong></p>
<p>On September 20, 2010, the ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies issued for comment its <a href="http://www.infolawgroup.com/uploads/file/letterhead-client-confidentiality-issues-paper-final-9_20_10-1(1).pdf">&quot;Issues Paper Concerning Client Confidentiality and Lawyers&rsquo; Use of Technology.&quot;</a>&nbsp; <strong>The Commission is seeking public comment and has set a deadline of December 15, 2010</strong>.&nbsp;</p>
<p>The Commission articulated its objective as follows:</p>
<blockquote>
<p>The Commission is studying how lawyers use [certain] forms of technology as well as the current state of data security measures for each form of technology. The Commission&rsquo;s efforts have been guided by the reality that information, whether in electronic or physical form, is susceptible to theft, loss, or inadvertent disclosure. The Commission&rsquo;s goal is to offer recommendations and proposals regarding how lawyers should address these risks. To that end, the Commission invites comments on several confidentiality-related issues arising from lawyers&rsquo; use of technology.</p>
</blockquote>
<p>The Commission's research to date, and the Issues Paper itself, focus on two categories of technology:&nbsp; (1) <a href="http://www.infolawgroup.com/2009/08/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-one-the-basics-and-framing-the-issues/">cloud computing</a>; and (2) &quot;technology controlled by lawyers or their employees,&quot; including devices that can store or transmit confidential electronic information, such as laptops, cell phones, flash drives, scanners, and photocopiers.&nbsp;&nbsp; <strong>The Issues Paper broadly defines &quot;cloud computing&quot; as &quot;any service provided online and operated by a third party&quot; or &quot;services that are controlled by third-parties and accessed over the Internet.&quot;</strong>&nbsp; That means everything from webmail (Hotmail, Gmail, etc.) to online data storage to software as a service (SaaS), e.g., Salesforce.com.</p>
<p>In the information security and privacy law community, we often talk about the problem of organizations conflating &quot;compliance&quot; with &quot;security.&quot;&nbsp; The Commission immediately recognizes this issue, noting that there is likely to be a difference between attorney use of these technologies that would be unethical and <em>attorney use that would not be unethical but might be ill-advised from a security point of view</em>.&nbsp; Some of my information security friends might be troubled by the following statement by the Commission:</p>
<blockquote>
<p>the Commission recognizes that there may be a gap between technology-related security measures that are ethically required and security measures that are merely consistent with &ldquo;best practices.&rdquo; For example, it may be consistent with best practices to install sophisticated firewalls and various protections against malware (such as viruses and spyware), but lawyers who fail to do so or who install a more basic level of protection are not necessarily engaged in unethical conduct. Similarly, it might be inadvisable to use a cloud computing provider that does not comply with industry standards regarding encryption, but it is not necessarily unethical if a lawyer decides to do so.</p>
</blockquote>
<p>As a result of this perceived distinction, the Commission is considering three non-mutually exclusive options in terms of what its work product might be:&nbsp; (1)&nbsp; white paper/guidance; (2)&nbsp; online resource; and/or (3)&nbsp; proposed amendments to the Model Rules of Professional Conduct, such as Model Rules 1.1 (competency), 1.6 (duty of confidentiality), 1.15 (safeguarding client property), or the comments to those Rules.</p>
<p>Thus, as a preliminary matter, it is important to recognize that <strong>many lawyers who use the cloud and other technologies may take the view that they need NOT employ security best practices or even standard, cheap and easily implemented security controls because it is technically not &quot;unethical&quot; for them to opt against doing so.</strong>&nbsp; The ABA will undoubtedly consider the consequences of this possibility in preparing its final work product.</p>
<p>Interestingly, the Commission also recognizes the existence of data security statutory law in a number of states that already requires lawyers and other organizations to maintain certain security controls:</p>
<blockquote>
<p>The Commission recognizes that any guidance or rule amendments that it offers would have to operate within an increasingly large body of law that governs data privacy, some of which already applies to lawyers. For example, <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">Massachusetts recently adopted a rigorous law on data privacy</a>, . . . which applies to many lawyers and law firms (including those outside of Massachusetts) that have confidential information about Massachusetts residents.</p>
</blockquote>
<p>You can read more about the Massachusetts data security regulations <a href="http://www.infolawgroup.com/2009/11/articles/massachusetts-210-cmr-1700/analyzing-the-riskbased-factors-of-massachusetts-data-security-law/">here</a>.</p>
<p style="margin-left: 40px;"><u>Cloud Computing Confidentiality Issues</u></p>
<p>The ABA Commission has identified a number of confidentiality issues with respect to lawyer use of the cloud.&nbsp; Notably, <em><strong>many of these issues have existed and still exist in contexts independent of cloud, including more traditional outsourcing and use of contract lawyers and staff</strong></em>.&nbsp; It is curious that the cloud computing hype has brought these issues to the attention of the mainstream legal community for the first time.&nbsp; Following are the confidentiality issues identified by the ABA Issues Paper:</p>
<blockquote>
<p>● unauthorized access to confidential client information by a vendor&rsquo;s employees (or sub-contractors) or by outside parties (e.g., hackers) via the Internet;</p>
<p>● the storage of information on servers in countries with fewer legal protections for electronically stored information [for more on this subject, read on <a href="http://www.infolawgroup.com/2010/08/articles/eu-1/european-reservations/">here</a>];</p>
<p>● a vendor&rsquo;s failure to back up data adequately;</p>
<p>● unclear policies regarding ownership of stored data;</p>
<p>● the ability to access the data using easily accessible software in the event that the lawyer terminates the relationship with the cloud computing provider or the provider changes businesses or goes out of business;</p>
<p>● the provider&rsquo;s procedures for responding to (or when appropriate, resisting) government requests for access to information;</p>
<p>● policies for notifying customers of security breaches;</p>
<p>● policies for data destruction when a lawyer no longer wants the relevant data available or transferring the data if a client switches law firms;</p>
<p>● insufficient data encryption;</p>
<p>● the extent to which lawyers need to obtain client consent before using cloud computing services to store or transmit the client&rsquo;s confidential information.</p>
</blockquote>
<p>Acknowledging that cloud computing is a form of outsourcing, the Commission invites feedback on the extent to which the procedures outlined in <a href="http://www.abanet.org/media/youraba/201004/formalOpinion08-451.pdf">ABA Formal Ethics Opinion 08-451</a> (describing a lawyer&rsquo;s obligations when outsourcing work to lawyers and non-lawyers) should apply in the cloud computing context and seeks input into whether cloud computing should affect the Commission&rsquo;s ongoing examination of possible amendments to <a href="http://www.abanet.org/cpr/mrpc/rule_5_3.html">Model Rule of Professional Conduct 5.3</a>.</p>
<p>InfoLawGroup has written extensively about <a href="http://www.infolawgroup.com/2010/05/articles/cloud-computing-1/contracting-for-cloud-computing-services/">the due diligence and contract negotiation process for organizations looking to use the cloud</a>.&nbsp; The Commission acknowledges that those issues are equally relevant to lawyers considering using the cloud.&nbsp; Specifically, the Commission seeks to determine which terms and conditions are essential for lawyers, such as:</p>
<blockquote>
<p>● the ownership and physical location of stored data;</p>
<p>● the provider&rsquo;s backup policies;</p>
<p>● the accessibility of stored data by the provider&rsquo;s employees or sub-contractors;</p>
<p>● the provider&rsquo;s compliance with particular state and federal laws governing data privacy (including notifications regarding security breaches);</p>
<p>● the format of the stored data (and whether it is compatible with software available through other providers);</p>
<p>● the type of data encryption; and</p>
<p>● policies regarding the retrieval of data upon the termination of services.</p>
</blockquote>
<p>Interestingly, the Commission asks for comments on whether lawyers <strong><em>have an obligation to negotiate particular terms and conditions</em></strong> before incorporating cloud computing services into their law practices.</p>
<p style="margin-left: 40px;"><u>&quot;Traditional&quot; Technology Confidentiality Concerns</u></p>
<p>The ABA Commission also addresses more &quot;traditional&quot; technology issues in its Issues Paper.&nbsp;</p>
<p>I have heard many lawyers express shock at the notion that they might not be able to use traditional email - whether locally-hosted or cloud-based webmail - to transmit sensitive information to a client.&nbsp; What do you mean I can't send the HR data as an Excel spreadsheet attached to an email? Lawyers assume that the attorney-client privilege has them covered.&nbsp; However, the confidentiality concerns related to personally identifying information (Social Security numbers, medical information, financial account information, credit card numbers) raise new concerns, and lawyers cannot forget that their clients - and their employees - are entrusting them with that information with an expectation that it will be protected in accordance with the laws and standards applicable to everyone else.&nbsp; The ABA is starting to take notice and seems particularly concerned with mobile media in this regard:</p>
<blockquote>
<p>[T]he Commission is considering whether to recommend that lawyers take certain precautions, such as:</p>
<p>● providing adequate physical protection for devices (e.g., laptops) or having methods for deleting data remotely in the event that a device is lost or stolen</p>
<p>● encouraging the use of strong passwords</p>
<p>● purging data from devices before they are replaced (e.g., computers, smart phones, and copiers with scanners)</p>
<p>● installing appropriate safeguards against malware (e.g., virus protection, spyware protection)</p>
<p>● installing adequate firewalls to prevent unauthorized access to locally stored data</p>
<p>● ensuring frequent backups of data</p>
<p>● updating computer operating systems to ensure that they contain the latest security protections</p>
<p>● configuring software and network settings to minimize security risks</p>
<p>● encrypting sensitive information, and identifying (and, when appropriate, eliminating) metadata from electronic documents before sending them</p>
<p>● avoiding &ldquo;wifi hotspots&rdquo; in public places as a means of transmitting confidential information (e.g., sending an email to a client)</p>
</blockquote>
<p style="margin-left: 40px;"><u>Do Lawyers Need Cyberinsurance?</u></p>
<p>Finally, the Commission goes as far as to seek comment on whether lawyers need to be procuring cyberinsurance and/or cyber liability insurance in addition to traditional professional liability coverage:&nbsp; &quot;The Commission seeks more information about cyberinsurance and cyberliability insurance, including the underwriting requirements for such insurance and whether typical professional liability policies provide inadequate coverage for technology-related claims and losses.&quot;</p>
<p><strong>There is still ample time for interested persons and entities to comment on the </strong><a href="http://www.infolawgroup.com/uploads/file/letterhead-client-confidentiality-issues-paper-final-9_20_10-1(2).pdf"><strong>ABA's Issues Paper</strong></a><strong> - the deadline is December 15, 2010 and you can contact us for more information.</strong></p>
<p><strong><u>The New York State Bar Association Formal Opinion</u></strong></p>
<p>In the meantime, on September 10, 2010, <a href="http://www.infolawgroup.com/uploads/file/http___www_nysba_org_AM_Template_cfm_Section=Ethics_Opinions&amp;TEMPLATE=_CM_ContentDisplay(1).pdf">the New York State Bar Association Committee on Professional Ethics issued Opinion 842 on lawyer use of an outside online storage (i.e., cloud) provider to store client confidential information</a>.&nbsp; New York reached the same conclusion as the ABA in its preliminary assessment:&nbsp;</p>
<blockquote>
<p>A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes <strong>reasonable care</strong> to ensure that confidentiality will be maintained in a manner consistent with the lawyer's obligations under Rule 1.6.&nbsp; <strong>In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.</strong></p>
</blockquote>
<p>(Emphasis added).&nbsp; What is &quot;reasonable care&quot;?&nbsp; The NYSBA finds that &quot;reasonable care&quot; may include &quot;consideration&quot; of the following:</p>
<ul>
    <li>ensuring that the cloud provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;</li>
    <li>investigating the provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate;</li>
    <li>employing &quot;available&quot; technology to guard against reasonably foreseeable attempts to infiltrate the data; and<strong>/or</strong></li>
    <li>investigating the provider's ability to purge and wipe any copies of the data and to move the data to a different host if the lawyer becomes dissatisfied or otherwise wants to change providers.</li>
</ul>
<p>The NYSBA also points out that the lawyer must periodically reconfirm that the provider's security measures remain effective as technology changes.&nbsp; Further, and not surprisingly, the NYSBA states that if the lawyer has information to suggest that the provider's security measures are no longer adequate, or if the lawyer learns of a breach of confidentiality at the provider, the lawyer must investigate whether there has been a breach of confidentiality of its client information, must notify clients, and must discontinue use of the service unless the lawyer receives assurances that the problems have been sufficiently remediated.&nbsp; <strong>This sounds a lot like the first ever mandated breach notice requirement for attorney-client privileged information.</strong>&nbsp;</p>
<p>Importantly and interestingly, in the hypothetical addressed by the NYSBA, the online system is password protected AND the data stored is encrypted.&nbsp; Many, if not most, cloud solutions do not encrypt the data and rely on the user to do so himself or herself.&nbsp; Query how the NYSBA would change its opinion in the absence of encryption.</p>
<p>The NYSBA also states that lawyers using cloud services must monitor not only changes in technology, but changes in the law relating to technology, citing recent cases like <a href="http://www.infolawgroup.com/2010/06/articles/workplace-privacy/quon-us-supreme-court-rules-against-privacy-on-employerissued-devices/"><em>Quon</em></a> and <a href="http://www.infolawgroup.com/2010/04/articles/workplace-privacy/privacy-privilege-and-the-cloud-oh-my-taking-lovingcare-to-heart/"><em>Stengart</em></a>.</p>
<p><strong>I am ready to bet that many lawyers already using the cloud (a)&nbsp; do not encrypt their data; (b) have not investigated their cloud provider's security measures; and/or (c)&nbsp; do not have a contractual provision requiring the cloud provider to notify them in the event of a data breach.&nbsp; The NYSBA opinion should be a wake-up call to those lawyers to address these issues immediately.&nbsp; </strong>Many will be lucky if they even have the ability to retrieve their information and transfer it to a different provider with better security measures without incurring significant cost and burden.</p>
<p><u><strong>California&nbsp;State Bar Standing Committee on Professional Responsibility and Conduct Proposed Formal Opinion Interim No. 08-0002 (Confidentiality and Technology)</strong></u></p>
<p>The <a href="http://ethics.calbar.ca.gov/Committees/COPRAC.aspx">California State Bar Standing Committee on Professional Responsibility and Conduct (COPRAC)</a> <a href="http://www.infolawgroup.com/uploads/file/LinkClick(1).pdf">Proposed Formal Opinion Interim No. 08-0002 (Confidentiality and Technology)</a>, while still not final, also speaks to lawyer use of the cloud.&nbsp;</p>
<p>The procedural history, and time that has already been devoted to this Proposed Opinion, demonstrates the difficulty that Bar associations face in keeping up with technology and technology law.&nbsp; COPRAC tentatively approved the Proposed Opinion at its September 10, 2009 meeting, more than a year ago, for a 90‑day public comment distribution with a January 4, 2010 deadline. Subsequently, at its August 6 &amp; 7, 2010 meeting, COPRAC revised the opinion in response to the public comments received and tentatively approved Formal Opinion Interim No. 08-0002 for an additional 30-day public comment distribution.&nbsp; The most recent comment period closed on September 20, 2010.</p>
<p>The Proposed Opinion examines whether an attorney violates the duties of confidentiality and competence he or she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties.&nbsp; (Thus the question presented is somewhat broader than the question addressed in the NYSBA opinion, which only looked at storage of encrypted data.)&nbsp; Relying on Rules 3-100 and 3-110 of <a href="http://rules.calbar.ca.gov/Rules/RulesofProfessionalConduct/CurrentRules.aspx">the Rules of Professional Conduct of the State Bar of California</a>, as well as <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&amp;group=06001-07000&amp;file=6060-6069">Cal. Bus. &amp; Prof. Code section 6068(e)(1)</a>, the Proposed Opinion says - well, &quot;it depends.&quot;</p>
<p>Specifically, the Proposed Opinion finds that the answer depends on the particular technology being used and the circumstances surrounding such use. Thus,</p>
<blockquote>
<p>Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client&rsquo;s instructions and circumstances, such as access by others to the client&rsquo;s devices and communications.</p>
</blockquote>
<p>It is a safe bet that most lawyers using the cloud today have never undertaken such a risk assessment.</p>
<p>The hypothetical scenario addressed by the CA Proposed Opinion is also fascinating in that lawyers do it every day and the conduct implicates security concerns beyond cloud computing - specifically, use of public wifi:</p>
<blockquote>
<p>Attorney is an associate at a law firm that provides a laptop computer for his use on client and firm matters and which includes software necessary to his practice. As the firm informed Attorney when it hired him, the computer is subject to the law firm&rsquo;s access as a matter of course for routine maintenance and also for monitoring to ensure that the computer and software are not used in violation of the law firm&rsquo;s computer and Internet-use policy. Unauthorized access by employees or unauthorized use of the data obtained during the course of such maintenance or monitoring is expressly prohibited. Attorney&rsquo;s supervisor is also permitted access to Attorney&rsquo;s computer to review the substance of his work and related communications.</p>
<p>Client has asked for Attorney&rsquo;s advice on a matter. Attorney takes his laptop computer to the local coffee shop and accesses a public wireless Internet connection to conduct legal research on the matter and email Client. He also takes the laptop computer home to conduct the research and email Client from his personal wireless system.</p>
</blockquote>
<p>The CA Bar, not unlike the NYSBA, enumerates a number of factors attorneys should consider <em>before</em> using particular technology, as follows:</p>
<ul>
    <li>The attorney's ability to assess the level of security afforded by the technology, including:
    <ul>
        <li>consideration of how the particular technology differs from other media use;</li>
        <li>whether reasonable precautions may be taken when using the technology to increase the level of security; and</li>
        <li>limitations on who is permitted to monitor the use of the technology, to what extent and on what grounds.</li>
    </ul>
    </li>
</ul>
<p>It is worth pausing here to note, as does the CA Bar in its Proposed Opinion, that many such reasonable precautions, such as encryption, firewalls, and password protection, are free or inexpensive and easily implemented:&nbsp;</p>
<blockquote>
<p>encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous. . . . if an attorney can readily employ encryption when using public wireless connections and has enabled his or her personal firewall, the risks of unauthorized access may be significantly reduced. Both of these tools are readily available and relatively inexpensive, and may already be built into the operating system. Likewise, activating password protection features on mobile devices, such as laptops and PDAs, presently helps protect against access to confidential client information by a third party if the device is lost, stolen or left unattended.</p>
</blockquote>
<p>Some free encryption services out there include <a href="http://www.secret123.com/">Secret 1-2-3 for Outlook email</a>, and <a href="http://www.truecrypt.org/">TrueCrypt for disk encryption</a>.</p>
<p>The Proposed Opinion also goes out of its way to admonish attorneys who are not comfortable with technology to get assistance from others who are conversant with technology and technology law:</p>
<blockquote>
<p>Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. <strong>If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.</strong></p>
</blockquote>
<p>(Emphasis added.)&nbsp;</p>
<p>But I digress.&nbsp; Back to the list of factors the CA Bar proposes attorneys should consider <em>before </em>using various technologies:</p>
<ul>
    <li>legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person's electronic information;</li>
    <li>the degree of sensitivity of the information. If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, <strong>the attorney should consider alternatives unless the client provides informed consent</strong>;</li>
    <li>possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including possible waiver of the privileges;</li>
    <li>&quot;The urgency of the situation. If use of the technology is necessary to address an imminent situation or exigent circumstances and other alternatives are not reasonably available, it may be reasonable in limited cases for the attorney to do so without taking additional precautions.&quot;</li>
    <li>client instructions - if a client has instructed an attorney not to use certain technology or an attorney is aware that others have access to the client's electronic devices or accounts and may intercept or be exposed to confidential client information, then such technology should <em>not</em> be used in the course of the representation.</li>
</ul>
<p><strong>It seems unlikely that most attorneys today have a provision in their engagement letters that describes &quot;the nature of the information to be transmitted with the technology, the purpose of the transmission and use of the information, the benefits and detriments that may result from transmission (both legal and nonlegal).&quot;&nbsp; Query whether it is even possible to obtain such informed consent in the initial engagement letter given the rapid changes in technology and security risks.&nbsp; Does this mean that the attorney must email the client to obtain consent each time he/she logs in at a hotel or at Starbucks?&nbsp; What about BlackBerry and iPhone use?</strong></p>
<p>Like the NYSBA, the CA Bar is not merely concerned with privilege - it also proposes requiring assessment of the impact of disclosure of non-privileged but still confidential information, something lawyers rarely consider:&nbsp; &quot;[h]arm from waiver of attorney-client privilege is possible depending on if and how the information is used, but harm from disclosure of confidential client information may be immediate as it does not necessarily depend on use or admissibility of the information, including as it does matters which would be embarrassing or would likely be detrimental to the client if disclosed.&quot;</p>
<p>So, how does the CA Bar answer the hypothetical question about the associate's use of wifi in the coffee shop and/or at home?&nbsp; The answer may surprise you:</p>
<ul>
    <li><u>wifi in the coffee shop (or at a hotel or in the airport, etc.) is off limits unless the attorney uses security measures and/or notifies the client and obtains informed consent</u>:&nbsp;</li>
</ul>
<p style="margin-left: 80px;"><strong>&quot;due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection . . . to work on Client‟s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall.&quot;&nbsp; </strong>The Proposed Opinion provides a non-exhaustive list of local security features available for use on individual computers (operating system firewalls, antivirus and antispam software, secure username and password combinations, and file permissions) as well as network safeguards that may be employed (network firewalls, network access controls such as virtual private networks (VPNs), inspection and monitoring).</p>
<p style="margin-left: 80px;"><strong>But that's not all the Bar thinks would be required in some (unidentified) circumstances:&nbsp; &quot;Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.&quot;</strong>&nbsp;</p>
<p style="margin-left: 80px;">And the Bar is quick to note its belief that client files stored on a computer may be at risk, regardless of whether the attorney has a file open, whenever the attorney is using an unsecured network connection without a firewall.</p>
<ul>
    <li><u>wifi at home is fine IF the wireless system has been configured with appropriate security features</u> - otherwise, notice and client informed consent may be necessary.&nbsp;</li>
</ul>
<p>So, at least according to the ABA, the NYSBA and the CA Bar, cloud computing and technology are no longer just for us technogeek lawyers.&nbsp; That's enough ethics and cloud for now (and probably for the month, right?).&nbsp; More to come soon.</p>]]></description>
<link>http://www.infolawgroup.com/2010/10/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-five-ethics-or-why-all-lawyersnot-just-technogeek-lawyers-like-meshould-care-about-data-security/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/10/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-five-ethics-or-why-all-lawyersnot-just-technogeek-lawyers-like-meshould-care-about-data-security/</guid>
<category>20/20</category><category>ABA</category><category>Attorney-Client Privilege</category><category>Breach Notice</category><category>Breach Notification</category><category>COPRAC</category><category>Cloud Computing</category><category>Cloud Computing Series</category><category>Data Destruction</category><category>Data Privacy Law or Regulation</category><category>Encryption</category><category>Formal Opinion Interim No. 08-0002</category><category>Information Security</category><category>Massachusetts 210 CMR 17.00</category><category>Massachusetts Data Security Regulations</category><category>New York State Bar Association</category><category>Opinion 842</category><category>PII</category><category>Reasonable Security</category><category>Special Series</category><category>Standards</category><category>State Bar of California</category><category>Workplace Privacy</category><category>client confidentiality</category><category>encrypt</category><category>ethics</category><category>lawyers</category><category>online storage</category><category>professional responsibility</category><category>technology</category><category>wifi</category>
<pubDate>Tue, 19 Oct 2010 14:17:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>The Connecticut Insurance Department Bulletin on Breach Notification</title>
<description><![CDATA[<p>Think there's nothing new in the world of state breach notification laws and regulations?&nbsp; Think again.&nbsp; On a Wednesday in August, the State of Connecticut Insurance Department issued <a href="http://www.infolawgroup.com/uploads/file/CT Ins Dept Bulletin_IC_25_Data_Breach_Notification.pdf">Bulletin IC-25</a>&nbsp;to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that&nbsp;ALL licensees and registrants notify the Department of any information security incident which affects any Connecticut residents.&nbsp; This is in addition to, and goes beyond, the existing breach notification requirements under <a href="http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm">Conn. Gen. Stat. 36a-701(b)</a>.&nbsp; The procedural requirements set forth in the Bulletin are extensive, detailed, and will require covered organizations to act VERY quickly when they learn of a potential incident.&nbsp; Following are the basics:<br />
&nbsp;</p>]]><![CDATA[<ul>
    <li>How does the Connecticut Insurance Department define &quot;information security incident&quot;?</li>
</ul>
<p>The Bulletin defines &quot;information security incident&quot; very broadly&nbsp;to include</p>
<blockquote>
<p>any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, <strong>whether or not encrypted</strong>, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.</p>
</blockquote>
<p>The requirement that covered organizations provide notice, even where the information is encrypted, is contrary to <a href="http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm">Connecticut's existing breach notification law</a> and to most of the 46&nbsp;<a href="http://www.ncsl.org/Default.aspx?TabId=13489">state breach notification statutes</a>, the majority of which provide a safe harbor from notice&nbsp;to organizations that encrypt covered information (according to the definitions of encryption set forth in each particular statute).&nbsp; These safe harbors for encrypted data&nbsp;in most state laws are designed to incentivize organizations to put in place safeguards such as encryption to protect data such that it cannot be read or reconstructed in the event of an incident.&nbsp; As the Connecticut Insurance Department itself recognizes in the Bulletin, &quot;with the overwhelming amount of information obtained and maintained by all businesses[, . . .] there will be at times information security incidents which are beyond the control of the best management practices.&quot;&nbsp; Thus, it is strange that the&nbsp;Department does not exempt organizations from notification requirements when the organization has taken steps to implement best practices and appropriate controls such as encryption.</p>
<ul>
    <li>When do I have to provide notice to the Insurance Commissioner?</li>
</ul>
<p><strong>Immediately.&nbsp; Really.</strong>&nbsp; Covered organizations must notify&nbsp;the Department of an information security incident which affects any Connecticut residents as soon as the incident is identified, but <strong>no later than five (5) calendar days after the incident is identified</strong>.&nbsp;</p>
<p>You read that correctly - five (5) calendar days.&nbsp; This is one of the shortest (if not THE shortest)&nbsp;notification timeframes on the books,&nbsp;outdoing even California's statutory five business&nbsp;day breach notice&nbsp;requirement&nbsp;for clinics, health facilities, home health agencies,&nbsp;and hospices reporting to the State Department of Public Health and to affected&nbsp;individuals (<a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=hsc&amp;group=01001-02000&amp;file=1275-1289.5">California Health &amp; Safety Code section 1280.15</a>).</p>
<ul>
    <li>What should be included in the notice to the Insurance Commissioner?</li>
</ul>
<p>Once again, the Connecticut Insurance Department goes beyond existing state laws, stating that notification should include as much of the following as is known:</p>
<ol>
    <li>Date of the incident;<br />
    &nbsp;</li>
    <li>Description of incident (how information was lost, stolen, breached);<br />
    &nbsp;</li>
    <li>How discovered?;<br />
    &nbsp;</li>
    <li>Has lost, stolen, or breached information been recovered? If so, how?;<br />
    &nbsp;</li>
    <li>Have individuals involved in the incident (both internal and external) been identified?;<br />
    &nbsp;</li>
    <li>Has a police report been filed?;<br />
    &nbsp;</li>
    <li>Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc);<br />
    &nbsp;</li>
    <li><strong>Was information encrypted?;<br />
    </strong>&nbsp;</li>
    <li>Lost, stolen or breached information covers what period of time?;<br />
    &nbsp;</li>
    <li>How many Connecticut residents affected?;<br />
    &nbsp;</li>
    <li><strong>Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed;<br />
    </strong>&nbsp;</li>
    <li>Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur;<br />
    &nbsp;</li>
    <li><strong>Copies of the licensee's/registrant's Privacy Policies and Data Breach Policy;</strong><br />
    &nbsp;</li>
    <li>Regulated entity contact person for the Department to contact regarding the incident (someone who is both familiar with the details and able to authorize actions for the licensee or registrant); and<br />
    &nbsp;</li>
    <li>Other regulatory or law enforcement agencies notified (who, when).</li>
</ol>
<ul>
    <li>How should notice be sent?</li>
</ul>
<p>Notice must be sent to the Insurance Commissioner via first class mail, overnight delivery service or electronic mail.&nbsp; (Given the five calendar day notice requirement, organizations should strongly consider electronic mail as a first step to ensure notice arrives&nbsp;in time).</p>
<ul>
    <li>Can I notify the affected individuals first?</li>
</ul>
<p><strong>No.</strong>&nbsp; <strong>The Connecticut Insurance Department wants to review the draft notices to individuals before they go out.</strong>&nbsp; The Bulletin states as follows:</p>
<blockquote>
<p>The Department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.&nbsp;</p>
<p>The Department Market Conduct Division has the responsibility for monitoring the activities associated with any information security incident and will contact the designated licensee or registrant contact for additional information as necessary and to set up a monitoring process. . . .</p>
</blockquote>
<ul>
    <li>Do I have to notify the Connecticut Insurance Department if one of my vendors is responsible for a breach?</li>
</ul>
<p><strong>Yes.</strong>&nbsp; The Bulletin provides that <strong>an information security incident at or by a vendor or business associate of a licensee or registrant</strong>, which has the potential of affecting personal health, financial, or personal information of a Connecticut insured, member, subscriber, policyholder or provider of a licensee or registrant,<strong> should be reported by the licensee or registrant to the Department</strong>.&nbsp; <strong>The Department also states that it will want to be kept informed of how the licensee or registrant is managing the vendor's activities and what protections and remedies are being put in place by the vendor for the Connecticut consumers</strong>.</p>
<ul>
    <li>Does the Insurance Commissioner intend to enforce these requirements?</li>
</ul>
<p>Yes.&nbsp; The Bulletin states that &quot;<strong>some situations may warrant imposition of administrative penalties by the Department</strong>.&quot;</p>
<ul>
    <li>How can I avoid an enforcement action?</li>
</ul>
<p>The Bulletin urges licensees and registrants to follow the procedures set forth in the Bulletin&nbsp;(and&nbsp;described&nbsp;above)&nbsp;to minimize the potential for administrative penalties being imposed.</p>
<ul>
    <li>Does the Connecticut Insurance Department have authority to impose these requirements?</li>
</ul>
<p>The Bulletin states that the authority to compel this notification to the Department is provided to the Commissioner under Conn. Gen. Stat. &sect;38a-8 which provides the Commissioner with &quot;all powers specifically granted, and all further powers that are reasonable and necessary to enable the Commissioner to protect the public interest&quot; in accordance with the duties imposed on the Commissioner by the insurance statutes.&nbsp; The Bulletin also states that, in order to maintain licenses to do business in Connecticut, insurers and health care centers are required to exhibit evidence of good management as required by Conn. Gen. Stat. &sect;38a-41 and&nbsp;that the other licensee and registrant entities have similar requirements to do business in Connecticut.&nbsp;The Bulletin also cites Conn. Gen. Stat. &sect;38a-4780 as requiring that each managed care organization conform to all applicable state and federal antidiscrimination and confidentiality statutes and that&nbsp;it&nbsp;ensure that the confidentiality of specified enrollee patient information and records in its custody is protected.&nbsp; Finally, the Bulletin notes that,&nbsp;under the insurance laws, the Commissioner has been given additional authority to protect the personal information of insurance consumers pursuant to the relevant portions of Conn. Gen. Stat. &sect;42-471.&nbsp;&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2010/09/articles/breach-notification-2/the-connecticut-insurance-department-bulletin-on-breach-notification/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/09/articles/breach-notification-2/the-connecticut-insurance-department-bulletin-on-breach-notification/</guid>
<category>Breach Notice</category><category>Breach Notification</category><category>Connecticut</category><category>insurance</category>
<pubDate>Tue, 14 Sep 2010 14:50:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Do Your Due Diligence-is the Forecast Cloudy or Clear?</title>
<description><![CDATA[<p>Dave and I recently spoke with <em>BNA's Daily Report for Executives </em>about the&nbsp;importance of&nbsp;due diligence and planning for organizations entering into (or considering)&nbsp;enterprise&nbsp;cloud computing arrangements.&nbsp;&nbsp;The article is reproduced here with permission from Daily Report for Executives, 168 DER C-1 (Sept. 1, 2010). Copyright 2010 by The Bureau of National Affairs, Inc. (800-372-1033) <a href="http://www.bna.com">http://www.bna.com</a>.&nbsp; You can find the article,&nbsp;<em><a href="http://www.infolawgroup.com/uploads/file/BNA Sept 2010 Article(1).pdf">&lsquo;Cloud&rsquo; Customers Facing Contracts With Huge Liability Risks, Attorneys Say</a></em>,&nbsp;<a href="http://www.infolawgroup.com/uploads/file/BNA Sept 2010 Article.pdf">here</a>.</p>
<p>As&nbsp;you can probably tell, the attorneys of InfoLawGroup have been quite&nbsp;busy of late.&nbsp; We promise to bring you new posts very&nbsp;soon on recent developments in breach notification, cloud, and even ethics.&nbsp; Stay tuned.</p>
]]></description>
<link>http://www.infolawgroup.com/2010/09/articles/cloud-computing-1/do-your-due-diligenceis-the-forecast-cloudy-or-clear/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/09/articles/cloud-computing-1/do-your-due-diligenceis-the-forecast-cloudy-or-clear/</guid>
<category>Cloud Computing</category><category>Cloud Computing Series</category><category>Information security contracts</category><category>contracts</category><category>due diligence</category><category>enterprise</category><category>risk assessment</category><category>risk management</category>
<pubDate>Mon, 13 Sep 2010 18:38:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Yet Another Proposed Federal Data Security and Breach Notification Bill: Senators Rockefeller and Pryor Jump Into the Fray</title>
<description><![CDATA[<p>Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law.&nbsp; This year has seen many of the usual proposals.&nbsp; For those of you keeping track, this year's bills include:&nbsp; Rep. Rush's <a href="http://www.infolawgroup.com/2010/02/articles/data-privacy-law-or-regulation/the-breach-notification-obligations-in-the-data-accountability-and-trust-act/">Data Accountability and Trust Act -- HR 2221</a>; Sen. Leahy's <a href="http://www.infolawgroup.com/2009/11/articles/breach-notification-2/will-2010-see-the-enactment-of-a-comprehensive-federal-data-security-law/">Personal Data Privacy and Security Act - S. 1490</a>; Sen. Feinstein's <a href="http://www.infolawgroup.com/2009/11/articles/breach-notification-2/will-2010-see-the-enactment-of-a-comprehensive-federal-data-security-law/">Data Breach Notification Act - S. 139</a>; and Sens. Carper's and Bennett's <a href="http://www.infolawgroup.com/uploads/file/CarperBennett S_ 3579.pdf">&quot;Data Security Act of 2010&quot; - S. 3579</a>.&nbsp; However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including <a href="http://www.infolawgroup.com/2010/05/articles/behavioral-advertising/breaking-down-the-boucher-bill/">Rep. Boucher's &quot;discussion draft&quot;</a> and Rep. Rush's <a href="http://www.infolawgroup.com/2010/08/articles/regulations/faq-on-the-best-practices-act-part-two/">&quot;Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards&quot; Act (or &ldquo;BEST PRACTICES Act&rdquo;)</a>.&nbsp;</p>
<p>Most recently, on August 5, Sens. Pryor and Rockefeller introduced the <a href="http://www.infolawgroup.com/uploads/file/RockefellerPryor S_ 3742.pdf">&quot;Data Security and Breach Notification Act of 2010&quot; - S. 3742</a> (hereinafter &quot;S. 3742&quot; or the &quot;Act&quot;).&nbsp; S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation&nbsp; mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES&nbsp;Act.&nbsp; This post summarizes the key provisions in S. 3742.</p>]]><![CDATA[<p><u>Who is Covered</u></p>
<p>The proposed legislation would apply to persons and entities over which the FTC has authority AND non-profits.</p>
<p><u>Definition of Personal Information</u></p>
<p>Interestingly, the proposed definition of personal information looks like the traditional definition used in this country and not the more expansive definitions proposed in the Boucher Bill and BEST PRACTICES Act. The bill defines personal information as &quot;an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number. (ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.&quot;</p>
<p>However, the bill would allow the FTC to modify this definition by rulemaking (a) for purposes of the information security program and information broker provisions to the extent that the modification would not unreasonably impede interstate commerce and would accomplish the purposes of this Act; or (b) for purposes of the breach notification requirements to the extent that the modification is necessary to accommodate changes in technology or practices, would not unreasonably impede interstate commerce, and would accomplish the purposes of this Act.</p>
<p><u>Preemption</u></p>
<p>S. 3742 would preempt any state law that expressly (1) requires information security practices and treatment of data containing personal information similar to any of those required by the bill; and (2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.&nbsp; The Act also makes clear that no person other than State Attorneys General may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of the Act.</p>
<p><u>Information Security Policies, Procedures and Programs</u></p>
<p>Like several of the other proposed federal bills, S. 3742 would require the FTC&nbsp;to promulgate regulations to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.&nbsp; Reminiscent of some existing state and sectoral privacy and data security laws, this bill would require that such policies and procedures take into consideration (a) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity; (b) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (c) the cost of implementing such safeguards.&nbsp;</p>
<p>Such policies and procedures would include (a) a security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information; (b) the identification of an officer or other individual as the point of contact with responsibility for the management of information security; (c) a process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by the covered entity, including regular monitoring for a breach of security; (d) a process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process, which might include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software; (e) a process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable; and (f) a standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.</p>
<p>All of this sounds very similar to the <a href="http://www.ftc.gov/privacy/privacyinitiatives/glbact.html">Gramm-Leach-Bliley Act</a> and <a href="http://www.infolawgroup.com/2009/11/articles/massachusetts-210-cmr-1700/analyzing-the-riskbased-factors-of-massachusetts-data-security-law/">Massachusetts' data security regulations, 201 CMR 17.00 <em>et seq</em>.</a> (which took effect in March of this year) and therefore should not come as a surprise to most national or multinational organizations.</p>
<p><u>Special Requirements for Information Brokers</u></p>
<p>Not unlike the Leahy bill, S. 1490, S. 3742 includes a number of provisions that impose additional burdens and requirements on the collection, use, and disclosure of information by &quot;information brokers.&quot;&nbsp; These requirements include accuracy, access, and dispute requirements similar to the <a href="http://www.ftc.gov/os/statutes/031224fcra.pdf">Fair Credit Reporting Act's (FCRA)</a> requirements for consumer reporting agencies.&nbsp; Indeed, the bill explicitly provides that information brokers engaged in activities subject to FCRA and who are in compliance with sections 609, 610, and 611 of FCRA shall be deemed to be in compliance with certain of the bill's information broker provisions.</p>
<p>So the first question is - well, who is an &quot;information broker&quot;?&nbsp; An &quot;information broker&quot; under the bill:</p>
<blockquote>
<p>(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and</p>
<p>(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.</p>
</blockquote>
<p>The bill explicitly exempts from its information broker provisions &quot;a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.&quot;</p>
<p>Information brokers would be required to submit their security policies to the FTC in conjunction with a notification of a breach of security or upon request of the Commission.&nbsp; Further, for any information broker required to provide notification of a security breach, the proposed legislation gives the FTC authority to conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).</p>
<p>In addition, information brokers would be required, with certain limited exceptions, to establish reasonable procedures to assure the maximum possible accuracy of the information they collect, assemble, or maintain regarding individuals other than information which merely identifies an individual's name or address.&nbsp;</p>
<p>The bill also would require information brokers to provide to each individual whose personal information they maintain, at the individual's request at least one time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review their information, and to place a conspicuous notice on their websites instructing individuals how to request access to such information and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes.&nbsp; (This refers to another portion of the bill that requires an information broker that maintains any information which is used, shared, or sold by such information broker for marketing purposes to, in lieu of complying with the normal access and dispute requirements, provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.)</p>
<p>Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, would be required to correct any inaccuracy.&nbsp; There are exceptions to the access and dispute requirements in certain limited circumstances.</p>
<p>Information brokers would also be required to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information that they collect, assemble, or maintain.</p>
<p>The bill includes anti-pretexting provisions that would make it unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by (i) making a false, fictitious, or fraudulent statement or representation to any person; or (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.</p>
<p><u>Breach Notification Requirements</u></p>
<p>The breach notification provisions of S. 3742 would require that any covered entity that owns or possesses <em>data in electronic form</em> containing personal information, not later than 60 days following the discovery of a breach of security of the system maintained by such covered entity that contains such data, (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and (2) notify the FTC.&nbsp; The bill requires that a covered entity notify the major national credit reporting agencies of the timing and distribution of the notices if the covered entity must provide notification to more than 5,000 individuals.&nbsp; Such notice must be provided <em>prior</em> to distribution of the notices to affected individuals if it will not delay notice to those individuals.</p>
<p>Before discussing in detail the breach notification requirements, it is important to note a major exemption and presumption built into the bill.&nbsp; There is a risk of harm threshold in this bill.&nbsp; A covered entity is exempt from the requirements if, following a breach of security, such covered entity determines that there is &quot;no reasonable risk of identity theft, fraud, or other unlawful conduct.&quot;&nbsp; Significantly, and reminiscent of <a href="http://www.infolawgroup.com/2009/10/articles/health-care/the-new-health-care-breach-notification-landscape-hhs-rules/">the breach notification provisions in the HITECH Act</a>, if the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field), there would be a <em>presumption</em> that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case, have been or are reasonably likely to be compromised.&nbsp;</p>
<p>It is clear that encryption is only one such technology or methodology anticipated by the bill.&nbsp; The bill directs that, not later than one year after the date of the enactment and biannually thereafter, the Commission, after consultation with the National Institute of Standards and Technology (NIST),  relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies, issue rules or guidance to identify security methodologies or technologies, <em>such as</em> encryption, which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data.&nbsp;</p>
<p>The law would require provision of two years of credit monitoring services.&nbsp; A covered entity required to provide notification must, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual (A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual's request and continuing on a quarterly basis for a period of 2 years thereafter; or (B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual's request and continuing for a period of 2 years.&nbsp; (There is an exception if the only personal information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.)&nbsp; As part of the FTC's obligation to promulgate regulations on breach notification, the FTC must &quot;establish a simple process under which a covered entity that is a small business or small non-profit organization may request a partial waiver or a modified or alternative means of responding if providing or arranging for such reports, monitoring, or service is not feasible due to excessive costs relative to the resources of the small business or small non-profit entity and the level of harm to consumers caused by the data breach.&quot;</p>
<p>The notification to individuals must include:</p>
<blockquote>
<p>(i) the date, estimated date, or estimated date range of the breach of security;</p>
<p>(ii) a description of the personal information that was acquired or accessed by an unauthorized person;</p>
<p>(iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;</p>
<p>(iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;</p>
<p>(v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and</p>
<p>(vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.</p>
</blockquote>
<p>In the event of a breach of security of the system maintained by any third party entity contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity would be required to notify the covered entity of the breach of security.</p>
<p>Interestingly, the bill includes special provisions for &quot;service providers,&quot; defined as covered entities &quot;that provide[] electronic data transmission, routing, intermediate and transient storage, or connections to [their] system or network, where the covered entit[ies] providing such services do[] not select or modify the content of the electronic data, [are] not the sender or the intended recipient of the data, and such covered entit[ies] transmit[], route[], store[], or provide[] connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections.&quot;&nbsp; For breach notification purposes, the bill provides that, if a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider is required to notify <em>only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified</em>.</p>
<p>Notification of individuals may be delayed if a covered entity can show that providing notice within 60 days of discovery is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case the notification must be made as promptly as possible.&nbsp; As in most proposed federal bills and many existing state breach notification laws, if a law enforcement agency determines that the notification would impede a civil or criminal investigation, notification must be delayed upon the written request of the law enforcement agency (in this case for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing). A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request if further delay is necessary.&nbsp; Similarly, if a Federal national security agency or homeland security agency determines that the notification would threaten national or homeland security, notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. The agency may revoke such delay or extend the period of time set forth in the original request by a subsequent written request if further delay is necessary.</p>
<p>Notification must be provided in writing by mail (or email under certain circumstances).&nbsp; Substitute notification is allowed if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to (i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the FTC, or (ii) lack of sufficient contact information for the individual required to be notified.&nbsp; Like <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&amp;group=01001-02000&amp;file=1798.80-1798.84">California's SB 1386 (Civil Code section 1798.82)</a>, such substitute notification must include (i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification; (ii) a conspicuous notice on the website of the covered entity; <em>and</em> (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.</p>
<p>The bill requires the FTC to promulgate regulations regarding breach notification AND to provide and publish general guidance on compliance, including (i) a description of written or e-mail notification that complies with the requirements; and (ii) guidance on the content of substitute notification.</p>
<p>The bill grants the FTC&nbsp;authority to place any breach notifications it receives in a clear and conspicuous location on its website if the Commission finds that doing so would be in the public interest or for the protection of consumers.</p>
<p><u>Enforcement</u></p>
<p>The FTC&nbsp;and State Attorneys General may enforce the bill.</p>]]></description>
<link>http://www.infolawgroup.com/2010/08/articles/data-privacy-law-or-regulation/yet-another-proposed-federal-data-security-and-breach-notification-bill-senators-rockefeller-and-pryor-jump-into-the-fray/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/08/articles/data-privacy-law-or-regulation/yet-another-proposed-federal-data-security-and-breach-notification-bill-senators-rockefeller-and-pryor-jump-into-the-fray/</guid>
<category>Breach Notice</category><category>Breach Notification</category><category>Data Privacy Law or Regulation</category><category>Data Security and Breach Notification Act</category><category>FTC</category><category>Pryor</category><category>Rockefeller</category><category>S. 3742</category><category>information brokers</category><category>information security program</category><category>preemption</category>
<pubDate>Mon, 16 Aug 2010 20:58:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Upcoming Events</title>
<description><![CDATA[<p>The attorneys of InfoLawGroup have been very busy this summer, and August is no exception.&nbsp; In addition to our regular day-to-day work, we will (somehow) find the time to attend some great events in August.&nbsp; If you will be in San Francisco and/or Seattle later this month, please join us, we would love to see you:</p>
<ul>
    <li>Later this week, August 5 and 6, <em>all</em> of us will be in San Francisco for, among other things, the <a href="http://www.infolawgroup.com/uploads/file/ISC Meeting.pdf">meetings of the Information Security Committee of the Science and Technology Law </a>Section at this year's <a href="http://www.abanow.org/2010/07/aba-annual-meeting-brings-national-leaders-of-the-legal-profession/">American Bar Association Annual Meeting</a>.&nbsp; We look forward to some great presentations, including &quot;Breaking Down Walls: The Confluence of Security, Privacy and Law,&quot; one of our favorite subjects, moderated by our friend Peter McLaughlin of Foley &amp; Lardner and featuring John Tomaszewski of TRUSTe and Bob West, CEO of Echelon One, LLC.<br />
    &nbsp;</li>
    <li>In a couple of weeks, InfoLawGroup will be in Seattle for the <a href="http://pii2010.com/">pii2010 - privacy identity innovation conference</a>. Taking place August 17-19 during &quot;Seattle Geek Week,&quot; pii2010 will explore how emerging technologies and business models are impacting the way data is created, shared and aggregated, and how to strike a balance between protecting sensitive information and enabling innovation. Areas of focus will include:<br />
    <br />
    <ul>
        <li>Effective approaches for building online trust with users</li>
        <li>Ways in which user preferences and social norms are shifting</li>
        <li>Changes in the regulatory landscape, in the U.S. and internationally</li>
        <li>The role of anonymity and the future of reputation management on the Web</li>
        <li>The latest developments in user-centric identity management</li>
    </ul>
    </li>
</ul>
<p style="margin-left: 40px;">In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for brainstorming and collaborating, taking place at the Space Needle building on August 19. For more information and to register, visit <a href="http://pii2010.com/">http://pii2010.com</a>.&nbsp; Speakers will include Michelle Dennedy of Oracle, Jim Reavis of the Cloud Security Alliance, and Chris Hoofnagle of Berkeley's Center for Law &amp; Technology and the Samuelson Law, Technology &amp; Public Policy Clinic.&nbsp; We expect this to be a great event.&nbsp; I will be blogging on location at pii2010, so keep an eye out for that.</p>
<p>Best wishes to all for a wonderful August!</p>]]></description>
<link>http://www.infolawgroup.com/2010/08/articles/uncategorized/upcoming-events/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/08/articles/uncategorized/upcoming-events/</guid>
<category>ABA</category><category>American Bar Association</category><category>ISC</category><category>Information Security Committee</category><category>Law</category><category>Privacy</category><category>Science and Technology Law</category><category>Security</category><category>Uncategorized</category><category>pii2010</category>
<pubDate>Wed, 04 Aug 2010 11:22:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>FAQ on the Proposed Modifications to the HIPAA Rules: Part Two</title>
<description><![CDATA[<p>This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week.&nbsp; <a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/">Part One</a> can be found <a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/">here</a>. Part Two&nbsp;focuses on the proposed modifications to the Privacy Rule.</p>]]><![CDATA[<ul>
    <li><strong>I know the Security Rule would now apply to business associates.&nbsp; What about the Privacy Rule?</strong></li>
</ul>
<p>Yes, the proposed modifications make clear, consistent with the HITECH Act, that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates.&nbsp; Specifically, among other things:</p>
<ol>
    <li>a business associate may not use or disclose PHI except as permitted or required by the Privacy Rule or the Enforcement Rule;<br />
    &nbsp;</li>
    <li>a business associate may use or disclose PHI only as permitted or required by its business associate contracts or as required by law;<br />
    &nbsp;</li>
    <li>if a covered entity and business associate have failed to enter into a business associate contract or other arrangement, then the business associate may use or disclose PHI only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement sets the general terms for the relationship between the covered entity and business associate) or as required by law;<br />
    &nbsp;</li>
    <li>a business associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity, except that the business associate may use or disclose PHI for uses and disclosures for the proper management and administration of the business associate and the provision of data aggregation services for the covered entity, if such uses and disclosures are permitted by its business associate contract or other arrangement;<br />
    &nbsp;</li>
    <li>a business associate must disclose PHI either when required by the Secretary in connection with an investigation or determination of the business associate's compliance, or to the covered entity, individual, or individual&rsquo;s designee, as necessary to satisfy a covered entity&rsquo;s obligations with respect to an individual&rsquo;s request for an electronic copy of PHI (see more on&nbsp;access rights&nbsp;below);<br />
    &nbsp;</li>
    <li>when a business associate uses, discloses, or requests PHI, it must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;<br />
    &nbsp;</li>
    <li>a business associate may disclose PHI to a business associate that is a subcontractor, and may allow the subcontractor to create or receive PHI on behalf of the business associate, if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.&nbsp; See 8 below;<br />
    &nbsp;</li>
    <li><em>as discussed with respect to the proposed modifications to the Security Rule in </em><a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/"><em>Part One</em></a><em>,&nbsp; a covered entity is not required to obtain satisfactory assurances from a business associate that is a subcontractor.&nbsp; Instead, the business associate must obtain satisfactory assurances, through a written contract or other arrangement, from subcontractors that provide that the subcontractor will comply with the applicable requirements of the Rules. A business associate must enter into business associate contracts, or other arrangements that comply with the Privacy and Security Rules, with their business associate subcontractors in the same manner that covered entities are required to enter into contracts or other arrangements with their business associates</em>;<br />
    &nbsp;</li>
    <li>like covered entities, if&nbsp;a business associate&nbsp;knows of a pattern or practice of activity of its business associate subcontractor that constitutes a material breach or violation of the subcontractor&rsquo;s contract or other arrangement, it must take reasonable steps to cure the breach of the subcontractor or to terminate the contract, if feasible;<br />
    &nbsp;</li>
    <li><em>with respect to business associate agreements, all such contracts must now&nbsp;specify that a business associate (a) comply, where applicable, with the Security Rule with regard to ePHI, (b) report breaches of unsecured PHI to covered entities, (c) ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information, and (d) to the extent it is to carry out a covered entity&rsquo;s obligation, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligation (to clarify that a business associate is contractually liable not only for uses and disclosures of PHI, but also for all other requirements of the Privacy Rule, as they pertain to the performance of the business associate&rsquo;s contract)</em>.&nbsp;</li>
</ol>
<p>HHS notes that it need not add references to business associates everywhere in the Privacy Rule because a business associate generally may only use or disclose PHI&nbsp; in the same manner as a covered entity, and therefore any Privacy Rule limitation on how a covered entity may use or disclose protected health information &quot;automatically extends to business associates.&quot;</p>
<ul>
    <li><strong>Do the modifications change business associate responsibilities regarding notices of privacy practices?</strong></li>
</ul>
<p>The proposed modifications would require organizations that currently issue notices of privacy practices to make material changes to those notices (for more, read on below).&nbsp; However, the proposed modifications do not appear to change the existing rules as to<em> who </em>is responsible for issuing the notice of privacy practices.&nbsp; Ordinarily that is the covered entity, although the covered entity may require a business associate to do so by contract.&nbsp; If a business associate fails to do so, although it may have contractual liability, the covered entity is still liable under the statute since it has the ultimate responsibility to maintain and&nbsp;distribute the notice.</p>
<ul>
    <li><strong>Does HHS really expect all covered entities and business associates to amend their business associate contracts within 180 days of the new Rules going into effect?</strong></li>
</ul>
<p>No.&nbsp; <em>HHS proposes to relieve some of the burden on covered entities and business associates in complying with the revised business associate provisions by adding a transition provision to grandfather certain existing WRITTEN contracts for a specified period of time - specifically, the transition period would allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under existing contracts for up to one year beyond the compliance date of the revisions to the Rules if, prior to the publication date of the modified Rules, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, that complied with the prior provisions of the HIPAA Rules and such contract or arrangement was not renewed or modified between the effective date and the compliance date of the modifications to the Rules.&nbsp;</em> The transition period would also apply to contracts that renew automatically without any change in terms or other action by the parties (&quot;evergreen contracts&rdquo;) - deemed compliance would not terminate when these contracts automatically roll over.&nbsp; The transition period applies ONLY to amendments of contracts; it has no other application to the compliance date for the new Rules, discussed in <a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/">Part One</a>.</p>
<ul>
    <li><strong>Does the NPRM address notices of privacy practices (NPPs)?</strong></li>
</ul>
<p>Yes, there are&nbsp;important changes.&nbsp; The proposed modifications would require that all NPPs include a statement that describes the uses and disclosures of PHI that require an authorization under &sect;164.508(a)(2) through (a)(4), and to provide that other uses and disclosures not described in the notice will be made only with the individual&rsquo;s authorization. HHS explains that &quot;[t]he proposed provision would ensure that covered entities provide notice to individuals indicating that most disclosures of protected health information for which the covered entity receives remuneration would require the authorization of the individual. Such uses and disclosures may have previously been permitted under other provisions of the Rule but now require authorization.&quot;</p>
<p>The changes would also require that covered entities provide notice that most uses and disclosures of psychotherapy notes and for marketing purposes require an authorization.&nbsp; Further, a covered entity that intends to send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration in exchange for making the communication would be required to inform the individual in advance in the NPP, as well as inform the individual that he or she has the opportunity to opt out of receiving such communications.&nbsp; In addition, the proposed modifications would add a requirement that the NPP inform individuals that they have a right to opt out of receiving fundraising communications.&nbsp; For more on the other changes to requirements for communications for which the provider receives financial remuneration, and fundraising communications, see below.</p>
<p>Due to implementation of the HITECH Act requirements in the proposed modifications to the Rule, the NPP&nbsp;can no longer state that a covered entity is not required to agree to an individual's request for restrictions.&nbsp; There will be certain circumstances where a covered entity is required to agree.&nbsp; For more information, see below.&nbsp;&nbsp;</p>
<p>HHS seeks comment as to whether the Privacy Rule should require a specific statement in the NPP regarding breach notification duties, and on what particular aspects of this new duty would be important for individuals to be notified of in the NPP.</p>
<ul>
    <li><strong>Wouldn't these modifications require material changes to the NPP&nbsp;that would trigger a requirement to revise and redistribute the NPP?</strong></li>
</ul>
<p>Indeed.&nbsp; As noted by HHS, these modifications would constitute a material change to the NPP&nbsp;of a covered entity.&nbsp; The existing Rule requires that, when there is a material change to the NPP, covered entities must promptly revise and distribute the NPP, and that health plans provide notice to individuals covered by the plan within 60 days of any material revision to the NPP.</p>
<p>HHS recognizes that revising and redistributing a NPP may be costly for health plans and seeks&nbsp; comment on ways to inform individuals of this change to privacy practices without unduly burdening health plans. HHS is considering the following and seeks comment thereon:&nbsp; &quot;(1) replace the 60-day requirement with a requirement for health plans to revise their NPPs and redistribute them (or at least notify members of the material change to the NPP and how to obtain the revised NPP) in their next annual mailing to members after a material revision to the NPP, such as at the beginning of the plan year or during the open enrollment period; (2) provide a specified delay or extension of the 60-day timeframe for health plans; (3) retain the provision generally to require health plans to provide notice within 60-days of a material revision but provide that the Secretary will waive the 60-day timeframe in cases where the timing or substance of modifications to the Privacy Rule call for such a waiver; or (4) make no change, and thus, require that health plans provide notice to individuals within 60 days of the material change to the NPP that would be required by this proposed rule.&quot;</p>
<p>By contrast, HHS does not think the following existing requirements will be overly burdensome on providers and does not propose any changes:&nbsp; when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must have the NPP available at the delivery site and post the notice in a clear and prominent location.&nbsp; Nonetheless, HHS seeks comment on this issue.</p>
<ul>
    <li><strong>Can an individual restrict disclosure of certain PHI to a health plan under the proposed modifications?</strong></li>
</ul>
<p>Yes.&nbsp; The proposed modifications would require a covered entity, upon request from an individual, to agree to a restriction on the disclosure of PHI to a health plan if: (A) the disclosure is for the purposes of carrying out payment or healthcare operations and is not otherwise required by law; and (B) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. In cases where an individual has exercised his or her right to have such a restriction placed, the covered entity is also prohibited from making such disclosure to a business associate of the health plan.</p>
<p>HHS notes its belief that the HITECH Act provides the individual with the right to determine for which health care items or services the individual wishes to pay out of pocket and restrict, and therefore does not believe a covered entity could require individuals who wish to restrict disclosures about only certain health care items or services to a health plan to restrict disclosures of PHI regarding all health care to the health plan - &quot;i.e., to require an individual to have to pay out of pocket for all services to take advantage of this right regardless of the particular health care item or service about which the individual requested the restriction.&quot;</p>
<p>The requirement would not apply where the individual fails to pay in full.&nbsp; However, HHS expects covered entities to make some attempt to resolve the payment issue with the individual prior to sending the PHI to the health plan, &quot;such as by notifying the individual that his or her payment did not go through and to give the individual an opportunity to submit payment.&quot;&nbsp; HHS seeks comment on the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to submitting PHI to the health plan for payment.</p>
<p>HHS recognizes that this provision may be difficult to implement in some circumstances, providing some examples, and requests comment &quot;on the types of interactions between individuals and covered entities that would make requesting or implementing a restriction more difficult.&quot;&nbsp;&nbsp;</p>
<p>HHS wonders how this provision will function as to HMOs, and seeks comments.&nbsp; Specifically, HHS is concerned that individuals who belong to an HMO may have to use an out-of-network provider if they wish to ensure that certain PHI is not disclosed to the HMO.</p>
<p>HHS is also concerned about whether covered entities should be required to communicate these restrictions downstream to new providers, and seeks comment thereon, providing another real life example.</p>
<p>Even if such restrictions are in place, a covered entity may make disclosures &quot;required by law,&quot; as defined in the Rule.&nbsp; HHS seeks comment on examples of the types of disclosures that may fall under this provision.</p>
<p>HHS also seeks comments on how termination of a restriction would impact a covered entity's ability to share PHI regarding prior treatment.</p>
<ul>
    <li><strong>Do the proposed modifications provide guidance on the &quot;minimum necessary&quot; standard?</strong></li>
</ul>
<p>No. However, HHS takes the opportunity to &quot;solicit public comment on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to have the Department address in the guidance&quot; required by the HITECH Act &quot;and the types of questions entities may have about how to appropriately determine the minimum necessary for purposes of complying with the Privacy Rule.&quot;</p>
<ul>
    <li><strong>Would the proposed modifications to the Privacy Rule have any impact on marketing conducted by covered entities and their business associates?</strong></li>
</ul>
<p>Yes.&nbsp; The proposed modifications implement and attempt to clarify a number of changes effected by the HITECH Act that limit permissible marketing communications without written authorization. Specifically, the proposed modifications would change the definition of &quot;marketing&quot; under the Rule as follows:</p>
<blockquote>
<p>(1) revise the exceptions to marketing to better distinguish the exceptions for treatment communications from those communications made for health care operations;</p>
<p>(2) add a definition of &ldquo;financial remuneration&rdquo; [to mean direct or indirect payment from or on behalf of a third party whose product or service is being described, and to exclude any direct or indirect payment for the treatment of an individual];</p>
<p>(3) provide that health care operations communications for which financial remuneration is received are marketing and require individual authorization;</p>
<p>(4) provide that written treatment communications for which financial remuneration is received are subject to certain notice and opt out conditions [set forth in the notice of privacy practices and in the treatment communication itself] . . . ;</p>
<p>(5) provide a limited exception from the remuneration prohibition for refill reminders; and</p>
<p>(6) remove the paragraph regarding an arrangement between a covered entity and another entity in which the covered entity receives remuneration in exchange for protected health information [because this is now a prohibited &quot;sale&quot; of PHI under the HITECH Act].</p>
</blockquote>
<p>HHS appears to acknowledge that the distinctions mentioned in (1) above will not always be clear.&nbsp; The NPRM states that, &quot;[w]ith respect to subsidized communications by a health care provider about health-related products or services for case management or care coordination or to recommend alternative treatments or settings of care, whether the communication would require individual authorization, or a statement in the notice and an opportunity to opt out, would depend on to what extent the provider is making the communication in a population-based fashion (health care operations) or to further the treatment of a particular individual based on that individual&rsquo;s health care status or condition (treatment).&quot;&nbsp; Acknowledging that some cases will involve close judgment calls, HHS solicits comments on its proposal &quot;as well as the alternatives of excluding treatment communications altogether even if they involve financial remuneration from a third party or requiring individual authorization for both treatment and health care operations communications made in exchange for financial remuneration.&quot;&nbsp; HHS is clear that face-to-face communications about products or services between a covered entity and an individual and promotional gifts of nominal value provided by a covered entity are not impacted by the proposed modifications and do not require authorization.&nbsp; HHS also clarifies that communications promoting health in general are still not marketing because they are not promoting a specific product or service; communications regarding government and government-sponsored programs also do not constitute marketing.</p>
<p>With respect to &quot;financial remuneration,&quot; (2) above, the proposed modifications would make clear that it must be <em>in exchange for</em> making the communication itself and be <em>from or on behalf of the entity whose product or service is being described</em>.</p>
<p>With respect to (4) above, HHS explicitly seeks comment on (a) how the opt out should apply to future subsidized treatment communications (e.g., should it prevent all future subsidized treatment communications or just those dealing with the particular product or service described in the current communication); and (b) the workability of requiring health care providers that intend to send subsidized treatment communications to individuals to provide an individual with the opportunity to opt out of receiving such communications <em>prior to</em> the individual receiving the first communication and what mechanisms could be put into place to implement the requirement.</p>
<p>As to (5) above, the proposed modifications would also include the exception to marketing for communications regarding refill reminders or otherwise about a drug or biologic that is currently being prescribed for the individual, provided any financial remuneration received by the covered entity for making the communication is &quot;reasonably related&quot; to the covered entity&rsquo;s cost of making the communication.&nbsp; HHS expressly solicits comment with respect to this exception on (a) scope, &quot;that is, whether communications about drugs that are related to the drug currently being prescribed, such as communications regarding generic alternatives or new formulations of the drug, should fall within the exception,&quot; and (b) the types and amount of costs that should be allowed.</p>
<ul>
    <li><strong>Do the proposed modifications address sale of PHI?</strong></li>
</ul>
<p>Yes, the proposed modifications would implement the new restrictions of the HITECH Act with respect to sales of PHI.&nbsp; Among other things, the Rules would require covered entities and business associates to obtain an authorization for any disclosure of PHI in exchange for direct or indirect remuneration. The authorization must state that the disclosure will result in remuneration to the covered entity (and/or business associate).&nbsp; Not surprisingly, the recipient covered entity or business associate could not redisclose that PHI in exchange for remuneration unless it also obtains a valid authorization.</p>
<p>The exceptions to this Rule would generally track the statutory language of the HITECH Act.&nbsp; However, HHS&nbsp;has proposed a few exceptions not found in the HITECH Act.&nbsp; HHS proposes an exception for&nbsp;disclosures made for payment for health care to make clear that it does not consider the exchange of PHI to obtain &ldquo;payment&rdquo; to be a sale of PHI.&nbsp; HHS also proposed an exception for disclosures of PHI where required by law, even if the covered entity receives remuneration for the disclosure.&nbsp; Finally, HHS proposed an exception for disclosure of PHI for any other purpose permitted by and in accordance with the applicable requirements of subpart E, as long as the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or is a fee otherwise expressly permitted by other law.</p>
<ul>
    <li><strong>Do the proposed modifications have any impact on research uses and disclosures of PHI?</strong></li>
</ul>
<p>Yes.&nbsp; The proposed modifications would allow a covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities.&nbsp; HHS seeks comment regarding methods that would &quot;clearly differentiate.&quot;</p>
<p>In addition, although it is not currently proposing changes, HHS is considering whether to modify its interpretation that an authorization for the use or disclosure of PHI for research be research-study specific. HHS is looking at the following options, and seeks comments thereon at this time (and on how a revocation would operate with respect to future research studies):</p>
<blockquote>
<p>(1) the Privacy Rule should permit an authorization for uses and disclosures of protected health information for future research purposes to the extent such purposes are adequately described in the authorization such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research;</p>
<p>(2) the Privacy Rule should permit an authorization for future research only to the extent the description of the future research included certain elements or statements specified by the Privacy Rule, and if so, what should those be; and</p>
<p>(3) the Privacy Rule should permit option (1) as a general rule but require certain disclosure statements on the authorization in cases where the future research may encompass certain types of sensitive research activities, such as research involving genetic analyses or mental health research, that may alter an individual&rsquo;s willingness to participate in the research.</p>
</blockquote>
<ul>
    <li><strong>Would the proposed modifications change the current restrictions on use and disclosure for fundraising purposes?</strong></li>
</ul>
<p>Yes, to some extent.&nbsp; Consistent with the requirements of the HITECH Act, the proposed modifications would &quot;strengthen the opt out by requiring that a covered entity provide, with each fundraising communication sent to an individual under these provisions, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications&quot; and by requiring that &quot;the method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than nominal cost.&quot;&nbsp; HHS explicitly states (as it does elsewhere in the NPRM) that requiring an individual to write and send a letter would constitute an undue burden.&nbsp; HHS encourages a toll-free number, an e-mail address, or similar opt out mechanisms.&nbsp; HHS seeks comments as to whether the Rule should allow a similarly simple method for an individual to opt back in.</p>
<p>Because such an opt out constitutes a revocation of authorization under the HITECH Act, the proposed modifications would also prohibit a covered entity from conditioning treatment or payment for care on an individual&rsquo;s choice of whether to receive fundraising communications.</p>
<p>HHS also proposes to prohibit a covered entity from sending fundraising communications to an individual who has elected not to receive such communications (this would be a change from the current requirement to make &quot;reasonable efforts&quot;).</p>
<p>HHS seeks comment as to which fundraising communications the opt out should apply (e.g., all future, or just the campaign at issue).</p>
<p>The current Rule limits disclosures for fundraising purposes to demographic information and dates of health care provided.&nbsp; In light of feedback received by HHS over many years, HHS seeks comment on &quot;whether and how the current restriction on what information may be used and disclosed should be modified to allow covered entities to more effectively target fundraising and avoid inappropriate solicitations to individuals, as well as to reduce the need to send solicitations to all patients.&quot;&nbsp; Specifically, HHS seeks comments on &quot;(1) whether the Privacy Rule should allow additional categories of protected health information to be used or disclosed for fundraising, such as department of service or similar information, and if so, what those categories should be; (2) the adequacy of the minimum necessary standard to appropriately limit the amount of protected health information that may be used or disclosed for fundraising purposes; or (3) whether the current limitation should remain unchanged.&quot;&nbsp; HHS also solicits comment on &quot;whether, if additional information is permitted to be used or disclosed for fundraising absent an authorization, covered entities should be required to provide individuals with an opportunity to opt out of receiving any fundraising communications before making the first fundraising solicitation, in addition to the opportunity to opt out with every subsequent communication,&quot; and invites comment on workability and what mechanisms could be put in place to implement such a requirement.</p>
<ul>
    <li><strong>Would&nbsp;access rights be changed?</strong></li>
</ul>
<p>Yes.&nbsp; HHS proposes to <em>strengthen</em> the right of access provided under the HITECH Act &quot;more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an electronic health record.&quot;&nbsp; Specifically, if the PHI requested is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.&nbsp; Covered entities &quot;should ensure that reasonable safeguards are in place to protect the information&quot; in providing the individual with an electronic copy of PHI through a web-based portal, e-mail, on portable electronic media, or other means.</p>
<p>In addition, the modifications would require that a covered entity transmit a copy of PHI directly to another person designated by the individual, if the individual so requests in a signed writing and the choice is &quot;clear, conspicuous, and specific.&quot;&nbsp; The covered entity must have reasonable policies and procedures in place to verify the identity of the requesting individual and to safeguard the information.</p>
<p>The modifications would make some additional changes with respect to the charges that a covered entity can pass along to an individual requesting information, but would not change the existing timeframe for doing so.&nbsp; HHS seeks comment on these issues.</p>
<ul>
    <li><strong>Under the modifications, can the signed writing from the individual requesting that the PHI be disclosed to another person be electronically signed?</strong></li>
</ul>
<p>This one is for my friends who study electronic and digital signatures.&nbsp; Yes, an electronic signature would be permissible to the extent it is valid under applicable law.</p>
<ul>
    <li><strong>How would the proposed modifications affect PHI of decedents?</strong></li>
</ul>
<p>There are two primary proposed changes.</p>
<p>The proposed modifications would permit covered entities to disclose a decedent&rsquo;s information to family members and others who were involved in the care or payment for care of the decedent prior to death (in addition to the decedent's personal representative), unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.</p>
<p>As discussed in <a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/">Part One</a>, HHS has proposed to modify the definition of PHI to include individually identifiable health information of a person who has been deceased for 50 or fewer years.&nbsp; In addition, the proposed modifications would require a covered entity to comply with the Privacy Rule with regard to the PHI of a deceased individual for a period of 50 years following the date of death.&nbsp; The 50-year period (which would take us back to individuals deceased since 1960) is new.</p>
<ul>
    <li><strong>So why 50 years?</strong></li>
</ul>
<p>HHS explains the timeframe as appropriate &quot;because by approximately covering the span of two generations we believe it will both protect the privacy interests of most, if not all, living relatives, or other affected individuals, and it reflects the difficulty of obtaining authorizations from personal representatives as time passes.&quot;&nbsp; HHS seeks comment on the appropriateness of this time period.&nbsp;</p>
<p><em>Query whether this time period is sufficiently limited and whether HHS should be concerned with the privacy of individuals deceased decades before HIPAA&nbsp;became law in the first instance, and before the widespread use of personal computers and the Internet.&nbsp; It is also worth considering that many records containing PHI of decedents going back to 1960 have made their way into the hands of non-covered entities and non-business associates (e.g., libraries, museums, publishers, schools).&nbsp; While covered entities and business associates are still required to comply with the Privacy Rule and its restrictions on use and disclosure, these third party organizations are not.</em></p>
<ul>
    <li><strong>I have heard that the proposed Rules would eliminate the need for parents to provide written consent for disclosure of children's immunization records to schools - is that true?</strong></li>
</ul>
<p>Yes.&nbsp; The proposed modifications would permit covered entities to disclose proof of immunization to schools in States that have school entry or similar laws. The covered entity would still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor. HHS seeks comment on whether the Privacy Rule should require that a provider document any oral agreement or whether a requirement for written documentation would be overly cumbersome, and whether the Rule should mandate that these disclosures go to a particular school official (and, if so, which official).</p>
<p>Interestingly, HHS&nbsp;also seeks comment on the appropriate scope of the term &quot;school&quot; and on whether &quot;school&quot; should be defined.&nbsp; HHS also solicits comments on whether schools not subject to entry or similar laws should be included within this regulation regarding public health disclosures.</p>
<p>HHS notes that, once the school obtains the records, they are protected by the <a href="http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html">Family Educational Rights and Privacy Act (FERPA)</a>, 20 U.S.C. &sect; 1232g; 34 CFR Part 99, not HIPAA, and encourages readers to consult the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf">Joint HHS/ED Guidance on the Application of FERPA and HIPAA to Student Health Records</a>.</p>]]></description>
<link>http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-two/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-two/</guid>
<category>HHS</category><category>HIPAA</category><category>HITECH</category><category>Health Care</category><category>Marketing</category><category>NPRM</category><category>baa</category><category>business associate</category><category>enforcement rule</category><category>fundraising</category><category>modifications</category><category>notice of privacy practices</category><category>npp</category><category>privacy rule</category><category>protected health information</category><category>research</category><category>restrictions</category><category>sale</category><category>security rule</category><category>subcontractors</category>
<pubDate>Thu, 15 Jul 2010 08:53:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>FAQ on the Proposed Modifications to the HIPAA Rules: Part One</title>
<description><![CDATA[<p>As <a href="http://www.infolawgroup.com/2010/07/articles/hitech-1/infolaw-alert-hhs-issues-proposed-mofications-to-hipaa-security-and-privacy-rules/">reported</a> last week, on Thursday the Department of Health and Human Services (&quot;HHS&quot;) issued its long-anticipated <a href="http://www.infolawgroup.com/uploads/file/HIPAA Modifications July 2010.pdf">Notice of Proposed Rulemaking (&quot;NPRM&quot;) on Modifications to the Health Insurance Portability and Accountability Act (&quot;HIPAA&quot;) Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the &quot;HITECH&quot; Act)</a>.&nbsp; For those of us who subscribe to numerous technology and law listservs, this meant emailboxes flooded with opinions, criticism, speculation, and flat-out fear mongering.&nbsp; We thought people might like to know what the proposed modifications actually say, and what they mean.&nbsp; So, this post provides Part One of a FAQ on the 234 page NPRM.&nbsp; This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules.&nbsp; Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.</p>]]><![CDATA[<p><u>General</u></p>
<ul>
    <li><strong>What did HHS actually do?</strong></li>
</ul>
<p>HHS issued this <a href="http://www.infolawgroup.com/uploads/file/HIPAA Modifications July 2010(2).pdf">NPRM to modify the Standards for Privacy of Individually Identifiable Health Information (known as the HIPAA Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (referred to as the HIPAA Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (the HIPAA Enforcement Rule) issued under HIPAA</a>.&nbsp; HHS's articulated purpose in issuing these proposed modifications &quot;is to implement recent statutory amendments under the&quot; HITECH Act, &quot;to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules.&quot;&nbsp; The NPRM includes several sections:</p>
<ol>
    <li>a description of the statutory and regulatory background of the proposed rules;<br />
    &nbsp;</li>
    <li>a section-by-section description of the proposed modifications;<br />
    &nbsp;</li>
    <li>the impact statement and other required regulatory analyses; and<br />
    &nbsp;</li>
    <li>the proposed modifications themselves [<em>hint:&nbsp; these begin at page 176 of the </em><a href="http://www.infolawgroup.com/uploads/file/HIPAA Modifications July 2010(1).pdf"><em>NPRM</em></a>].</li>
</ol>
<ul>
    <li><strong>Have the proposed modifications been published in the Federal Register?</strong></li>
</ul>
<p>No, not yet.&nbsp; We expect them to be published this Wednesday, July 14, 2010.</p>
<ul>
    <li><strong>Will there be an opportunity to comment on these proposed modifications before they become final?</strong></li>
</ul>
<p>Yes, the public comment period will begin when the proposed modifications are published in the Federal Register.&nbsp; Therefore, organizations and individuals will have until approximately September 12, 2010, to comment.&nbsp; Note, however, that September 12 is a Sunday, so individuals and organizations <u><strong>should plan to submit any comments by September 10, 2010, at the latest.</strong></u></p>
<ul>
    <li><strong>What is the compliance deadline for the proposed modifications?</strong></li>
</ul>
<p>There is time.&nbsp; These are only proposed modifications.&nbsp; As noted above, there will be 60 days after publication for public comment, and it will take HHS more time to issue the final rule.&nbsp; HHS also states in the NPRM that it intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule's provisions.&nbsp; (However, this 180-day default rule would NOT apply to modifications to the HIPAA Enforcement Rule, which will be in effect and apply at the time the final rule becomes effective or as otherwise specifically provided, or where HHS expressly provides a different compliance period in the regulation for one or more provisions.)</p>
<ul>
    <li><strong>Does the NPRM address breach notification?</strong></li>
</ul>
<p>No.&nbsp; That was the subject of previous rulemaking, reported <a href="http://www.infolawgroup.com/2009/10/articles/health-care/the-new-health-care-breach-notification-landscape-hhs-rules/">here</a>.&nbsp; However, the practical impact of the proposed modifications would be to require subcontractors that are acting as business associates (see more on that below) to report breaches and other security incidents to business associates (which requirement must be included in the contract between the business associate and the subcontractor).&nbsp; As noted in the NPRM, &quot;if a breach of unsecured protected health information occurs at or by a subcontractor, the subcontractor must notify the business associate of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate.&quot;</p>
<ul>
    <li><strong>Does the NPRM cover all of the changes effected by the HITECH Act?</strong></li>
</ul>
<p>No, the NPRM does not address&nbsp;breach notification, the modified civil money penalty structure, the accounting for disclosures requirement, the penalty distribution methodology requirement, the new authority of the State Attorneys General to enforce the HIPAA Rules, or the required studies, reports, guidance, audits, or education efforts.</p>
<p><u>General Impact on Business Associates</u></p>
<ul>
    <li><strong>How would the proposed modifications affect business associates?</strong></li>
</ul>
<p>As business associates already know, the HITECH Act makes the Security and Privacy Rules, and certain other aspects of HIPAA, directly applicable to business associates.&nbsp; The proposed modifications would make this crystal clear.&nbsp; Consistent with the requirements of the HITECH Act, the proposed modifications &quot;would make clear that, where provided, the standards, requirements, and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules apply to business associates.&quot;</p>
<ul>
    <li><strong>Would the NPRM include additional entities within the definition of business associate?</strong></li>
</ul>
<p>Yes.&nbsp; The proposed definition would make clear that the following entities are all business associates covered by the Rule:&nbsp; Patient Safety Organizations, Health Information Organizations, E-prescribing Gateways, other persons that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information, persons who offer a personal health record to one or more individuals on behalf of a covered entity, and certain subcontractors (see below for elaboration on subcontractors).&nbsp; HOWEVER, importantly, &quot;data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.&quot;&nbsp; This is a narrow category.&nbsp; HHS is careful to note that &quot;entities that manage the exchange of protected health information through a network, including providing patient locator services and performing various oversight and governance functions for electronic health information exchange, have more than 'random' access to protected health information&quot; and therefore would be business associates.</p>
<ul>
    <li><strong>I am hearing a lot of concern about the possibility that subcontractors might be treated as business associates even if they don't have a business associate agreement.&nbsp; What is that all about?</strong></li>
</ul>
<p><u>Yes, the proposed modifications would make subcontractors of a covered entity business associates to the extent they require access to protected health information, even if the agent or other person who acts on behalf of a business associate does not have a contract with the business associate</u>.&nbsp; In other words, such an agent or other organization would not be able to rely on the fact that a business associate has not made it execute a business associate agreement in taking the position that it is not actually a business associate.&nbsp; If it acts on behalf of a business associate and it requires access to protected health information for some or all of its functions, it would be deemed a business associate for purposes of the Rule and must comply.&nbsp; This would be a major change.</p>
<p>The NPRM states as follows:</p>
<blockquote>
<p>We propose to add language in . . . the definition of &ldquo;business associate&rdquo; to provide that subcontractors of a covered entity &ndash; i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate&rsquo;s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of &ldquo;subcontractor&rdquo; . . . to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. <strong>Even though we use the term &ldquo;subcontractor,&rdquo; which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.</strong></p>
</blockquote>
<p>(Emphasis added.)</p>
<p><strong><em>In today's business world, with ever-expanding multi-level arrangements for outsourcing, offshoring, and cloud computing, such a change in the HIPAA regulatory structure would have a tremendous impact.&nbsp; This appears to be exactly what HHS has in mind.&nbsp;</em></strong> As noted by the NPRM, &quot;we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.&quot;</p>
<p><strong><em>It is quite possible that many such vendors have no idea that they serve in such a capacity, or fail to do due diligence to determine if they are an agent of a business associate.&nbsp; Going forward, if the proposed modifications become final in their current form, vendors MUST determine whether they are playing such a role and set up contracts/handle compliance obligations accordingly.&nbsp; It will be the business associate's responsibility to set up a contract (and a business associate will be liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency).&nbsp; However, lack of such a contract (i.e., the business associate's failure to comply with its own responsibility in this regard) would not let the agent off the hook.</em></strong></p>
<p>The NPRM provides the following example:</p>
<blockquote>
<p>under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).</p>
</blockquote>
<ul>
    <li><strong>OK, but if the covered entity fails to set up a contract with me as a business associate in the first place, I am not a business associate, right?</strong></li>
</ul>
<p>Wrong.&nbsp; <em>Even if there is no contract, under the proposed modifications, you are a business associate if you meet the definition of business associate</em>:&nbsp;</p>
<blockquote>
<p>a person is a business associate if it meets the definition of &ldquo;business associate,&rdquo; even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate.</p>
</blockquote>
<p>(Note that a covered entity is not off the hook if it fails to set up a contract.&nbsp; To the contrary, under the proposed modifications, a covered entity would remain liable for the acts of its business associate agents, &quot;regardless of whether the covered entity has a compliant business associate agreement in place.&quot;)</p>
<p><u>Definition of PHI</u></p>
<ul>
    <li><strong>Does the NPRM alter the definition of protected health information in any way?</strong></li>
</ul>
<p>Yes, the definition would be modified to make clear that the Privacy and Security Rules &quot;do not protect the individually identifiable health information of persons who have been deceased for more than 50 years,&quot; so those who have been deceased since at least 1960 (assuming the final Rule becomes effective this year).</p>
<p><u>Proposed Modifications to the HIPAA Security Rule</u></p>
<p>As discussed above, the proposed modifications would add references to business associates in the Security Rule to make clear that, consistent with the requirements of the HITECH Act, business associates are now directly responsible for complying with the Security Rule.</p>
<ul>
    <li><strong>Is a covered entity required to obtain by contract assurances regarding security of ePHI from subcontractors acting as business associates under the new definition?</strong></li>
</ul>
<p>No.  That is the responsibility of the business associate.  The proposed modifications would &quot;clarify that covered entities are not required to obtain satisfactory assurances in the form of a contract or other arrangement with a business associate that is a subcontractor&quot; but instead would &quot;make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information.&quot;</p>
<p><u>Proposed Modifications to the HIPAA Enforcement Rule</u></p>
<ul>
    <li><strong>How would the proposed modifications impact enforcement in cases of willful neglect?</strong></li>
</ul>
<p>The HITECH Act established four tiers of penalty amounts to correspond with levels of culpability.  The lowest penalty tier addresses situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.  The second category applies to violations due to reasonable cause and not to willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period and willful neglect that is not so corrected.&nbsp; Consistent with the changes under HITECH, the proposed modifications would make clear that the Secretary <u>will</u> investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to <u>willful neglect</u>.&nbsp; As a practical matter, this may not change much, as the NPRM states that &quot;HHS currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicate a possible violation of the HIPAA Rules.&quot;&nbsp; HHS is <u>not</u> required to attempt to resolve by informal means cases of noncompliance due to <u>willful neglect</u>.</p>
<p>Further, under the proposed modifications, the Secretary <u>will</u> conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to <u>willful neglect.</u>&nbsp;</p>
<p>The NPRM includes a few examples of willful neglect, as follows, two of which highlight the importance of written policies and procedures:</p>
<blockquote>
<p>1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of &sect; 164.530(c) and &sect; 164.310(d)(2)(i). HHS&rsquo;s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.</p>
<p>2. A covered entity failed to respond to an individual&rsquo;s request that it restrict its uses and disclosures of protected health information about the individual. HHS&rsquo;s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.</p>
<p>3. A covered entity&rsquo;s employee lost an unencrypted laptop that contained unsecured protected health information. HHS&rsquo;s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by &sect; 164.400 et seq.</p>
</blockquote>
<ul>
    <li><strong>Do the proposed modifications otherwise speak to the penalty tiers established by the HITECH Act?</strong></li>
</ul>
<p>Yes.&nbsp; HHS proposes to modify the definition of &ldquo;reasonable cause&rdquo; to clarify the full scope of violations that will come within the reasonable cause category of violations, including those circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provisions violated, as well as those circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.&nbsp; Specifically, HHS proposes to replace the current definition of &ldquo;reasonable cause&rdquo; with the following:</p>
<blockquote>
<p>an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.</p>
</blockquote>
<p>The NPRM provides the following example:</p>
<blockquote>
<p>A covered entity received an individual&rsquo;s request for access but did not respond within the time periods provided for in &sect; 164.524(b)(2). HHS&rsquo;s investigation reveals that the covered entity had compliant access policies and procedures in place, but that it had received an unusually high volume of requests for access within the time period in question. While the covered entity had responded to the majority of access requests received in that time period in a timely manner, it had failed to respond in a timely manner to several requests for access. The covered entity did respond in a timely manner to all requests for access it received subsequent to the time period in which the violations occurred.</p>
</blockquote>
<p>HHS also notes that the modified definition of reasonable cause would encompass those circumstances in which a covered entity or business associate has knowledge of the violation but lacks the conscious intent or reckless indifference associated with willful neglect, and provides the following example:</p>
<blockquote>
<p>A covered entity presented an authorization form to a patient for signature to permit a disclosure for marketing purposes that did not contain the core elements required by &sect; 164.508(c). HHS&rsquo;s investigation reveals that the covered entity was aware of the requirement for an authorization for a use or disclosure of protected health information for marketing and had attempted to draft a compliant authorization but had not included in the authorization the core elements required under &sect; 164.508.</p>
</blockquote>
<ul>
    <li><strong>Do the nature and extent of the violation and the harm resulting from the violation matter for purposes of penalties?</strong></li>
</ul>
<p>Yes.&nbsp; The&nbsp;proposed modifications would require the Secretary&rsquo;s consideration of the nature and extent of the violation, as well as the nature and extent of the harm resulting from violation, in assessing civil monetary penalties, working under the tiered structure described above.&nbsp; This would include considering the time period during which the violation(s) occurred and the number of individuals affected.&nbsp;</p>
<p>With respect to the nature and extent of the harm, &quot;HHS proposes to add reputational harm to make clear that reputational harm is as cognizable a form of harm as physical or financial harm.&quot;&nbsp;</p>
<p>The history of an entity's compliance is also relevant: HHS&nbsp;proposes to revise the term &quot;violations&quot; to &ldquo;indications of noncompliance&rdquo; to conform to &quot;HHS&rsquo; policy of considering a covered entity&rsquo;s general history of HIPAA compliance.&quot;</p>
<ul>
    <li><strong>Are civil monetary penalties barred if the act is criminally punishable?</strong></li>
</ul>
<p>After February 18, 2011, HHS&rsquo;s authority to impose a civil money penalty would only be barred to the extent a covered entity or business associate can demonstrate that a criminal penalty <em>has been imposed</em> under <a href="http://www.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00001320---d006-.html">42 U.S.C. 1320d-6</a> with respect to such act (not merely &quot;criminally punishable&quot;).&nbsp; <a href="http://www.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00001320---d006-.html">42 U.S.C. 1320d-6</a> provides that a person who knowingly (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.</p>]]></description>
<link>http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/07/articles/hitech-1/faq-on-the-proposed-modifications-to-the-hipaa-rules-part-one/</guid>
<category>HHS</category><category>HIPAA</category><category>HITECH</category><category>Health Care</category><category>NPRM</category><category>baa</category><category>business associate</category><category>enforcement rule</category><category>modifications</category><category>privacy rule</category><category>protected health information</category><category>security rule</category><category>subcontractors</category>
<pubDate>Mon, 12 Jul 2010 10:10:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Lessons Being Learned about Cloud Computing</title>
<description><![CDATA[<p>Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals.&nbsp; You can read the interview <a href="http://www.infolawgroup.com/uploads/file/Nymity interview.pdf">here</a>.&nbsp; We addressed a number of questions, including:&nbsp;</p>
<ul>
    <li>What makes cloud computing different from computing in-house or &quot;normal&quot; IT outsourcing?</li>
    <li>What are the key benefits?</li>
    <li>What are the key risks?</li>
    <li>Should in-house lawyers and compliance, privacy and security officers be concerned?</li>
    <li>What do in-house lawyers and compliance, privacy and security officers look for to identify cloud computing activities?</li>
    <li>How do in-house lawyers and compliance, privacy and security officers quickly understand the new risks and implement controls to reduce these risks?</li>
    <li>What can in-house lawyers and compliance, privacy and security officers do to educate executive management?</li>
    <li>What does it look like when a company does a great job selecting a cloud vendor?&nbsp; What do they do up front before beginning the due diligence process?&nbsp; What do they do during the due diligence and contract negotiation processes?&nbsp; What risks do they mitigate?&nbsp; What controls do they put into place?</li>
    <li>What are important compliance, security and privacy elements for cloud contracts?</li>
</ul>
<p>You can find some of our thoughts on these questions and more <a href="http://www.infolawgroup.com/uploads/file/Nymity interview(1).pdf">here</a>.</p>]]></description>
<link>http://www.infolawgroup.com/2010/07/articles/cloud-computing-1/lessons-being-learned-about-cloud-computing/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/07/articles/cloud-computing-1/lessons-being-learned-about-cloud-computing/</guid>
<category>Cloud Computing</category><category>RFP</category><category>benefits</category><category>compliance</category><category>contracts</category><category>controls</category><category>due diligence</category><category>mitigate</category><category>negotiation</category><category>outsourcing</category><category>risks</category>
<pubDate>Wed, 07 Jul 2010 09:35:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Higher Education and Cloud Computing</title>
<description><![CDATA[<p>Institutions of higher learning are often breeding grounds for experimentation and creative approaches to old problems. Thus, it is far from surprising that universities have represented some of the earliest adopters of enterprise cloud computing solutions. Cloud computing is enormously attractive to universities, for a number of reasons, especially when it comes to email.&nbsp; My article, <a href="http://www.infolawgroup.com/uploads/file/The Ivory Tower in the Cloud.pdf">&quot;The Ivory Tower in the Cloud,&quot;</a> recently published in <em>Information Security and Privacy News, </em>a publication of the&nbsp;Information Security Committee, ABA Section of Science &amp; Technology Law,&nbsp;briefly explores some of the information security and privacy legal implications for higher education moving into the cloud, and then discusses some recent developments with respect to highly publicized trials of cloud computing services by universities and colleges.&nbsp; You can read the full article <a href="http://www.infolawgroup.com/uploads/file/The Ivory Tower in the Cloud(1).pdf">here</a>.</p>]]></description>
<link>http://www.infolawgroup.com/2010/06/articles/cloud-computing-1/higher-education-and-cloud-computing/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/06/articles/cloud-computing-1/higher-education-and-cloud-computing/</guid>
<category>Cloud Computing</category><category>Education</category><category>FERPA</category><category>colleges</category><category>contracts</category><category>higher education</category><category>universities</category>
<pubDate>Mon, 21 Jun 2010 15:30:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Reactions to the Boucher Bill, Part Two</title>
<description><![CDATA[<p>This post is Part Two in my review and discussion of some of the comments submitted in the response to the <a href="http://www.infolawgroup.com/uploads/file/Boucher%20Privacy_Draft_5-10.pdf">Boucher Bill privacy and data security legislation discussion draft</a>.&nbsp; You can find <a href="http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-one/">Part One here</a>.&nbsp; You can find a <a href="http://www.infolawgroup.com/2010/05/articles/behavioral-advertising/breaking-down-the-boucher-bill/">FAQ on the Boucher Bill itself here</a>.&nbsp; As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters.</p>
<p>Part Two covers comments (linked here) submitted by:</p>
<ul>
    <li><a href="http://www.infolawgroup.com/uploads/file/American Business Media Comments on Boucher Bill(1).pdf">American Business Media (ABM)</a>, which focuses on the Business-to-Business online information market;</li>
    <li>the <a href="http://www.infolawgroup.com/uploads/file/ANA Comments on Boucher draft 6_4_10(1).doc">Association of National Advertisers (ANA)</a>;</li>
    <li>the <a href="http://www.infolawgroup.com/uploads/file/MRA boucherdataprivacybillcomments 6-4-10 final.pdf">Marketing Research Association (MRA)</a>, an association of the survey and opinion research profession;</li>
    <li>the <a href="http://www.infolawgroup.com/uploads/file/NRF-Comments-June-4-20101(1).pdf">National Retail Federation and Shop.org</a> (collectively, NRF); and</li>
    <li>the <a href="http://www.infolawgroup.com/uploads/file/US Chamber Comments.pdf">U.S. Chamber of Commerce</a>.&nbsp;</li>
</ul>
<p>Although <a href="http://www.clickz.com/3640612">the media reports that both Facebook and Google submitted comments</a>, it appears that those comments have not been made public.</p><p><u>General Observations</u></p>
<p>Like the comments described in Part One, many of these commenters expressed concern that the draft goes too far, that consumers benefit from the free flow of information, and that the proposed draft would stifle innovation and the retail economy.&nbsp;</p>
<p>ABM &quot;cautions against government regulations that go beyond the threshold of transparency, notice and choice for business users&quot; and urges the drafters &quot;to consider the possible, unintended consequences of establishing new requirements for content providers that may disadvantage the innumerable American businesses that rely on business information products and services to receive targeted and customized information solutions.&quot;</p>
<p>The ANA notes that, &quot;[s]ince e-commerce is one of the most vibrant parts of our economy, particularly during this difficult period it is critical that Congress not do anything prematurely to restrict the growth of this marketplace.&quot;&nbsp; The ANA also suggests that Congress consider the harm that such legislation is meant to address, unlike the specific harms anticipated by existing sectoral (health and financial) legislation:&nbsp; &quot;What is the potential harm that can come to a consumer from the use or transfer of . . . [information such as how many shirts someone orders from a retailer and what color, size and price they were]? Does that potential harm justify a sweeping, virtually all-inclusive new privacy regime that imposes substantial costs and burdens on every business in America?&quot;</p>
<p>The MRA identifies concerns for the research survey industry that include perhaps unintended consequences of the bill for the greater economy, noting that the discussion draft would make it even harder &quot;to reach research participants, increase non-response bias and adversely impact the accuracy of research results.&quot;  In addition, the MRA points out:</p>
<blockquote>
<p>This wouldn&rsquo;t just impede bona fide survey and opinion research. It would ultimately result in higher costs for research -- costs which would be passed on to the individuals you are trying to protect, in the form of:</p>
<ul>
    <li>higher prices for goods and services;</li>
    <li>lengthier time before new or better goods and services are brought to the marketplace;</li>
    <li>delayed introduction of new or better public policies; and</li>
    <li>a decreased amount of research ordered by companies, who might then bring less well-tested and researched products and services to market, harming consumers in the end because the goods and services did not fulfill consumer expectations or needs.</li>
</ul>
</blockquote>
<p>NRF also cautions that the economy may suffer:&nbsp; &quot;The information collected ensures that stores are opened in locations where demand is the highest, the right merchandise is stocked on those shelves, and customers are offered the best sales and promotions to get them in the door.&quot;</p>
<p>The U.S. Chamber of Commerce also identifies potential consequences for the economy, including potential restrictions on content currently available for free on the Internet:</p>
<blockquote>
<p>Advertising revenue frequently allows Web sites to offer consumers content for free. This ad-supported business model has been a key to the success of many Internet ventures and has helped to make the Internet an engine of growth in the U.S. economy. Unfortunately, the draft bill would disrupt this pro-consumer business.</p>
</blockquote>
<p><u>Self-Regulation</u></p>
<p>ANA argues that legislation is not necessary at this time:&nbsp; &quot;We believe that consumers can be best protected through a combination of existing privacy laws and regulations, privacy enhancing technology, effective self-regulation and the backstop of the FTC&rsquo;s current powers to stop false, deceptive or unfair acts or practices.&quot;&nbsp; ANA highlights the existing industry <a href="http://www.iab.net/media/file/ven-principles-07-01-09.pdf">Self-Regulatory Principles</a>, discussed in <a href="http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-one/">Part One</a>, and identifies several pending industry projects regarding online behavioral advertising (OBA):</p>
<blockquote>
<ul>
    <li>Developing an industry icon that will appear on OBA-served web ads</li>
    <li>An outreach program to educate consumers about the benefits of OBA</li>
    <li>An industry webpage where consumers can go to opt-out of OBA</li>
    <li>An accountability program to be operated by the CBBB (the DMA has a separate accountability program for DMA member companies)</li>
</ul>
</blockquote>
<p>The NRF echoes the comments of other industry and advertiser commenters in calling for self-regulation and industry oversight in lieu of government mandated restrictions:&nbsp; &quot;We do believe that self-regulation and, in the case of retailing, industry leadership (or 'leading practices') are among the most effective ways to protect consumers while allowing businesses the flexibility to continue to innovate and adopt new technologies to better serve their customers.&quot;&nbsp;</p>
<p>The U.S. Chamber of Commerce also favors self-regulation, arguing that &quot;[s]elf-regulatory practices promulgated by . . . industry groups or the FTC should be granted 'safe harbor' status along with the concepts outlined in the law specifically for 'network advertisers.'&rdquo;&nbsp; The Chamber also maintains that the bill should take into consideration browser privacy controls:&nbsp; &quot;[t]here is also a burgeoning privacy-by-design business model being developed using 'plug-ins' and other tools to give browsers more privacy features and user controls. Increasing emphasis should be given to this self-regulatory vehicle. However, this draft would curtail the incentive for innovation regarding these browser controls.&quot;</p>
<p><u>Coverage of Offline Information</u></p>
<p>ABM argues for an exemption of &quot;offline collection of basic information from persons acting in clear business capacities&quot; or, at a minimum, &quot;a variation of a 'business card' exception &ndash; that is, the information normally found on a business card or related to professional services or other public occupational and industry information [including a home or office address used for business purposes] should not be subject to the opt-in rules or other requirements when collected offline.&quot;</p>
<p>ANA seeks an equal playing field that takes into account the different manner in which advertisers work in the online and offline worlds:</p>
<blockquote>
<p>any new laws or regulations should provide sufficient flexibility to reflect different ways of communicating with consumers.  If the Subcommittee pursues legislation in this area, we strongly urge you to avoid any policy choices that provide a competitive advantage (or disadvantage) to either the online or offline business community.  The focus should be on maintaining and enhancing a fair regulatory playing field for online and offline businesses, rather than on a one-size fits all regulatory regime.</p>
</blockquote>
<p>NRF argues that inclusion of offline information in the bill is &quot;fundamentally unworkable.&quot;</p>
<p>The U.S. Chamber of Commerce echoes the sentiments of the ANA:&nbsp; &quot;in the offline arena, covered information may be collected in different formats and technologies, so more flexibility is needed for the timing and content of notice and how and where to offer choice.&quot;&nbsp;&nbsp;</p>
<p><u>&quot;Covered Information&quot;</u></p>
<p>ABM expresses concern that &quot;covered information&quot; might include information regarding individuals within businesses or the businesses themselves, arguing that businesses do not enjoy rights to privacy in the same way that individuals do, and that individuals acting in a professional capacity have different expectations of privacy than individuals operating in a personal capacity.&nbsp; Footnote One of the ABM comments includes the following citations in support of this argument:&nbsp;</p>
<blockquote>
<p>&quot;[C]orporations can claim no equality with individuals in the enjoyment of a right to privacy.&quot; <em>United States v. Morton Salt Co.</em>, 338 U.S. 632, 652 (1950); <em>see also </em>Restatement (Second) of Torts &sect; 652I cmt. c (&quot;A corporation, partnership or unincorporated association has no personal right of privacy.&quot;); <em>Browning-Ferris Indus. v. Kelco Disposal, Inc.</em>, 492 U.S. 257, 284 (1989) (O'Connor, J., concurring in part, dissenting in part) (&quot;[A] corporation has no ... right to privacy.&quot;). Indeed, the Supreme Court has recognized that &quot;a business, by its special nature and voluntary existence, may open itself to intrusions that would not be permissible in a purely private context.&quot; <em>G.M. Leasing Corp. v. United States</em>, 429 U.S. 338, 353 (1977). Moreover, many courts have found that business employees, acting as such, often have lower privacy interests in their business conduct than they would have in their private capacities. <em>E.g., Curto v. Medical World Communications, Inc.</em>, 2006 WL 1318387 (E.D.N.Y. 2006) (&quot;Employees expressly waive any right of privacy in anything they create, store, send, or receive on the computer or through the Internet or any other computer network.&quot;).</p>
</blockquote>
<p>ABM also opposes the inclusion of IP&nbsp;addresses within the definition of &quot;covered information&quot;:&nbsp;</p>
<blockquote>
<p>Expanding the definition of covered information to include defining an IP address would make it extremely difficult to continue, as B-to-B content providers, to serve relevant content or even contextual first-party advertising. Allowing a consumer to an ABM publication to opt-out of all usages of covered information, including IP addresses, would pose a great danger to the ad-based models currently used by every major publisher.&nbsp; . . .&nbsp; One potentially damaging consequence would be the inability of ABM members and other content providers to enforce their intellectual property rights by determining where piracy of their materials has occurred because of customer activities. At the very least, the bill should acknowledge and allow for collection of IP addresses for use in connection with legal proceedings, investigations of crimes or other wrongdoing.</p>
</blockquote>
<p>ABM also seeks limitation of the definition to exclude publicly available and public domain information about individuals:</p>
<blockquote>
<p>the current draft covers as well all information collected about individuals, meaning that it covers information obtained from published and public domain sources. The &quot;about&quot; restriction therefore means that it would become unlawful merely to reprint, disseminate, or use certain information that has already been publicly distributed and widely used. Already published information is by nature not private and should not be treated as such. Moreover, serious First Amendment and state-federal preemption issues would be raised by classifying as &ldquo;private,&rdquo; or making it unlawful to use, information that is already in the public sphere. <em>Cf. Cox Publishing Co. v. Cohn</em>, 420 U.S. 469 (1975) (&ldquo;&hellip;the First and Fourteenth Amendments command nothing less than that the States may not impose sanctions on the publication of truthful information contained in official court records open to public inspection&rdquo;).</p>
</blockquote>
<p>ANA objects to the breadth of the draft overall and the definition of &quot;covered information,&quot; maintaining that it would conflict with numerous existing federal laws, and that the catch-all provision would &quot;swallow up and cover the entire information universe.&quot;</p>
<p>NRF, like other advertisers, objects to the broad definition of &quot;covered information&quot;:&nbsp; &quot;SSN&rsquo;s and financial account numbers are listed together with much less sensitive and widely available data such as name, address, and phone number. Additionally, non-personal identifiers such as Internet Protocol addresses, preference profiles, and cookies are, for the first time, also covered.&quot;&nbsp; NRF worries that this broad definition puts the draft in conflict with legislation such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and state data breach notification laws.&nbsp; (Note, however, that the discussion draft would preempt conflicting state laws.)&nbsp;</p>
<p>The U.S. Chamber of Commerce also objects to the broad definition, arguing that it should encompass &quot;only data elements that could be used to commit identity theft or other direct consumer harm,&quot; and that &quot;data elements such as 'unique identifier,' 'persistent identifier,' 'Internet Protocol address,' 'telephone number,' and 'fax number' should be removed from the definition except where such data has already been merged with other personal information elements.&quot;&nbsp; The Chamber also maintains that &quot;the definition of 'personally identifiable information' should specifically exclude any personal information that has been rendered anonymous or 'de-identified' prior to its use.&quot;&nbsp; Like DMA (described in <a href="http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-one/">Part One</a>), the Chamber also objects to the term &quot;render anonymous&quot; and recommends harmonizing the definition &quot;with HIPAA&rsquo;s existing de-identification standard such that compliance with a similar de-identification process would provide a similar exclusion from this legislation.&quot;&nbsp; Like ABM, the Chamber objects to the inclusion of publicly available information in the definition of &quot;covered information.&quot;</p>
<p>Highlighting a concern not identified by most commenters, the Chamber also seeks an exclusion from the coverage of the legislation for information collected from or about a former, existing or prospective employee by an employer:</p>
<blockquote>
<p>Not only are employers required under federal tax and other laws to collect much of the data that would meet the definition of &quot;covered information&quot; in this draft bill, there are numerous existing federal and state laws that already protect the privacy and security of such employee information, not to mention court decisions that have sought to strike the proper balance between employer and employee rights to the information. It would be well beyond the stated purpose of this bill to re-write the laws on employer/employee data collection and use. Moreover, if employee information were to be covered, the proposed legislation would arguably affect nearly every employer in the nation, including the smallest of commercial entities, forcing them to modify employee data management practices.</p>
</blockquote>
<p><u>Definition and Treatment of &quot;Sensitive Information&quot;</u></p>
<p>The MRA expresses concern regarding the inclusion in the definition of &quot;sensitive information&quot; of numerous categories of information often used in survey research:</p>
<blockquote>
<p>the definition of sensitive information in the draft bill is so broad that it includes &ldquo;. . . race or ethnicity&rdquo;, one of the most commonly used categories of demographic data in all research. While &ldquo;. . . religious beliefs&rdquo; and &ldquo;. . . sexual orientation&rdquo; are not as standard, they are still relatively common demographic questions in survey and opinion research.<br />
<br />
. . . While MRA understands the concern for privacy of medical records, the definition of &ldquo;. . . medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional&rdquo; could be construed to mean far more than actual records of a doctor or hospital. If a telephone survey were to ask a research participant, &ldquo;Have you ever suffered from one of the following illnesses&rdquo;, would the resulting data constitute a medical record according to your draft bill? How about responses to a question such as, &ldquo;How are you feeling today? Are you feeling better or worse than yesterday?&rdquo; Such questions are quite common in research studies and would seem to run afoul of the draft bill&rsquo;s restrictions on sensitive information.<br />
<br />
MRA also would like clarification on &ldquo;. . . financial records&rdquo; to ensure that it does not include data on a research participant&rsquo;s individual or household income &ndash; again, one of the most common categories of demographic data in any research study.</p>
</blockquote>
<p>NRF objects to the inclusion within the definition of &quot;sensitive information&quot; of &quot;race or ethnicity, religious beliefs, account information, and geolocation information.&quot;&nbsp;</p>
<p>The U.S. Chamber of Commerce also finds the definition of &quot;sensitive information&quot; to be overbroad, noting, like the MRA, that it might &quot;include self-reported financial and health information in survey data,&quot; and arguing that it would result in conflicting requirements for organizations under different federal laws.&nbsp; The Chamber expresses concern that &quot;'[r]ace or ethnicity' could cover ads delivered in different languages&quot; and argues that the definition of &ldquo;[m]ental or physical condition&quot; should &quot;relate a [sic] specific diagnosis.&quot;&nbsp; The Chamber also argues that precise geographical information should not be covered by the law and should be left to self-regulation at this time.</p>
<p><u>Covered Entities</u></p>
<p>The U.S. Chamber of Commerce argues that the bill should exempt from the definition of &quot;covered entities&quot; organizations already regulated by federal privacy legislation such as GLBA, FCRA and HIPAA.</p>
<p><u>Detailed Notice/Privacy Policy Requirements</u></p>
<p>ABM points out that its members already provide privacy notices offline with opt-out rights.&nbsp; ABM also seeks a &quot;blanket exemption of any collection of [individual&rsquo;s name, address, phone number and email address] from the notice provisions of the bill, without the limitation . . . to collection as 'part of a first party transaction'&rdquo; and objects to any requirement that an organization include retention periods in privacy notices since those time periods will vary significantly depending on the circumstances.</p>
<p>Like other advertisers, ANA notes criticism by regulators of long and dense privacy notices that consumers are unlikely to read or understand, and objects to requirements in the discussion draft that would require even more detail:&nbsp; &quot;Many policymakers and critics argue that the privacy policies that are now on most commercial websites are too long, complex and legalistic.  The notice requirements of the Discussion Draft would provide little assistance in this regard to consumers and are likely to exacerbate this problem.&quot;</p>
<p>The MRA expresses a concern related to the anticipated difficulty of distributing written privacy notices prior to collection of certain information by telephone for research purposes:</p>
<blockquote>
<p>Making a copy of the privacy notice &ldquo;available to an individual in writing before the covered entity collects any covered information from that individual&rdquo; would mean mailing potential research participants a copy of the privacy notice in advance of contact. Even that action would require some data collection, because the researcher would need to know the individual&rsquo;s name and mailing address in order to send the notice. This would dramatically increase the cost of a research study and the time required to complete it. Time-sensitive studies, like most political and public opinion polling, would be imperiled. In situations where timely data is as critical as accurate data, information will not be readily deliverable to companies, government agencies, and other entities that need to make swift decisions.</p>
</blockquote>
<p>As such, the MRA  recommends a revision &quot;to help clarify how a privacy notice could be made 'available' in the context of data collection for research purposes over the telephone.&quot;&nbsp; That revision would require that, where &quot;the covered entity collects covered information by phone for bona fide survey and opinion research purposes, the covered entity . . .&nbsp; instruct an individual on where to find the privacy notice . . . on the Internet . . . or offer to send a copy of the privacy notice by mail to an individual, before the covered entity collects any covered information from that individual.&quot;&nbsp; The MRA also suggests the addition of a new definition of &quot;bona fide survey and opinion research&quot; as follows:&nbsp; &quot;the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant&rsquo;s attitudes or behavior.&quot;</p>
<p>The U.S. Chamber of Commerce includes comments reminiscent of those submitted by the DMA, described in <a href="http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-one/">Part One</a>, regarding the practical difficulties resulting from a requirement that notice be provided prior to collection of information, in the online and offline worlds alike.  The Chamber recommends elimination of this requirement:</p>
<blockquote>
<p>Data collection begins immediately when a consumer enters a Web site address in a browser and clicks the go or return function, as an IP address must be collected before a Web site can be delivered to the browser for display. Also, each third party conducting business on the Web site, whether for marketing, fraud detection, or setting a time and date stamp, begins collecting information before the Web site actually loads.  Therefore, significant amounts of covered information, as defined in the proposed bill, could be collected before a consumer would actually read a privacy policy and be able to make a choice.  In many cases, consumers rarely if ever choose to read a privacy policy, so presumably all data collected to display the Web site would be in violation of the proposed law.</p>
</blockquote>
<p><u>Opt-Out for Certain First Party Practices</u></p>
<p>ABM argues for an exemption for all &quot;first-party online advertising, including specific contextual advertising.&quot;&nbsp; ANA also objects to opt-out requirements for first party transactions, noting that this goes beyond current practices and FTC policies.</p>
<p>Like ABM, ANA and DMA, NRF objects to the opt-out requirements for first-party marketing:&nbsp; &quot;retailers have engaged in extensive CRM (Customer Relationship Management) in both the catalog and brick and mortar world for years. As retailing moved online, CRM moved to the web as well, with first-party customer interaction being vitally important to both the retailer and to the consumer. It is our belief that the current draft creates the potential for a 'small-print web' where even common first-party processes would have to be disclaimed by site operators and customers would be constantly bombarded with marketing 'choices.'&quot;&nbsp; NRF notes that it made the same comments on the original FTC Self-Regulatory Guidelines, and that the <a href="http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf">final version of those Guidelines</a> contained a clear first-party exemption.</p>
<p>NRF also raises questions about the practicality of such a rule:</p>
<blockquote>
<p>If consumers don&rsquo;t even open their mail, it becomes hard to conceptualize a practical mechanism by which a consumer would have a privacy policy delivered and exercise a real-time opt-out without significantly disrupting their shopping session. Also, would the retailer have to provide an opt-out every time a customer placed something in their shopping cart and a cookie was simultaneously placed on their computer if that same cookie might be used to &ldquo;save the cart&rdquo; for 30 days or deliver promotional information the next time the customer visited the site? Would the same type of notice have to be provided before a consumer could knowingly and voluntarily provide personally identifying information such as e-mail, shipping and credit card information to complete a transaction?</p>
</blockquote>
<p>NRF maintains that consumers do not take advantage of opt-outs, in any event:&nbsp; &quot;In fact, by our estimates, only 6 percent of retail customers exercised their right to opt-out of marketing e-mails in 2007.&quot;</p>
<p>The U.S. Chamber of Commerce also opposes any first party opt-out requirement, noting that, among other things, it would &quot;hinder[] fraud prevention, disabl[e] basic Web site monitoring and advertising metrics, and hamper[] content customization and retail product recommendations online.&quot;</p>
<p><u>Opt-In Requirements</u></p>
<p>ABM opposes opt-in requirements &quot;for the offline collection of basic information from individuals wishing to establish business relationships, or acting within an established business capacity, and believes that the offline collection of basic business information, like that found on a business card or other public industry information, should be exempted from the bill.&quot;&nbsp; ABM also objects to opt-in requirements for transfers to third parties, and seeks clarification as to what would be included, particularly in the offline world.&nbsp; ABM opposes opt-in for material changes to privacy policies.&nbsp; Finally, ABM seeks clarification of the definition of &quot;precise geolocation,&quot; so that businesses know whether &quot;geolocation would include data points such as a zip code, IP address, area code or even mailing address&quot; and &quot;urges [the drafters] to carefully consider innovation in serving advertising supported content to mobile devices by clarifying the term 'precise geolocation information' to ensure that first party transactions involving the location of a mobile device are exempted from an opt-in requirement.&quot;</p>
<p>The ANA objects to all opt-in requirements as unduly costly and unlikely to be productive, citing studies on opt-in by various organizations and companies.&nbsp; For example, it cites a <a href="http://www.bbbonline.org/UnderstandingPrivacy/library/">study from the Privacy Leadership Initiative</a> finding that, &quot;[i]n the apparel sales area alone, it was demonstrated that if catalog sellers were unable to use routine data that they collect from customers and obtain third party data, they would have to raise their prices by more than $1.4 billion annually.&quot;&nbsp;</p>
<p>The MRA expresses concerns with respect to the opt-in restrictions on third party transfers as they would affect the research industry, noting that,</p>
<blockquote>
<p>[a]lthough no personally identifiable data is shared with the clients requesting a study without the consent of the research participants, identifiable data must be transferred between various companies involved in conducting the study in order to complete the work. The average research study requires multiple organizations that divide the labor: one company is hired by a client to conduct a study and it contracts with others to get the study completed. For instance, one company might do the recruitment of research participants or provide the &ldquo;sample&rdquo;, another would collect the data, yet another might translate any responses from foreign languages, one more would process and analyze the data -- all before the original hired company puts together the study results (presenting aggregate de-identified data) into a report for the client.</p>
</blockquote>
<p>As such, MRA suggests a revision to the opt-in requirement that would provide as follows:&nbsp; &quot;The consent requirements of this subsection shall not apply to the disclosure of covered information as part of a bona fide survey and opinion research study, provided that-(A) only aggregate information will be shared with the end user who requested or sponsored the study; and (B) all unaffiliated parties to whom covered information is disclosed agree to use such covered information solely for the purpose of conducting the bona fide survey and opinion research study and not to disclose the covered information to any other person.&quot;</p>
<p>NRF, like other advertisers, objects to any opt-in requirement in any context, focusing on the impracticality of such requirements.&nbsp; Among other things, NRF argues the chance of a consumer even obtaining and opening an opt-in notice is slim:&nbsp; &quot;If these marketing statistics bear out in the context of opt-in, a retailer has an 88-94 percent chance that an opt-in could not be obtained every time a material change is made.&quot;</p>
<p>The U.S. Chamber of Commerce disapproves of an opt-in for sharing with third parties, noting that this requirement does not focus on the &quot;intended purpose&quot; or protect against any perceived harm, echoing some of the concerns evinced by the ANA described in &quot;General Observations&quot; above.&nbsp; The Chamber also maintains that affiliated parties should include entities that operate websites as joint ventures.&nbsp; Further, the Chamber objects to opt-in restrictions for undefined &quot;material changes&quot; to privacy policies.</p>
<p><u>Operational and Transactional Purpose Exception</u></p>
<p>ABM seeks clarification of the transactional purpose definition, proffering the following example: &quot;when an ABM member company produces a trade show, and a business signs up to attend the trade show, that should be viewed as a transaction, so that exchanges and sharing of information collected from the attendees at the trade show fall within the transactional exemption.&quot;</p>
<p>The U.S. Chamber of Commerce argues that the operational purpose exception is too narrow because it &quot;does not apply if the data is also used for marketing, advertising, or sales,&quot; and that &quot;[t]he draft bill should be technology-neutral and should not favor one type of advertising over another.&quot; The Chamber further recommends that &quot;operational purpose&quot; include &quot;'detecting, preventing, or acting against actual or suspected fraud targeting the individual.'&quot; The Chamber also seeks clarification of the &quot;transactional purpose&quot; definition to make sure &quot;[m]arketing efforts designed to encourage transactions or sales&quot; are covered.</p>
<p><u>Exception for &quot;Individual Managed Preference Profiles&quot;</u></p>
<p>ABM argues that &quot;the in-ad notice and preference profile requirements necessary to achieve exemption from 'opt-in' for advertisements served by unaffiliated third party ad networks should be the responsibility of the ad network, not the first party publisher.&quot;</p>
<p>The U.S. Chamber argues that all entities engaged in OBA should be similarly regulated, independent of the business model:</p>
<blockquote>
<p>the draft allows entities that construct and maintain user preference profiles to utilize opt-out consent for the collection and use of covered information, but appears to preclude any new or different business models from doing so.<br />
<br />
The draft should provide all entities involved in OBA with equal opportunities to utilize opt-out consent for the collection and use of covered information. It should not disfavor particular business models with more burdensome regulatory obligations, since doing so would deter entry, harm innovation, and undermine competition and choice in the OBA marketplace.</p>
</blockquote>
<p><u>Conflict with First Amendment Rights</u></p>
<p>Like NetChoice (comments described in <a href="http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-one/">Part One</a>), the ANA argues that &quot;[s]ome courts and legal scholars believe that [an opt-in requirement] raises serious First Amendment issues.  In 1999 in <em>U.S. West v. Federal Communications Commission</em>, 182 F.3d 1224, the 10th Circuit Court of Appeals held that the government must carry out a careful calculation of costs and benefits associated with burdens on speech imposed by an opt-in rule.  In that case, the court struck down an FCC rule that contained an opt-in requirement, concluding that the rule violated the First Amendment.&quot;</p>
<p><u>Data Accuracy Requirements</u></p>
<p>As noted in our <a href="http://www.infolawgroup.com/2010/05/articles/behavioral-advertising/breaking-down-the-boucher-bill/">FAQ on the bill here</a>, the discussion draft would require &quot;in very general terms that a covered entity 'establish reasonable procedures to assure the accuracy of the covered information it collects.'&quot;&nbsp; ANA, unlike most commenters, specifically calls out this provision as problematic due to the possibility of providing unlimited access rights to consumers that might actually create additional privacy and security risks:&nbsp; &quot;We are concerned that this provision could under the Draft possibly lead to a broad right of consumer access to all information held about them by a company and the right to 'correct' that information.  Providing consumers with such broad access to all information, without adequate protections, can create, if not carefully developed, a new set of major privacy and security risks.&quot;</p>
<p><u>Status</u></p>
<p>Last Wednesday, Rep. Boucher told <a href="http://techdailydose.nationaljournal.com/2010/06/boucher-wants-bipartisan-priva.php">Tech Daily Dose</a> that &quot;most business groups believe the legislation is 'too strict,' while privacy advocates and public interest groups say it doesn't go far enough to protect consumer privacy.&quot;&nbsp; As such, Boucher told Tech Daily Dose, he believes he has a &quot;very centrist proposal.&quot;&nbsp; In any event, Boucher indicated that he intends to make some modifications to the bill based on the feedback, &quot;including lawmakers on both sides of the aisle in meetings with stakeholders,&quot; but did not specify a timeframe for completion of that process.</p>]]></description>
<link>http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-two/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/06/articles/behavioral-advertising/reactions-to-the-boucher-bill-part-two/</guid>
<category>ABM</category><category>ANA</category><category>Behavioral Advertising</category><category>Boucher</category><category>Chamber</category><category>Chamber of Commerce,</category><category>DMA</category><category>Data Privacy Law or Regulation</category><category>MRA</category><category>NRF</category><category>NetChoice</category><category>PII</category><category>Privacy Law</category><category>Shop.org</category><category>Stearns</category><category>U.S. Chamber of Commerce,</category><category>comments</category><category>discussion</category><category>draft</category>
<pubDate>Sun, 13 Jun 2010 22:52:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>
<item>
<title>Announcement: David Isom and Richard Santalesa Join InfoLawGroup</title>
<description><![CDATA[<p>We are very pleased to announce that David K. Isom and Richard L. Santalesa have joined the firm as Senior Counsel.  David, an e-discovery authority and 30-year trial lawyer, was formerly co-chair of Greenberg Traurig&rsquo;s Electronic Discovery Practice Group. Rich, based in New York City and Fairfield, Connecticut, has had a career of representing clients in electronic commerce and Internet and privacy issues and other commercial arrangements involving intellectual property and technology-savvy companies. Read more about David and Rich after the jump.&nbsp; You can also check out their bios  <a href="http://www.infolawgroup.com/2009/10/promo/attorneys/david-k-isom/#more">here </a>and <a href="http://www.infolawgroup.com/2009/10/promo/attorneys/richard-l-santalesa/#more">here</a>.</p>]]><![CDATA[<p>David Isom has served as lead trial counsel in large commercial litigation throughout the country and abroad.  In the electronic discovery space, David focuses on the potency, risks and challenges in complex commercial litigation.  He is the author of &ldquo;The Burden of Discovering Inaccessible Electronically Stored Information&rdquo; and &ldquo;Electronic Discovery Primer for Judges,&rdquo; both published in the Federal Courts Law Review, and has co-authored and edited numerous chapters and articles in other publications on e-discovery and information security law. David is a graduate of Duke University School of Law.<br />
<br />
Rich has a deep and interdisciplinary background in information technology, journalism, and law practice, and expands the virtual firm&rsquo;s geographic footprint to the East Coast, where the firm is already servicing numerous clients. Immediately prior to joining InfoLawGroup, Rich served as outside counsel to FUJIFILM Holdings America Corporation and as Legal Counsel to Ipsos America, Inc.  Prior to practicing law, Rich enjoyed a successful career in technology, initially as a computer programmer on Wall Street, and then as an award-winning journalist, editor and analyst covering Internet, hardware, software and wireless issues.  In the late 1990s, he co-founded and served as Director of Technology of Virtual Growth, Inc., a New York City-based accounting firm providing outsourced financial and accounting services to New York City's startup and new media companies. Rich graduated from St. John&rsquo;s University School of Law, <em>cum laude</em>.</p>
<p>We are thrilled to have David and Rich join InfoLawGroup.  They supplement our existing in-depth knowledge and resources in privacy and data security compliance, data breach response, and outsourcing transactions.  Beyond that, David&rsquo;s practice adds considerable breadth to our litigation capabilities, Rich gives us added flexibility in servicing existing and new East Coast clients, and both lawyers share our commitment to providing the highest quality, lowest cost, and most practical and business-oriented legal services.  It is a great fit.</p>
<p>As we continue to see an uptick in privacy and data security related litigations and investigations, David&rsquo;s decades in the courtroom are an invaluable addition to our existing litigation group.  Both lawyers, like Dave, Scott, and myself, are passionate about technology and the law and share a vision for using technology to provide clients around the world with AmLaw 100-quality legal services at a fraction of the price.</p>]]></description>
<link>http://www.infolawgroup.com/2010/06/articles/uncategorized/announcement-david-isom-and-richard-santalesa-join-infolawgroup/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2010/06/articles/uncategorized/announcement-david-isom-and-richard-santalesa-join-infolawgroup/</guid>
<category>David Isom</category><category>Rich Santalesa</category><category>Richard Santalesa</category><category>Senior Counsel</category><category>Uncategorized</category>
<pubDate>Wed, 09 Jun 2010 14:32:00 -0700</pubDate>
<dc:creator>Tanya Forsheit</dc:creator>

</item>

</channel>
</rss>
