In late 2011, Shasta officials disclosed detailed information about a patient’s medical treatment to three separate media outlets without the patient’s authorization. In addition, Shasta distributed an email to its entire workforce of approximately 800-900 individuals that described the patient’s medical condition and treatment, also without the patient’s authorization. Shasta officials failed to sanction any of its workforce members for these impermissible disclosures of PHI in violation of the HIPAA Privacy Rule.

Pursuant to the resolution agreement, Shasta has agreed to pay a $275,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Shasta to:

• develop policies and procedures that comply with the HIPAA Privacy Rule and that must specifically address permissible and impermissible uses and disclosures of PHI, how workforce members should communicate with the media regarding patient-related inquires, and how PHI should be shared within Shasta;
• distribute these policies and procedures to its workforce and require written or electronic certification that all workforce members will comply with them;
• investigate and report any violations of the HIPAA policies and procedures to HHS; and
• conduct training for its workforce.

In announcing the settlement, the Director of the HHS Office for Civil Rights Leon Rodriguez noted that Shasta’s senior management had “intentionally and repeatedly” violated the HIPAA Privacy Rule and stated that “OCR will respond quickly and decisively to stop such behavior.” The Shasta settlement marks the second enforcement action taken by OCR in 2013, following a May 2013 settlement with Idaho State University.

View the resolution agreement.

Since the 1990s, Rich has been deeply involved in setting the Commission’s tone when it comes to privacy issues. Her appointment may signal a continuation of the Consumer Protection Bureau’s approach under former Director David Vladeck.

Rich’s appointment was one of seven senior leadership appointments announced by Chairwoman Ramirez.

In an article to be published this month in the Seton Hall University Law Review, Hunton & Williams partners Terry Connor and Kevin White question whether the Equal Employment Opportunity Commission (“EEOC”) had the statutory authority to publish its April 2012 Guidance interpreting Title VII to impose disparate impact liability on employers who consider applicants’ criminal backgrounds as part of the hiring process.

The article first reviews the cases in which employers were found liable for failing to perform sufficient background checks after an employee caused harm to a customer or another employee. The article summarizes the history of the disparate impact theory of discrimination that has developed from the Supreme Court’s 1971 decision in Griggs v. Duke Power and argues that this EEOC initiative is an inappropriate extension of that theory.

Based on that history, Connor and White argue that Title VII does not stretch so far as the EEOC has taken it in this Guidance and that the Guidance does not include sufficient analysis to persuade the courts to give deference to its interpretation.

Thus far, the EEOC has not persuaded courts to adopt its position. In EEOC v. Peoplemark, the District Court for Western Michigan granted summary judgment to the employer after the EEOC failed to produce evidence of a statistically significant racial disparity in Peoplemark’s use of the conviction criterion to screen for risk. Another case, EEOC v. Freeman, is pending in the district court for the District of Maryland on the employer’s motion for summary judgment.

Not deterred, on June 11, 2013, the EEOC continued to pursue this theory by filing cases in the District of South Carolina against BMW Manufacturing, and in the Northern District of Illinois against retailer Dollar General. White and Connor have extensive experience representing employers in employment matters and significant expertise on this issue specifically, having followed the development of the Guidance and represented employers who have been subjected to similar challenges.

Download the full article.

The plaintiffs alleged that comScore’s Terms of Service did not disclose the extent of the data collection, and that comScore used the data it collected without their authorization to develop analytics products focused on consumer behavior.

The creation of this working group was triggered by the fact that many non-EU countries have passed legislation allowing some of their public authorities to access the personal data of European citizens under certain conditions. The CNIL quoted examples of such legislation as the USA PATRIOT Act of 2001, the U.S. Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 and the Indian Information Technology Act 2000.

The CNIL also noted that the development of cloud computing services raises concerns about the level of security and confidentiality of the personal data of European citizens stored in the cloud. In the CNIL’s view, the recent revelation of the U.S. PRISM surveillance program confirms the need to clarify these issues.

The FDA advised medical device manufacturers to improve the security of the devices by:

• Limiting device access to only authorized users;
• Strengthening password protections for the devices;
• Sending regular security patches to the devices; and
• Developing data recovery and incident response plans in the event of a compromise of medical device security.

The FDA also advised hospitals and other health care facilities to take certain actions, such as:

• Restricting access to networked medical devices;
• Updating antivirus software and firewalls;
• Monitoring network activity;
• Disabling any unnecessary ports and services; and
• Developing strategies to ensure that the critical functionality of medical devices are maintained.

The FDA’s guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, advises device manufacturers to incorporate cybersecurity when designing the devices so as to produce “more robust and efficient mitigation of cybersecurity risks.” In addition, the guidance highlights five key items that medical device manufacturers are recommended to provide in their premarket submissions to the FDA:

1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with a specific device;
2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks;
3. A systematic plan for providing validated updates and patches to operating systems or medical device software;
4. Documentation that the device will be provided to purchasers and users free of malware; and
5. Instructions for anti-virus software and the use of firewalls.

Following a 90-day comment period, the FDA will then finalize the guidance. The guidance will represent the FDA’s views on cybersecurity, but will not create any legal obligations on the part of medical device manufacturers.

Under Section 36 of the DPA, individuals who process personal data for their personal, family or household affairs are exempt from complying with the obligations of the DPA with respect to such processing. This exemption does not, however, apply to processing by organizations, nor to individuals processing personal data for business purposes (e.g., operating as a sole trader).

Application of the Data Protection Act 1998

The DPA applies to any individual or organization that determines (alone or jointly) the purposes for which and manner in which personal data are processed (“data controllers”). The guidance underscores that a site operator will be considered a data controller if it processes contact information of its users or subscribers. Whether a site operator acts as a data controller in relation to personal data posted on its website depends on a number of factors, in particular whether the site operator moderates content before it is posted, or if users are able to post content directly, but only in accordance with site rules (and the site operator may immediately remove any content breaching those rules). Where the site operator acts as a data controller, it must take reasonable steps to ensure that posted personal data presented as a matter of fact (as opposed to an expression of opinion) are accurate and up-to-date. The ICO’s expectations in terms of “reasonable steps” will depend on the circumstances. Where the vast majority of site content is posted directly by third parties, the volume of posts is significant, and the site content is not moderated in advance, “reasonable steps” would not include checking the accuracy of individual posts, but would include:

• having a clear and prominent acceptable use policy;
• having clear and easy to find procedures for individuals who wish to dispute the accuracy of posts relating to them and request the removal of such posts;
• responding to accuracy disputes quickly; and,
• having procedures to suspend or remove disputed content.

Individuals who have complaints about their personal data posted on a site can contact the ICO, but should first contact the website administrator or the individual or organization responsible for the post. Further, the guidance clarifies that the ICO will not take any action with respect to complaints made against individuals processing personal data for personal purposes, no matter now unfair, derogatory or distressing the content.

The guidance also identifies other UK laws that may be relevant to social networking sites and online forums, including the Protection from Harassment Act 1997, the Malicious Communications Act 1988 and the common law of defamation.

Application of the Personal Purposes Exemption

In practice, organizations tend to focus more on their compliance obligations with respect to more established forms of online media, such as corporate websites, than they do when it comes to new media. The guidance makes clear, however, that organizations’ obligations under the DPA remain the same, specifically referencing organizations using social media to:

• post personal data on their own or a third party’s website (e.g., posting customer reviews or “I just bought…” advertisements);
• download personal data from a third party website (e.g., data scraping from public profiles); or,
• run a website allowing users to publish comments and posts, such as a blog.

Whether an individual’s use of online media is considered personal or non-personal depends on the particular facts. A sole trader setting up a website to promote his or her own business, including customer reviews, would constitute a non-personal, business purpose. An individual selling a few possessions online and messaging prospective buyers through an auction site would constitute a personal purpose exempt under Section 36, notwithstanding the fact that the individual will earn money from the sales.

The guidance also addresses the status of groups of individuals, such as clubs and societies, that create sites for their shared recreational purposes. An example of this type of shared site might be a photo-sharing webpage for friends to compile pictures from a group holiday. For those types of groups, the Section 36 exemption will still apply. A group-developed site with an evolving membership is less likely to qualify for the personal purposes exemption, since a group that exists independent of specific individuals is more likely to process personal data for its own purposes as opposed to the personal purposes of individual members. In relation to processing by groups, the presence of the following factors make it less likely that the personal purposes exemption will apply:

• the site is commercial and generates income through subscription or advertising;
• the site has been set up to pursue a professional or commercial objective;
• personal data are processed for the purposes of the group itself, rather than for the purposes of its individual members;
• personal data are posted by the group, rather than by individuals;
• the group is separately legally constituted in some way;
• the group would continue to exist even its membership changed; or,
• the group has its own set of rules, which exist separately from its members.

Conclusions

This new guidance will no doubt serve as a timely reminder to organizations that they must comply with data protection requirements with respect to of all their processing activities, including corporate social media accounts, microsites and blogs. It also may signal that the ICO intends to focus its attention more on online operators and their processing activities.

Although this guidance focuses on the personal purposes exemption with respect to social media, there also is clear overlap with the Section 32 exemption (applicable to data processing for the purposes of journalism, art, literature and the public interest). In accordance with a recommendation contained in the Leveson Inquiry, the ICO will publish guidance on the Section 32 exemption shortly.

Currently APEC and the European Commission are exploring interoperability between the APEC Cross-Border Privacy Rules program and European Binding Corporate Rules.

As we previously reported, on November 30, 2012, the FTC issued an interim final rule (“Interim Final Rule”) that limited the application of the Red Flags Rule by narrowing the definition of “creditors” to make it consistent with the Red Flag Program Clarification Act of 2010. As initially promulgated in 2007, the Red Flags Rule’s broad definitions of “financial institutions” and “creditors” were the subject of confusion and controversy that led to Congressional clarification in 2010.

The Guide outlines a two-step analysis to determine if an entity must comply with the Red Flags Rule. According to the Guide, “[t]he determination isn’t based on the industry or sector, but rather on whether a business’ activities fall within the relevant definitions. A business must implement a written program only if it has covered accounts.” The first step consists of assessing if the business falls within the Red Flags Rule’s definitions of a “financial institution” or “creditor.” The second step requires a determination as to whether the “financial institution” or “creditor” has “covered accounts” as that term is defined in the Red Flags Rule. The Guide provides that, as part of the assessment, organizations should look “at existing accounts and new ones” as well as both categories of accounts that are covered.

The FAQs contained in the Guide provide additional information on the applicability of the Red Flags Rule. Some of the questions contained in the FAQs include:

• What if I occasionally get credit reports in connection with credit transactions?
• In my legal practice, I often make copies and pay filing, court, or expert fees for my clients. Am I “advancing funds”?
• Our company is a “creditor” under the Rule and we have credit and non-credit accounts. Do we have to determine if both types of accounts are “covered accounts”?

The Guide also includes a four-step compliance process involving (1) identifying relevant Red Flags; (2) detecting Red Flags; (3) preventing and mitigating identity theft; and (4) updating the organization’s identity theft program.

For more information on the Red Flags Rule, visit the FTC’s website on Fighting Fraud with the Red Flags Rule.

Hunton & Williams has published a second update to its Executive Briefing Paper on the Proposed Regulation (the first update analyzed lead rapporteur Jan Philipp Albrecht’s draft report on the same issue), examining the Irish Presidency’s proposed amendments in detail. In particular, the analysis considers the Presidency’s proposals in relation to consent, legitimate grounds for processing, pseudonymization, data minimization, profiling, and the right to be forgotten. Each of the Executive Briefing Papers, together with further analyses prepared by Hunton & Williams, is available in the Hunton & Williams Resources section of our EU Data Protection Regulation Tracker website.