Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

In the letter to Congressman Markey, Mr. Leibowitz promised the FTC would collaborate with “copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risk associated with digital copiers and to determine whether they are warning their customers about these risks, whether they are providing education and guidance on this subject, and whether manufacturers and resellers are providing options for secure copying.”  He also stated that the FTC would “provide additional guidance to both consumers and businesses specifically addressing how to protect personal information that may be stored on hard drives of digital copiers and other devices.”

By not erasing personal information stored on the hard drives of digital copiers, businesses may be violating numerous state records disposal laws that require businesses to take reasonable steps to ensure that records containing personal information be destroyed such that the information is unreadable or undecipherable through any means.  Personal information stored on digital copiers also may trigger federal and state breach notification laws if that information is not erased.  In April 2010, Affinity Health Plan notified over 400,000 current and former customers that their personal information had been stored on the hard drives of a leased office copier that Affinity later returned to the leasing company.  The copier containing the Affinity customers’ information was featured in the CBS News exposé when reporters found information from “drug prescriptions, to blood test results, to a cancer diagnosis.”

To help ensure compliance with applicable privacy and information security laws, businesses should destroy or erase any hard drives in digital copiers before selling or discarding those machines, and should contractually require that the hard drives of leased digital copiers be erased at the termination of the lease.

In a statement, the Attorney General indicated that “unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce” and that he would “seek strong and significant sanctions, if warranted by the facts.”

Passed as part of the economic stimulus legislation in 2009, the HITECH Act authorizes state attorneys general to enforce HIPAA.  Attorney General Blumenthal was the first state attorney general to file a suit pursuant to this HITECH Act enforcement authority.  For more information on the first HITECH Act suit, please see our previous blog post. 

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”

The Contribution maintains that the fundamental principles of European data protection law remain valid.  However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:

• implementation of the legal framework for data protection in the EU Member States should be improved;
• the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
• a provision on binding corporate rules should be introduced;
• the position of “privacy by design” in the legal framework should be strengthened;
• a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
• requirements to notify data processing with national data protection authorities should be simplified or even eliminated in some cases;
• the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
• the use of consent as a legal basis for data processing should be made more restrictive;
• the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.

The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed.  It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.

The Australian government’s report addressed 197 of the 295 ALRC recommendations and promised to implement almost 90% of those recommendations.  Some of the more notable recommendations that will be implemented include: strengthening the Privacy Commissioner’s powers of investigation and enforcement; adding biometric information to the definition of “sensitive information” in the Privacy Act; enacting new rights for individuals to transfer their health records between health care providers; and requiring agencies and organizations to notify individuals if their personal information is reasonably likely to be transferred overseas.

The Australian parliament intends to draft legislation to implement the ALRC recommendations in early 2010.  After this first stage response to the ALRC report has progressed, the Australian government intends to consult with the public and privacy sectors to address the remaining 98 ALRC recommendations, which focus on sensitive issues such as data breach notification and the handling of personal information under the Telecommunications Act 1997.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
 
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date. 

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC's Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the  information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

• The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
• Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
• The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Diane Feinstein introduced a data breach notification law in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill  which is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

Alaska Stat. § 45.48.010 et seq. will apply to breaches of unencrypted personal information in both paper and electronic records.  Personal information is defined as first name or first initial and last name plus one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account, and (iv) passwords, personal identification numbers or other access codes for financial accounts.  Notification is not required if, after an appropriate investigation and written notification to the attorney general of Alaska, the entity experiencing the breach determines that there is not a reasonable likelihood that harm to the individuals whose personal information has been acquired has resulted or will result from the breach.  An entity is also exempt from notification in the event of an unauthorized but good-faith acquisition of personal information by an employee of the entity, so long as the employee does not use the personal information for an illegitimate purpose or make further unauthorized disclosure of the information.  The statute authorizes a state agency to promulgate implementing regulations at any point after the effective date.

South Carolina. Code Ann. § 39-1-90 will apply to breaches of unencrypted personal identifying information in both paper and electronic records.  Personal identifying information is defined as first name or first initial and last name in combination with and linked to one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.  The law does not require notification in the event of an unauthorized but good-faith acquisition of personal identifying information by an employee of the entity for the purposes of its business if the personal identifying information is not used or subject to further unauthorized disclosure.

For the first time in EU law the amendments introduce a definition of “personal data breach” and a data breach notification requirement. 

The amendments provide that, in the event of a breach, the provider must, without undue delay, notify the breach to the competent national authority.  The notification to the competent national authority must, in addition to the elements included in the notification to the subscriber or individual outlined below, describe the consequences of and the measures proposed or taken by the provider to address the breach.  Furthermore, providers must maintain an inventory of personal data breaches, including details of the facts surrounding such breaches, their effect and the remedial action taken, sufficient for the purpose of enabling the competent national authorities to verify compliance with the notification requirement. 

In cases where the breach is likely to affect adversely the personal data and privacy of a subscriber or an individual, the provider also must notify the subscriber or individual of the breach without undue delay.  At a minimum, the notification to the subscriber or individual must describe the nature of the breach and provide contact details for further information.  The notification also must recommend measures to mitigate the possible adverse effects of the breach.  Notification of the breach to a subscriber or individual is not required if the provider has demonstrated to competent authority’s satisfaction that it has implemented appropriate technical measures and those measures were applied to the affected data.  Such technical measures must render the data unintelligible to persons who are not authorized to access the data.  The amendments do provide that, without prejudice to the provider’s obligation to notify subscribers and individuals of a data breach, the competent national authority, having considered the likely adverse effects of the breach, may require the provider to do so in any event.  

There is some disagreement regarding unrelated elements of the telecom package currently under consideration.  As a result, the entire telecom package will undergo a conciliation procedure, but the proposed amendments to the e-Privacy Directive are not likely to be challenged.

It is not clear when the revision will be adopted.  The timing is particularly significant given the forthcoming EU elections.  If agreement on the unrelated elements of the telecoms package cannot be reached before June 4, the new parliament may revisit the telecom package in the fall of 2009.  If agreement is reached before June 4, the Council could agree on the telecoms package on June 12.  Member States will have 18 months from the date of adoption to implement the new requirements into their domestic legislation.

The parliament’s adopted position is available here.
 

Interestingly, the guidance specifies only two methods for securing PHI in a manner that would avoid the application of the HITECH Act’s breach notification provisions.  First, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if it has been encrypted, provided the encryption key has not also been breached.  In this regard, HHS has followed the lead of more than 45 state breach notification laws that likewise provide “safe harbors” for encrypted information.  HHS does, however, specify that encryption must comply with the HIPAA Security Rule’s provisions and further provides two specific examples of encryption that have been deemed to meet this standard: (1) for data at rest, encryption consistent with National Institute of Standards and Technology Special (NIST) Publication 800-111 and; (2) for data in transit, encryption that complies with Federal Information Processing Standard 140-2. 

Second, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if media on which it is stored or recorded has been destroyed by one of the following methods: (1) paper, film or other hard copy media have been shredded or destroyed such that PHI cannot be read or reconstructed; and (2) electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved. 

The guidance is clear that its recitation of information safeguards, though a proposal pending public comment, is intended to be exhaustive.  The guidance, developed jointly by the Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and Centers for Medicare and Medicaid Services, acknowledges that use of the technologies and methodologies described therein are not required but, if used, “create the functional equivalent of a safe harbor” with respect to the breach notification provision contained in the HITECH Act.  The guidance also notes that any other applicable requirements, such as mitigation requirements contained in the Privacy Rule and state breach notification laws, must be followed to the extent applicable, regardless of adherence to the guidance.

As above, this information security guidance relates to two sets of forthcoming breach notification regulations.  The first, applicable to covered entities and business associates, will be issued by HHS and the second, applicable to vendors of personal health records and certain other non-HIPAA covered entities, was issued by the Federal Trade Commission in proposed form on April 16.

Public comments on the HHS information security guidance are due by May 21, 2009.  HHS has specifically signaled interest in receiving comments regarding whether limited data sets of PHI should be considered, by definition, to render PHI unusable, unreadable or indecipherable such that the HITECH Act’s breach notification provisions would not apply. 

In addition to the guidance, HHS also issued a request for information soliciting public comment on the breach notification provisions of the HITECH Act to inform its future rulemaking and its annual updates to the guidance.  The guidance is available here  and both the guidance and the request for information are available here.

Pinero contended that sometime in early 2008, defendants disposed of her 2005 federal and state tax returns intact in a public dumpster.  An unrelated individual found Pinero’s tax returns, as well as those of over 100 other people, and alerted a local television news station.

Pinero brought a putative class action, asserting state law claims of fraud, breach of contract, negligence, invasion of privacy, violation of the Louisiana Database Security Breach Notification Law ("LDSBNA") and violation of the Louisiana Unfair Trade Practices Act (LUTPA).  She also alleged that Jackson Hewitt violated 26 U.S.C. § 6103, which restricts certain disclosures of tax returns.  Pinero sought general damages for fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress, as well as special damages for credit monitoring, credit insurance, reimbursement for all out-of-pocket expenses related to notifying creditors of the improper disclosure, and reimbursement for all out-of-pocket expenses related to identity theft.

Jackson Hewitt moved to dismiss all claims.  Highlights of the court’s decision include:

• Dismissal of the negligence claim because the increased risk of identity theft is too speculative to qualify as actual damage;
• dismissal of the LDSBNA claim, in part because it only applies to breaches of computerized data;
• dismissal of the contract claim, in part because expenses related to credit monitoring to guard against future identity theft are not compensable damages;
• dismissal of the fraud and LUTPA claims (with leave to re-plead) for failure to explain why the representations in the privacy policy were misleading, since the mere breach of those promises does not alone establish that they were fraudulent;
• dismissal of the claim under 26 U.S.C. § 6103, since that statute only prohibits disclosure of tax returns by persons to whom access to tax returns was granted by the IRS; and
• denial of the motion to dismiss the invasion of privacy claim, since the alleged facts supported a claim for unreasonable public disclosure of private facts.

In response to this decision, Pinero filed an amended class-action complaint, re-pleading the fraud and LUPTA claims and maintaining the invasion of privacy claim.