FTC Warns Organizations of P2P-Related Data Security Breaches

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers. 

Hunton & Williams partner Lisa J. Sotto discussed the FTC’s release in USA Today's Technology Live Blog.

Privacy and Data Security Risks in Cloud Computing

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Connecticut AG Files First HITECH Act Suit

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees, and for failing to promptly notify consumers endangered by the security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”

Article 29 Working Party Issues Contribution to Consultation on the EU Data Protection Framework

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  View the full text of the Contribution, which was published today.  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of the structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

The Contribution maintains that the fundamental principles of European data protection law remain valid.  However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:

  • implementation of the legal framework for data protection in the EU Member States should be improved;
  • the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
  • a provision on binding corporate rules should be introduced;
  • the position of “privacy by design” in the legal framework should be strengthened;
  • a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
  • requirements to notify data processing with national data protection authorities should be simplified or even eliminated in some cases;
  • the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
  • the use of consent as a legal basis for data processing should be made more restrictive;
  • the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.

The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed.  It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.

FTC and HHS Issue Final Breach Notification Rules

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
 
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date. 

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.

Data Security Breach Notification Law Update

July saw a flurry of activity involving data security breach notification laws. 

  • On July 1, breach notification laws in Alaska and South Carolina went into effect.
  • On July 9, Missouri became the 45th state to enact a data breach notification law. 
  • On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill calling it one of his “highest legislative priorities.”
  • On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information.  The amendment also included content requirements for the attorney general’s notice.

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

  • The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
  • Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
  • The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Dianne Feinstein introduced a data breach notification bill in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill which is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

New Data Security Breach Laws in Alaska and South Carolina

On July 1, 2009, new laws will take effect in Alaska and South Carolina that will require entities that have experienced data security breaches involving personal information to notify affected individuals of the breaches.  With these additions, a total of 44 states, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands, will have active breach notification laws in place.  There are no breach notification laws in Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Alaska Stat. § 45.48.010 et seq. will apply to breaches of unencrypted personal information in both paper and electronic records.  Personal information is defined as first name or first initial and last name plus one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account, and (iv) passwords, personal identification numbers or other access codes for financial accounts.  Notification is not required if, after an appropriate investigation and written notification to the attorney general of Alaska, the entity experiencing the breach determines that there is not a reasonable likelihood that harm to the individuals whose personal information has been acquired has resulted or will result from the breach.  An entity is also exempt from notification in the event of an unauthorized but good-faith acquisition of personal information by an employee of the entity, so long as the employee does not use the personal information for an illegitimate purpose or make further unauthorized disclosure of the information.  The statute authorizes a state agency to promulgate implementing regulations at any point after the effective date.

S.C. Code Ann. § 39-1-90 will apply to breaches of unencrypted personal identifying information in both paper and electronic records.  Personal identifying information is defined as first name or first initial and last name in combination with and linked to one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual.  The law does not require notification in the event of an unauthorized but good-faith acquisition of personal identifying information by an employee of the entity for the purposes of its business if the personal identifying information is not used or subject to further unauthorized disclosure.

Maine Requires Breach Notice within Seven Days of Go-Ahead from Law Enforcement

On May 19, Maine Governor John Baldacci signed legislation limiting the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation. The provision, which will take effect 90 days after the close of the Legislature's 2009 session (scheduled to occur on June 17), will limit the permissible delay to seven business days.

Pursuant to Maine's current breach notification law, entities that become aware of a breach "shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused." If the entity concludes, following its investigation, that notification to affected individuals is required, notice may be delayed if a law enforcement agency determines that notice would "compromise a criminal investigation." Once the law enforcement agency concludes that notification will not compromise its criminal investigation, the entity will have no more than seven business days to provide notice of the breach to affected individuals.

Text of the legislation, L.D. 970, is available here.

European Parliament Adopts Position on Data Breach Notification Requirement for Telecoms and ISPs

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, the amended Directive will include a definition of “personal data breach” and will introduce a data breach notification requirement.

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

For the first time in EU law the amendments introduce a definition of “personal data breach” and a data breach notification requirement. 

The amendments provide that, in the event of a breach, the provider must, without undue delay, notify the breach to the competent national authority.  The notification to the competent national authority must, in addition to the elements included in the notification to the subscriber or individual outlined below, describe the consequences of and the measures proposed or taken by the provider to address the breach.  Furthermore, providers must maintain an inventory of personal data breaches, including details of the facts surrounding such breaches, their effect and the remedial action taken, sufficient for the purpose of enabling the competent national authorities to verify compliance with the notification requirement. 

In cases where the breach is likely to adversely affect the personal data and privacy of a subscriber or an individual, the provider also must notify the subscriber or individual of the breach without undue delay.  At a minimum, the notification to the subscriber or individual must describe the nature of the breach and provide contact details for further information.  The notification also must recommend measures to mitigate the possible adverse effects of the breach.  Notification of the breach to a subscriber or individual is not required if the provider has demonstrated to the competent authority’s satisfaction that it has implemented appropriate technical measures and that those measures were applied to the affected data.  Such technical measures must render the data unintelligible to persons who are not authorized to access the data.  The amendments do provide that, without prejudice to the provider’s obligation to notify subscribers and individuals of a data breach, the competent national authority, having considered the likely adverse effects of the breach, may require the provider to do so in any event.

There is some disagreement regarding unrelated elements of the telecom package currently under consideration.  As a result, the entire telecom package will undergo a conciliation procedure, but the proposed amendments to the e-Privacy Directive are not likely to be challenged.

It is not clear when the revision will be adopted.  The timing is particularly significant given the forthcoming EU elections.  If agreement on the unrelated elements of the telecoms package cannot be reached before June 4, the new parliament may revisit the telecom package in the fall of 2009.  If agreement is reached before June 4, the Council could agree on the telecoms package on June 12.  Member States will have 18 months from the date of adoption to implement the new requirements into their domestic legislation.

The parliament’s adopted position is available here.