Privacy Bulletin: Issue No. 57

Maryland Enacts Credit History Bill; Takes Up Health Privacy

The Maryland Legislature has been active in the Privacy arena, passing the Job Applicant Fairness Act (SB 132/H.B. 87), which was signed into law by Governor Martin O’Malley on April 12 and moving forward on legislation which would require the Maryland Health Care Commission (“MHCC”) to develop regulations focused on the privacy and security of protected health information transmitted via a health information exchange (SB 723/HB 784).

Effective October 1, 2011, the Job Applicant Fairness Act prohibits employers from using an applicant’s or employee’s credit report or history in determining whether to (i) hire the applicant, (ii) fire the employee, (iii) or determine employee compensation or other terms, conditions, or privileges of employment. The bill is applicable to all employers excluding employers who are required to inquire into an employee or applicant’s credit report or history by law, financial institutions who accept federally insured deposits, a credit union share guaranty corporations, or entities that are registered with the SEC as an investment advisor. In addition, the bill contains provisions which authorize an employer to request or use an employee’s credit report in specific instances, such as when the employer has a bona fide purpose that is substantially job-related for requesting or using a credit report and discloses such request in writing to the affected individual. Violations of the act may be reported to the Commissioner of Labor and Industry who may resolve the matter informally or assess civil penalties up to $500 for an initial violation or $2,500 for a repeated violation. With the passage of this law, Maryland is one of four other states that have laws limiting the use of credit data for employment purposes.

The Maryland Legislature also concurrently sent identical House and Senate bills to Governor O’Malley for approval that would require the MHCC to adopt regulations governing privacy and security that would ensure that personal health information transmitted via a health information exchange is protected consistent with the federal Health Insurance Portability and Accountability Act. If enacted, the law would prohibit the sale of data obtained or released through a health information exchange until regulations are adopted by MHCC and would require the MHCC to adopt regulations that promote technology standards that conform to the standards of the Office of the National Coordinator for Health Information Technology and limit the scope of clinical information to information that is exchanged to purposes that promote improved access to clinical records or uses of the state designated exchange important to public health agencies. Governor O’Malley has until May 31 to sign or veto this measure, which would be effective October 1, 2011, if enacted.

PlayStation Data Breach Puts 77 Million Customers at Risk

Most gamers wouldn’t think their personal, confidential information could be compromised simply by playing a video game online. But an attack on Sony’s PlayStation Network, as reported on TheHill.com, may impact up to 77 million consumers worldwide.

The extent of the breach has yet to be fully determined. But Sony confirmed that user account information was compromised, including users’ names, addresses, email addresses, birthdates, passwords, and logins. Perhaps most damaging is the possible exposure of credit card numbers. Sony said that while it does not believe that its customers’ credit card numbers were compromised, it cannot rule out that possibility.

Sony has come under some criticism for waiting more than a week to inform customers of the data breach. It is alleged that the lag in reporting could give the hackers more time to potentially exploit stolen customer information. Senator Richard Blumenthal (D-CT) sent Sony a letter criticizing the company for its failure to inform its customers.

As a result of this security breach, Sony reportedly has shut down its servers and hired an outside firm to strengthen its security protections. So far, Sony has not provided any details as to how the breach happened. The Chicago-Sun Times reports that the FBI is investigating.

This incident has already launched a lawsuit against Sony. The first class-action lawsuit was filed by Kristopher Jones of Alabama in the United States District Court for the North District of California. The lawsuit accuses Sony of breach of warranty, negligent data security, and violations of consumers’ rights of privacy. Given the scope of the breach, it seems inevitable that more lawsuits will follow.

On May 3, 2011, Sony communicated that a second breach had taken place April 16-17, before the PlayStation intrusions. Sony said that hackers may have stolen about 12,700 credit or debit card numbers (but not credit card security codes) of users in other countries outside the United States and about 10,700 direct debit records of customers in Austria, Germany, Netherlands, and Spain.

U.S. Supreme Court Examines Prescription Privacy Laws in Connection with Data Mining

On Tuesday, April 26, 2011, oral arguments were heard before the Supreme Court in Sorrell v. IMS Health Inc. on whether a Vermont law prohibiting the sale of raw patient data by pharmacies to data mining companies constitutes an impermissible restriction on commercial speech. Vermont passed its law in 2007. The state claimed it was protecting patient privacy and stopping an unwanted “data mining” practice. The drug companies challenged the state law on the grounds it violated the First Amendment by restricting commercial speech.

In Vermont, it was alleged that pharmacies collected information on patient drug prescriptions, and then sold that raw data (redacting personal information about the patients) to data collection agencies. The collection agencies then sold the information to pharmaceutical companies, which used that data to drive their marketing decisions.

The Vermont law was upheld at the District Court level but was found to be an impermissible restriction on commercial speech by the U.S. Court of Appeals for the Second Circuit. Should the Supreme Court rule in favor of the state, it is likely that other state legislatures will pass similar restrictions on prescription data mining. Both Maine and New Hampshire enacted similar laws; both of these statutes were also challenged in court and are in various stages of adjudication.

Womble Carlyle will continue to monitor this case and its potential impact on the number of companies that collect and sell consumers’ personal information.

Texas Agency Accidentally Exposes Personal Data of 3.5 Million

Texas State Comptroller Susan Combs recently said her office inadvertently exposed personal information—including Social Security numbers—of approximately 3.5 million people on its public Web site. The information was exposed for close to a year before the breach was discovered. Most of the people affected were state employees or retired state workers.

Combs' office is offering one year of free credit monitoring to the affected individuals to ensure their accounts aren’t being misused. Combs’ campaign fund (not the state) will pay to restore the identity of anyone whose information is misused as a result of the breach. A special Web site, http://www.txsafeguard.org/, and toll-free number have been set up to answer questions and respond to inquiries.

On April 29th, Thomson Reuters reported that the first class action lawsuit was filed over this privacy breach and it appears another lawsuit may be imminent.

“I am deeply sorry this incident occurred and I take full responsibility for it,” Combs said in her April 28th press release. “This incident has affected the lives of Texans that I have dedicated my life to serving, and I am determined to restore their faith in the Comptroller's office. That's why we are taking additional actions to assist those who were affected and implementing new policies and procedures to help ensure this never happens again.”

Senate to Hold Hearing on iPhone, Android Collection of User Data

Senator Al Franken (D-Minn.) announced that he will hold a Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing on Apple and Google’s collection of consumer data via the iPhone and smart phones using Google’s Android system. According to recent media reports, some iPhone and Android users are reporting that their locations are being tracked. The hearing is scheduled for May 10th. Representatives from Apple and Google have been invited to appear.

“The same technology that has given us smart phones...has also allowed these devices to gather extremely sensitive information about users, including detailed records of their daily movements and location,” Franken said. Yahoo News also reported that Illinois Attorney General Lisa Madigan expressed similar concerns in a separate letter.

This is not Franken’s first inquiry into this issue. In a letter to Apple’s Steve Jobs dated April 20, 2011, Franken asked why the company was “secretly compiling” the data and what it would be used for. Franken’s letter further emphasized that this information is stored in an unencrypted format, which as a result makes it more susceptible for a malicious person to access this data. In addition, the letter raised serious concerns about the millions of children and teenagers who use iPhone or iPad devices.