Privacy Bulletin: Issue No. 60

U.S. Supreme Court strikes down Vermont law protecting prescription privacy

In a blow to medical privacy and a victory for the direct marketing industry, the Supreme Court ruled that Vermont’s Prescription Confidentiality Law violates the rights of data miners under the Free Speech Clause of the First Amendment. The Court found issue with the law’s provision that absent prescriber consent, pharmacies and similar entities may not sell or otherwise provide prescriber-identifying information for marketing purposes; yet, the same information may be disseminated and used for other purposes, such as education or research. On the surface, the decision is a victory for drug manufacturers and data marketing firms that use doctors’ prescribing history to create more informed and targeted marketing efforts. Many feel the Court’s ruling calls into question the constitutionality of prescription privacy legislation pending in other states, such as Massachusetts, Maine and New Hampshire.

So does this ruling finally answer the question of what the Supreme Court holds more sacred: corporate First Amendment rights or individual privacy concerns? The Center for Democracy and Technology argues no, and that from the beginning the Justices questioned whether the Vermont law was ever intended to protect patient privacy, especially given the federal protections already in place. “The Supreme Court explicitly states that a statute imposing a more comprehensive privacy regime ‘would present quite a different case than the one presented here.’ The court explained that had the state restricted all disclosure except in ‘a few narrow and well-justified circumstances,’ then the court would have viewed the challenge through a quite difference lens.”

Sony hit with additional lawsuits from mid-April breach

The mid-April data breach at Sony that exposed the personal data of over 77 million users of its PlayStation Network and Sony Online Entertainment network has prompted yet another class-action lawsuit–this time by three New York users of the game console. In their complaint, filed in the Southern District of California, plaintiffs allege Sony spent “lavishly” to protect its own data, while cutting costs and corners with respect to their customer’s data security. The 30-page complaint also alleges Sony did not encrypt customers’ personal data and laid off a substantial portion of its Sony Online Entertainment workforce just weeks before the breach.

Two geolocation bills introduced in Senate

In an effort to prevent government and industry abuse of location data, members of Congress recently announced two federal geolocation privacy bills. The Geolocation Privacy and Surveillance (GPS) Act, introduced by Representative Jason Chaffetz (R-Utah) and Senator Ron Wyden (D-Ore.), would require law enforcement to show probable cause and obtain a warrant to track location through mobile devices.

Addressing the geolocation issue with regard to the entities aggregating the actual data, a bill introduced by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) requires: (1) the express consent of users prior to sharing geolocation data, and (2) the deletion of user geolocation data upon request.

While both bills seek to protect citizens from unwanted physical tracking, they also both rely on the presumption that the geolocation privacy is in fact desired. At least one writer argues that the bills may be undermined by promotions, coupons and other incentives encouraging consumers to make available their personal geolocation data.

Illinois updates and adds teeth to Personal Information Protection Act

An amendment to Illinois’ Personal Information Protection Act (PIPA) has passed both houses and is now awaiting the governor’s approval to become law. The amendment specifies new minimum disclosure notices that data collectors must issue in the event of a breach, and also adds civil penalties for improper disposal of personal information. The new provision requires materials containing personal information to be disposed of “in a manner that renders the personal information unreadable, unusable, and undecipherable.” Furthermore, “any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance policies and procedures” to protect the information throughout the collection and disposal process.

Any person, business or government entity may be subject to a maximum $100 penalty for each individual whose personal information is disposed of in violation of the Act, with the total penalty not to exceed $50,000 per “instance” of improper disposal. Absent from the Act is a definition of what exactly constitutes an “instance.” We will likely have to wait for the first major violation to see how the Illinois Attorney General interprets the statute’s new language.

Help for small business website security

A joint effort among the Department of Homeland Security (DHS), SANS Institute, MITRE, and many top software security experts in the US and Europe has produced a detailed list of software vulnerabilities aimed at helping businesses set up a secure website and judge potential programming errors. While the federal program has been in development for years, the costs of programming oversight has been front page news with recent cyber attacks resulting in the theft of credit card and other personal information. Included in the publicly available research is the Top 25 List of programming errors that have been exploited in many of the recent attacks. For example, the top error is not preventing SQL-injection attacks on websites, an oversight exploited by hacking group LulzSec to retrieve user names and passwords from sites such as FBI’s InfraGard program and NATO’s online bookstore.

There is hope among IT security contractors that this latest guidance by the DHS team will prompt organizations to address the real and growing threat software security poses to their operations.

If you have any questions, please contact one of the following lawyers or any member of the Privacy and Data Protection Team:

Ted Claypoole: (704) 331-4910

Stephanie Shaw: (202) 857-4509

*Special thanks to Summer Associate Dan Tracey for his contributions to this edition of the Privacy Bulletin.

Privacy Bulletin: Issue No. 59

Twitter’s OPT-OUT Confirmations May Violate TCPA

A lawsuit was filed in a California federal court that claims that Twitter violated the Telephone Consumer Protection Act (TCPA). The plaintiffs in this case are asking for class action certification. The suit alleges a violation of the TCPA’s requirement that a consumer give express consent before commercial text messages are sent to a consumer’s phone. Plaintiffs allege that Twitter sent a confirmation text message to them in response to their text messages opting out of receiving further text messages from Twitter. The plaintiffs argue that Twitter’s confirmation message violated the TCPA because it was sent without the plaintiffs’ prior express consent. The plaintiffs argue that their request to opt out of any further text messaging from the defendants revoked any express consent given prior to the opt out. Text message confirmations of a request to opt out of receiving further text messages are relatively standard in the industry. In fact, the Mobile Marketing Association’s U.S. Consumer Best Practices recommends that a confirming message should be sent to the consumer.

These cases could have an impact on companies that use text messaging to communicate with consumers or as a marketing tool. A court resolution of these cases should provide valuable guidance to similarly situated firms in the future.

Senator Introduces Legislation regarding National Standard for Notifications of Data Security breach

The recent rash of security breaches, including those at Sony and Lockheed Martin, have helped to galvanize the focus of the U.S. government towards business practices regarding safeguarding consumer data and notifying the general public about data breaches. Senator Patrick Leahy, a Vermont Democrat, said in a statement: “The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

Senator Leahy introduced a bill, known as the Personal Data Privacy and Security Act of 2011, which would set a national standard for notifying consumers of a data-breach. Senator Leahy summarized the legislation in his press release:

- Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;

- A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;

- An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and

- A requirement that the government ensure sensitive data is protected when the government contracts with third-party contractors.

The current state of the law regarding data breach notification requirements is unclear and difficult to comply with because most states have a slightly different reporting requirement. Robert Holleyman, the president of the Business Software Alliance, urged Congress to pass “a single, national standard to replace the unwieldy state patchwork we have today.” The Business Software Alliance represents software makers.

Co-sponsors of this bill are Senator Chuck Schumer (D-NY), Senator Ben Cardin (D-MD) and Senator Al Franken (D-MN). We will continue to monitor the progress of this legislation through the halls of Congress.

Leahy Introduces Legislation Regarding Email Privacy

Senator Patrick Leahy (D-Vt.) also introduced legislation to update the Electronic Communications Privacy Act (ECPA), a key source of legal protection for email privacy. Leahy was the lead author of ECPA, which was enacted in 1986 to protect the privacy of American’s electronic communications. However, the electronic world has changed dramatically since the law’s enactment and the law may not adequately protect the privacy of individuals in this new world.

Senator Leahy’s bill would require a government agency to obtain a search warrant from a court any time it wants to read an email. Further, Senator Leahy states that this legislation:

- Includes new protections for Americans’ location information that is collected, used or stored by service providers, smartphones and other mobile technologies.

- Includes a provision to enhance the cybersecurity of U.S. computer networks, by allowing service providers to voluntarily disclose content to the government that is pertinent to addressing a cyber-attack involving their computer network.

- Improves law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications, if notification would endanger national security.

Data Breaches

In a new section of our Privacy Bulletin, we will provide information we’ve come across about recent data breaches. The following breaches have been publicized since our last Privacy Bulletin:

- Lockheed Martin confirmed that its information systems network had been attacked by hackers on May 21. The Company does not believe the breach, which was thwarted following detection, resulted in the release of any personally identifiable or other private information from its customers or employees. Lockheed is continuing to investigate the incident, which may be related to a data breach that occurred at RSA Systems in March.

- Hackers breached a European server belonging to the computer manufacturing company Acer the weekend of June 4th. The incident may have compromised the data of approximately 40,000 customers from its Packard Bell unit in Europe.

- In early June 2011, Citigroup announced that during routine monitoring it uncovered that the data of approximately one percent of its 21 million North American credit card customers had been breached. Citigroup noted that its customers' account information (such as name, account number and contact information, including email address) was accessed, but the customers' social security number, date of birth, card expiration date and card security code (CVV) were not compromised. Accordingly, Citigroup does not believe that the data breach revealed sufficient information to perpetrate fraud, but the company will monitor accounts and re-issue credit cards to affected customers.

- On June 8, the International Monetary Fund told staffers that the organization’s computer network was subject to a sophisticated cyberattack. As reported by the New York Times, which cited unnamed IMF officials in its discussion of the significance of the incident, the scope of the attack is still being investigated and its full ramifications are unknown. The IMF has not publicly announced details of the attack, but confirmed an investigation was underway.

- Honda Canada announced in May 2011 that hackers had accessed a Web server that held the 2009 information for about 280,000 of its customers. Officials at Honda said they detected the breach after noticing “an unusual volume of usage in the myHonda and myAcura Websites.” It has been reported that a class action lawsuit, seeking $200 million in damages against Honda was filed in Oshawa, Ontario.

Upcoming Deadlines

HIPAA Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

Interested individuals may submit comments on the Department of Health and Human Services’ Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 Privacy Rules standard for accounting disclosures of protected health information by August 1, 2011 to http://www.regulations.gov/ (search for Proposed Rule). For Womble Carlyle’s coverage on this Notice of Proposed Rulemaking, please review our Client Alert.

Proposed Changes to HIPAA Accounting of Disclosures Provision and Proposed New Access Report Requirement

On May 31, 2011, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule regarding the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) concerning accounting of disclosures of electronic protected health information (“PHI”). The proposed rule contains two main parts: (1) modifications to the existing accounting of disclosures requirements and (2) a new “access report” requirement.

Under this proposed change, covered entities would be responsible for keeping track of which business associates have designated record set information; obtaining such information from business associates and incorporating it into the access report; and aggregating into a single access report all of the electronic designated record set information that covered entities may have in a number of distinct systems that maintain separate access logs. Comments regarding HHS’ proposed rule may be submitted until August 1, 2011.

Click here for a Womble Carlyle Client Alert with more background on this proposed change.

If you have questions regarding this proposed rule, please contact Sarah Crotts or Jill Girardeau.

No Place to Hide: First Amendment Protection for Location Privacy

The place you stand on the earth can speak volumes about you. Are you at home or at work? Are you in a meeting of political radicals or dining at an expensive restaurant? Are you peeking into a neighbor’s window or accepting an award for your contributions to humanity? Are you deep in the woods or lost in a crowd? Given the lack of public discourse on the subject, it seems that most Americans are not concerned about the privacy of their location. But the ability of family, friends, employers and the government to know where you are at any given moment is increasing dramatically with modern technology, and this loss of location privacy is affecting your fundamental rights under the Constitution.

Click here to continue reading...

-- Ted Claypoole