Sedona Conference Primer on Data Privacy - Part 2
Here's a continuation of my outline of the Sedona Conference's Data Privacy Primer, which I last blogged about on January 16, 2017.
IV. GENERAL CONSUMER PROTECTION
A. Federal Privacy Statutes of General Applicability
1. Federal Trade Commission Act
Section 5 authorizes actions against entities that fail to protect consumer privacy and fail to properly secure personal information. E.g., in August 2015, the FTC announced settlements with 13 companies that claimed to be current participants in the now-defunct EU-US Safe Harbor Framework but whose certifications had either lapsed or never been submitted.
2. Children’s Online Privacy Protection Act (COPPA)
Protects PII of children under 13; websites can't collect it.
3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
- prohibits deceptive header information in spam.
- requires method to opt out of further messages.
- For email messages containing sexually oriented material, the first 19 characters on the subject line must be, in all caps and as depicted “SEXUALLY-EXPLICIT:” and that same phrase must also appear when the email is opened.
4. Telemarketing Act
a. prohibits abusive or coercive calls.
b. restricts the hours of the day unsolicited calls may be made.
c. requires prompt disclosure of the purpose of the call.
d. Telemarketing Sales Rule - the FTC can address deceptive telemarketing practices at its discretion. Set up the Do Not Call Registry.
5. Communications Act of 1934
a. Covers Consumer Proprietary Network Information (CPNI) made available by the consumer to the carrier solely by virtue of their relationship; billing information, but not subscriber list information.
b. FCC Declaratory Ruling - CPNI applies to information stored on mobile devices when the carriers have access to that information.
c. Feb. 2015 FCC order - ISPs made common carriers, with privacy and data security protections imposed on them. Can disclose CPNI only to the extent necessary to provide telecommunications services. Regulations also impose customer approval, incident notification, and response requirements. Must notify the FBI of a breach within 7 days.
d. FCC - failure to secure personal information violates a statutory duty. April 2015: $25M civil penalty against AT&T. $7.6M penalty on Verizon for failure to generate opt-out notices.
6. Telephone Consumer Protection Act of 1991
a. Prevents telemarketing to hospitals, nursing homes and emergency lines; prerecorded telemarketing calls to residences; unsolicited ads via fax; making solicitations outside the hours of 8 AM to 9 PM.
b. June 2015 FCC Declaratory Ruling and Order - text messages require consent. Call blocking technology can be used by carriers to prevent robocalls. Some pro-consumer financial and healthcare messages are exempt.
B. State Statutes of General Applicability
1. Disclosure of PII by Non-Governmental Entities
a. California law prohibits including information on a credit report that results from identity theft, and prohibits sharing PII without the customer's consent.
2. Use of Consumer PII for Marketing Purposes
a. California 'Shine the Light' statute - customer right to know how their PII is shared and to opt out.
3. Data Disposal Requirements
California law requires businesses to shred, erase, or modify the PII when disposing of consumer records under their control.
4. Digital Assets After Death
An estate representative can gain access; in Nevada, however, the executor of the person’s estate is only granted authority to terminate the accounts.
5. Children's Online Privacy
California’s Privacy Rights for California Minors in the Digital World Act allows minors to request and obtain the removal of content about them posted on a website or other online application.
6. Breach Notification and Data Security Laws
47 states have laws requiring notification when there is unauthorized access of PII.
1. Overview of HIPAA Privacy and Security Rules
a. Health Insurance Portability and Accountability Act of 1996.
b. HIPAA Privacy Rule of 2000 - prohibits the unauthorized disclosure of protected health information (PHI).
c. HIPAA Security Rule of 2003 - safeguards for the protection of electronic healthcare information. A risk analysis is required.
2. Protected Health Information and De-Identification Standard
a. Safe Harbor Method - removal of all 18 HIPAA identifiers
b. Expert Determination Method - statistical analysis to ensure there is little risk of re-identification.
3. Uses and Disclosures of PHI - the authorization must disclose the use of the information and include a statement regarding the individual's right to revoke the authorization.
a. can be disclosed to HHS for compliance investigation or enforcement action.
b. minimum necessary requirement.
c. exceptions to general requirement for authorization:
1. to individual
2. treatment or payment operations
3. when individual has opportunity to agree or object.
4. public health activities.
5. judicial and administrative proceedings.
6. law enforcement
7. facilitate organ transplants
8. essential government functions.
d. Consent is required before disclosure of PHI for research purposes, but there are exceptions - Institutional Review Board waiver, if the research cannot practicably be conducted otherwise; Limited Data Set, in which indirect identifiers may be used.
4. Notice of Privacy Practices (NPP)
5. Rights of Access, Amendment and Disclosure Accounting
Individuals have a right to an accounting of the disclosures of their PHI to a covered entity’s business associates made in the preceding six years.
6. Administrative Requirements
a. Privacy Officer is responsible for developing policies and procedures.
b. Sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
c. Mitigating any harmful effect that may be caused by an improper use or disclosure of PHI.
7. Breach Notification Under Health Information Technology for Economic and Clinical Health (HITECH) Act
a. HIPAA violation liability is extended to business associates to whom protected health information is disclosed.
b. An impermissible use or disclosure is now presumed to be a breach unless it is shown, based upon a risk assessment, that there is a low probability that the PHI has been compromised.
c. Maximum penalty of $1.5 M per violation.
d. A 2011 audit revealed that the vast majority of covered entities failed to comply with mandatory HIPAA requirements.
e. The HHS Office of Civil Rights enforces HIPAA. E.g., in February 2015, health insurer Anthem suffered a breach involving 80 million current and former members, the largest ever disclosed by a healthcare company, which affected customers of all product lines, including Anthem Blue Cross, and Anthem Blue Cross and Blue Shield. The breach prompted a multi-state insurance regulator investigation and more than 50 putative class action lawsuits.
B. State Laws on Privacy of Health Information
1. Alaska Genetic Privacy Act
DNA samples can't be collected without an individual's informed consent. But the law arguably has no application to routine tests a person could obtain at most doctors’ offices, and has exemptions for law enforcement and paternity testing. The statute has only rarely been invoked.
2. California Confidentiality of Medical Information Act
a. the statute expressly includes “other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”
b. CMIA also expressly permits a psychotherapist to disclose information if he or she believes, in good faith, that “disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a reasonably foreseeable victim or victims, and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.”
c. An affirmative defense is available if the defendant issues notification; there is no medical identity theft; preventive actions were taken to protect the information, including encryption; corrective action was taken; and the recipient did not use the records and returned them promptly.
d. The California Court of Appeals ruled that negligent storage of information does not by itself create a cause of action, and that there is no cause of action if an unauthorized person does not actually view the information.
3. Texas Medical Privacy Act
a. The Texas law broadens HIPAA’s definition of “covered entity” to include any person who “comes into possession” of PHI.
b. The Texas law broadly prohibits the sale of PHI. The only exceptions to the prohibition on receiving direct or indirect remuneration in exchange of a disclosure of PHI are that a covered entity may disclose PHI to another covered entity for the purposes of treatment, payment, health care operations, certain insurance functions defined by statute, or as otherwise authorized or required by state or federal law.
c. No private cause of action by individuals for disclosure.
A. The Gramm-Leach-Bliley Act
1. Overview of GLBA
a. Broke down barriers between financial services entities such as banks and securities firms.
b. Customer [entity with a long-term relationship] / consumer [individual who uses services for personal reasons] distinction.
2. Information Protected by GLBA
“personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.”
3. Obligations of GLBA
a. Safeguards Rule - internal handling of information.
b. Privacy Rule - use and sharing of information.
c. Notification Obligations - customers receive notices automatically when policies are changed, but consumers receive notice only if their information is shared with a third party.
d. Non-affiliated Parties - Section 6802 prohibits sharing of information, with some exceptions such as for marketing purposes, financial services offered through joint agreements, fraud detection, or sharing with regulatory agencies.
e. Model Privacy Form - Section 6804 allows agencies to prepare these forms, which can provide a safe harbor.
4. Relationships with State Regulations
Section 6807 states that no provision of GLBA supersedes any State statute or regulation. The Bureau of Consumer Financial Protection determines whether state regulations are inconsistent with GLBA.
a. California Financial Information Privacy Act - covers consumers who don't have continuous relationships with financial institutions.
5. Rulemaking and Enforcement
a. After the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, the CFPB took over rulemaking from the FTC. The GLBA is enforced by federal banking agencies and other federal regulatory authorities as well as state insurance authorities. The GLBA Privacy Rule is enforced by the FTC.
B. Fair Credit Reporting Act
a. Enacted in 1970 to regulate the consumer reporting industry, such as Equifax, TransUnion, Experian, and others.
2. Duties of Consumer Reporting Agencies
(2) Disclosure [all information in the file]
(3) Investigation [must conduct investigation when consumer questions accuracy]
(4) Free Consumer Reports [at least once a year];
(5) Permissible Uses
i. court order or subpoena
ii. to the person to whom the report pertains
iii. use of the report in connection with extension of credit, employment, insurance underwriting, licensing or conferring of government benefits, or a legitimate business need
iv. capacity to pay child support
v. agency administering a child support plan
vi. to the FDIC or NCUA
c. An individual can opt out of the sharing of information with an affiliate.
3. Furnishers of Information to CRAs
Individuals can dispute the accuracy of information furnished to the CRA, and the furnisher must notify the CRA of the dispute.