Privacy & Data Security Advisory - November 2009

U.S. lawmakers and regulators have long expressed an interest in protecting children online.  Passed over 10 years ago, the federal Children’s Online Privacy Protection Act of 1998 (“COPPA”), establishes strong privacy protections that extend to children under 13.  Over the years, the Federal Trade Commission (“FTC”) has enforced COPPA vigorously, bringing a number of enforcement actions against a range of different companies.  While initial actions resulted in relatively moderate fines, recent cases have resulted in settlements in the $1 million range.

With concerns about the safety and privacy of children online and off continuing to grow, many states are taking their own steps that supplement and, in some cases, go further than federal requirements.  For example, in December 2007, the Texas Attorney General filed three actions against companies that had violated COPPA, marking the first state-based enforcement actions brought under COPPA.  More recently, in June 2009, the state of Maine enacted new legislation that goes further than COPPA in several significant ways.  The new law, An Act to Prevent Predatory Marketing Practices Against Minors (the “Act”),¹ which became effective September 12, 2009, established very strict rules on the collection, receipt and use of personal or health-related information from Maine residents under the age of 18 (“minors”) and/or the marketing of goods or services to minors.  The Act, however, has been challenged on a number of fronts and faces an uncertain future.  On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the statute without prejudice (and entering a stipulated dismissal among the parties) in light of the state government’s representation that Maine will not enforce the statute and the Legislature will reconsider the measure when it reconvenes in January 2010.²

The Act has incredibly broad reach.  It establishes that no entity may collect, receive or use personal or health-related information from a minor for marketing purposes, without first obtaining verifiable parental consent.³  It prohibits the use of any health-related or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.⁴  Such use would constitute predatory marketing under the Act.  In addition, the Act also prohibits anyone from selling, offering for sale or otherwise transferring to another person health-related or personal information about a minor if that information (i) was unlawfully collected pursuant to the Act, (ii) individually identifies the minor, or (iii) will be used in connection with predatory marketing practices as defined by the Act.⁵

The Act defines personal and health-related information rather broadly.  Under the Act, “personal information” means individually identifiable information, including: (i) an individual's first name, or first initial, and last name; (ii) a home or other physical address; (iii) a social security number; (iv) a driver’s license number or state identification card number; and (v) information concerning a minor that is collected in combination with any of the foregoing identifiers.⁶  “Health-related information” is defined as “any information about an individual or a member of the individual’s family relating to health, nutrition, drug or medication use, physical or bodily condition, mental health, medical history, medical insurance coverage or claims, or other similar data.”⁷

The Act goes further than COPPA in many important ways.  First, it applies to children under the age of 18, where COPPA’s coverage is limited to children under 13.  Second, unlike COPPA, which is limited to online activities, the Act applies to the collection, receipt or use of information from a minor whether online or offline.  In addition, and quite significantly, the Act prohibits companies from using personal and/or health-related information of minors to market products or services to minors, even where verifiable parental consent is obtained.

Potential consequences of violations are significant.  However, given recent developments, the enforcement of the Act remains uncertain.  The Act provides for civil fines of (i) no less than $10,000 and no more than $20,000 for a first violation, and (ii) no less than $20,000 for a second or subsequent violation.⁸

Quite significantly, the Act also authorizes civil actions by affected individuals.  Specifically, a person about whom information is unlawfully collected or who is the object of predatory marketing in violation of the Act may bring an action in an appropriate state court for either or both of the following: (i) an injunction to stop the unlawful collection or predatory marketing, and (ii) recovery of actual damages from each violation or up to $250 in statutory damages for each violation, whichever is greater.⁹  The Act also directs the court to award reasonable attorney’s fees and costs.  Similar to the unfair trade practices statutes of many states, for willful or knowing violations, the court may award treble damages. 

A number of commentators have questioned the constitutionality of the Act.  Concerned about the implications of the Act, in late August, a group of online and offline companies, filed a lawsuit alleging that the Act violates the First Amendment and the Commerce Clause of the Constitution, as well as 42 U.S.C. § 1983, and is also preempted by COPPA.¹⁰  Meanwhile, citing constitutional concerns, Maine’s own Attorney General committed not to enforce the Act.¹¹  The stance of the state’s AG was not viewed as sufficient to assuage all concerns, however.  Because the Act does provide for a private right of action, there could still be a risk of civil lawsuits by private parties, including potential class action lawsuits.  In the district court’s Stipulated Order of Dismissal on September 9, 2009, Chief Judge John A. Woodcock Jr. warned that private lawsuits could likely face dismissal, cautioning that “third parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities.”¹²

As noted, Maine’s legislature does not reconvene until January 2010.  Upon the completion of the legislative process, it is quite likely that lawmakers will generate a revised piece of legislation that differs considerably from the Act in its present form.  However, despite the Maine Attorney General’s position and that the district court’s order, the Act remains in effect as written, and, however impractical implementation may be, companies must consider whether their marketing practices are compliant.

The SEC approved a final rule on affiliate marketing, implementing Section 214 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), which amends the Fair Credit Reporting Act. Section 214 of FACTA provides consumers with the right to restrict a person from using certain information obtained from an affiliate to make solicitations to that consumer.  The new rule, which applies to broker‑dealers (other than notice registered broker‑dealers), investment companies and SEC‑registered investment advisers and transfer agents, has a June 1, 2010 compliance date after a recent extension by the SEC.

FACTA required the federal banking regulatory agencies (the “Agencies”), the Federal Trade Commission (the “FTC”) and the SEC, in consultation and coordination with one another, to issue rules on affiliate marketing.  The FTC issued its final affiliate marketing rules on October 30, 2007 (the “FTC Rules”), and the Agencies released joint final rules on November 7, 2007 (the “Joint Rules”).  After submitting rules for comment on July 8, 2004, the SEC recently adopted a final set of rules (“Regulation S-AM”) governing affiliate marketing to be published at 17 CFR 248.101 et seq. 

Regulation S-AM mirrors the requirements that have been introduced by the FTC and the Agencies.  Generally, the rule will require that consumers be provided an opportunity to “opt‑out” before a person or company may use “eligibility information” provided by an affiliated company to market its products or services to the consumer.  Regulation S-AM defines “eligibility information,” by reference to the statute, as any: 

1. report containing information solely as to transactions or experiences between the consumer and the person making the report with communication of that information among persons related by common ownership or affiliated by corporate control; or
2. communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons.

Regulation S-AM does not cover aggregate or blind data that does not contain personal identifiers. 

Regulation S-AM places conditions on the use of certain information received from an affiliate to make a marketing solicitation to a consumer.  It is important to note that what constitutes a marketing solicitation for the purposes of Regulation S-AM is quite different from a solicitation under the securities laws.  Under the definition of “marketing solicitation” under Regulation S‑AM:

• A marketing solicitation generally includes any communication that is based on eligibility information provided by an affiliate, and intended to encourage the consumer to purchase or obtain the product or service. 
• General advertising directed at the general public, such as television, magazine or billboard advertising, is excluded from the definition of marketing solicitation for this purpose. 
• However, other types of marketing, such as educational seminars, customer appreciation events, and similar forms of communication, may be marketing solicitations, and will be evaluated based on the specific facts and circumstances of each occurrence. 

It is important to note that Regulation S-AM does not bar information sharing between affiliates, nor does it bar an affiliate’s use of customer information that it has collected itself in the scope of its business relationship with the customer.  Regulation S-AM does limit the use of shared customer information for marketing purposes.  A covered institution makes a marketing solicitation if it:

• accesses or receives information from an affiliate about a consumer;
• uses that information to identify a target customer or type of consumer, establishes criteria used to select customers, or tailors products offered to a particular customer; and
• provides a marketing solicitation to that identified customer. 

This general prohibition on marketing solicitations applies unless the following three conditions are met:

• it must be clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that the person may use shared eligibility information to make solicitations to the consumer;
• the consumer must be provided a reasonable opportunity and a reasonable and simple method to opt out of the use of that eligibility information to make solicitations to the consumer; and
• the consumer must not have opted out.

The notice must be provided by an affiliate that has an existing business relationship with the customer, or as part of a joint notice from two or more members of an affiliated group of companies, provided that at least one of the affiliates on the joint notice has an existing business relationship with the consumer.  An appendix to the final rule contains model forms that companies may elect to use in order to facilitate compliance with the notice and opt-out requirements of the new rule. 

One notable exception to the general affiliate marketing requirement is the concept of “constructive sharing.”  The SEC noted in the preamble to the final rule that constructive sharing arrangements, where an entity with an established relationship with a consumer uses eligibility information to market products or services on behalf of an affiliated entity, are outside the scope of the affiliate marketing rule.  Under Regulation S-AM, if an entity accesses or receives information from an affiliate about a consumer, uses that information to identify a target customer, and provides a marketing solicitation to that identified customer, the entity would normally have to comply with the opt out rules discussed above.  However, in constructive sharing, the entity with which the consumer has an established relationship can make the solicitation on behalf of the affiliate, and need not provide opt-out notice.  In addition, that entity may direct a service provider to use the entity’s own eligibility information to market products on behalf of an affiliate as well.  The SEC provided the following example of constructive sharing in the release adopting Regulation S-AM: “a broker-dealer that sells investment company shares to a consumer has a preexisting business relationship with the consumer (as does the investment company if the consumer is the record owner of its shares). The broker-dealer may make a marketing solicitation for an investment in an affiliated investment company based on eligibility information the broker-dealer obtained in connection with its pre-existing business relationship with the consumer.”

The SEC rule largely mirrors the substantive provisions of both the FTC Rule and the Joint Rules.  In fact, most of the operating language in Regulation S-AM is the same as the language in the FTC Rule.  Although the FTC Rule has additional and/or different examples and explanations, the requirements are identical.

A minor difference between Regulation S-AM and the Joint Rules and the FTC Rule is that the Joint Rules and the FTC Rule provide that compliance with an example described in the rules constitutes compliance.  The SEC has stated that its examples do not provide the same safe harbor.  The SEC examples in Regulation S-AM are intended to describe the broad outlines of situations illustrating compliance with the applicable rule.  However, the SEC believes that the specific facts and circumstances relating to a particular situation will determine whether compliance with an example constitutes compliance with the rules.

The new federal data breach notification requirements, introduced by the HITECH Act that was part of the American Reinvestment and Recovery Act signed into law by President Obama in February 2009, affect not only “covered entities” (e.g., healthcare providers, insurers and clearinghouses) but also “business associates,” (e.g.,companies that provide services – often, technology services – to such covered entities and have access to protected health information) and vendors of personal health records (“PHR”).

The HITECH Act gave the Department of Health and Human Services (“HHS”) jurisdication over the business associates for the first time, and PHR vendors are subject to the Federal Trade Commission’s jurisdiction for enforcement.  Both HHS and the FTC have published rules on the new breach notification requirement.  Generally, the breach notification rules require companies to notify individuals, the regulators and, in certain cases, the media, when unsecured protected health information is breached.  Both the FTC rule and the HHS rule are now in force.  Both HHS and FTC will assess sanctions for failure to provide the required notice for breaches discovered after February 22, 2010. 

While covered entities and PHR vendors each face their own particular compliance challenges, this article focuses on the compliance strategies for business associates.  Business associates need to act quickly to minimize the risk of being involved in a breach that triggers these new notification requirements, and also must be prepared to respond to any breach in compliance with the HITECH Act.  Business associates should also review the terms of their agreements with covered entities, and their plans for incident response in the event that a breach occurs.

Are you a business associate? 

The term “business associate” was introduced by the Health Insurance Accountability and Portability Act (“HIPAA”).  Generally, it refers to entities that provide certain services to covered entities and, in connection with those services, have access to protected health information.  A wide range of entities can be business associates – the determination depends on the function and level of access to individually identifiable health information rather than the particular industry of the company.

Our company is a business associate to one or more covered entities, what should we be doing now to prepare for these breach notification requirements?

Companies that are business associates should reduce the likelihood that they will be involved with a breach that gives rise to notification requirements under the HITECH Act, applicable state law, and/or the terms of their agreements with covered entities.  Here are several steps that business associates should take now:

If classified as a business associate, ensure that this classification is correct and accurate.  Many companies can feel pressured by their customers to execute business associate agreements whether or not they are indeed business associates.  Before the HITECH Act, there was always a certain level of risk involved with executing business associate agreements, however with the changes being ushered in by the HITECH Act, being a business associate entails a new level of risk.  Executing business associate agreements subject entities  to direct regulation by a federal agency, including enforcement and penalty provisions, and should only be done so if the entity truly meets business associate requirements.

As noted above, business associates are generally companies that provide services on behalf of HIPAA covered entities that involves the use or disclosure of protected health information.  Prior to executing a business associate agreement, companies should ensure that they do meet this definition.  As discussed further below, companies may also be able to restructure their business relationship and the performance of services to eliminate the company’s access to protected health information, and thus potentially eliminate the need for a business associate agreement and the federal regulation that comes with it. Of course, companies will still need to comply with the contractual obligations they have agreed to (whether a business associate or not), but if a company is not a business associate, then the enforcement of those obligations would be under a breach of contract theory by the other party, rather than enforcement by a federal agency, which could be the case if a company is a business associate.

Review executed business associate agreements and be very mindful of new agreements.   Given the changes to HIPAA introduced by the HITECH Act, many covered entities will soon be focusing on renegotiating existing business associate agreements to ensure that the agreements reflect the provisions of the HITECH Act. Business associates are well advised to develop and implement a strategy for negotiating business associate agreements.

Limit protected health information.   All entities, whether or not business associates, can limit their risks by limiting the amount of protected health information that they access, receive and/or possess.  If a business relationship can be structured so that such access is eliminated, or at least minimized, the risk of experiencing a reportable breach or other violations will also be reduced.

Improve security and consider encryption where possible. The new breach notification rules will only apply to information that is “unsecured.”  Business associates are advised to ensure that, to the extent possible, all information is “secured.”  HHS has issued guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals and thus, not, unsecured.  Accordingly, business associates can reduce the odds that they will be involved in a reportable breach, by, to the extent possible, encrypting all protected health information.

Train Employees. Many breaches have resulted from simple employee error. Accordingly, it is essential to ensure that all employees have appropriate training about the company’s policies and procedures for ensuring the privacy and security of all protected health information.

Develop an incident response plan.  Hopefully, there will never be a breach that necessitates a response, however all business associates should plan in advance for a worst case scenario and have a formalized incident response plan in the event of a breach.  The HITECH Act is very specific in terms of the content, timing and format of notices that most be delivered to affected individuals.  Under the regulations, the business associates’ responsibility will be to ensure that the applicable covered entity receives proper notice of the breach without unreasonable delay, but in no event more than 60 days after becoming aware of the breach.  Covered entities likely are going to push for more rapid notice from their business associates.  Any breach response plan must address not only the requirements of the HITECH Act, but also whatever terms have been agreed to with covered entities in the applicable business associate agreements.

*    *    *    *    *

While the regulators have asserted that it will not enforce the breach notification requirements until February 2010, the requirements are now in effect. Accordingly, it is vital that business associates undertake efforts to develop and implement a compliance strategy without further delay.

Preventing and Handling Data Security Breaches
Date:  December 10, 2009
Location:  Boston, MA

Date: January 12, 2010
Location:  Burlington, MA

David Goldstone is a faculty member at this MCLE program that will review the requirements of state and federal data privacy statutes and regulations that call for the development of written security programs to prevent, detect and remediate data security breaches.  

ABA’s 11^th Annual Conference on Emerging Issues in Healthcare Law
Date:  February 17-19, 2010
Location:  Phoenix, Arizona
Jackie Klosek will speak on employer-sponsored wellness programs and privacy issues at this ABA conference that brings together Health Law Section members and leadership and interest groups to exchange ideas and network with colleagues on the most critical issues in the healthcare industry.