© 2011 Akin Gump Strauss Hauer & Feld LLP. All Rights Reserved. Privileged and Confidential.
PRIVACY AND DATA PROTECTION LEGISLATION: THE RISKS AND WHAT CORPORATE COUNSEL NEED TO KNOW
October 5, 2011
Presented by:
- James R. Tucker, Jr., (202) 887-4279, jtucker@akingump.com
- Francine E. Friedman, (202) 887-4143, ffriedman@akingump.com
- Jo-Ellyn Sakowitz Klein, (202) 887-4220, jsklein@akingump.com
- Daniel F. McInnis, (202) 887-4359, dmcinnis@akingump.com
TABLE OF CONTENTS
Presentation: Tab A
Speaker Biographies: Tab B
Appendix: Selected Articles: Tab C
- "Legislative Proposals Compete As Privacy, Data Security, and Breach Notification Continue to Draw the Attention of Federal Policymakers," The Metropolitan Corporate Counsel (September 2011): Page C1
- "High-Profile Breaches Spur Congressional Activity on Privacy, Data Security Policy," BNA Daily Report for Executives (July 2011): Page C3
- "Making Sense of Recent HIPAA Enforcement Activity," The Metropolitan Corporate Counsel (April 2011): Page C9
- "FTC and Commerce Privacy Reports Point to Obama Administration Promoting Privacy Legislation," Privacy and Data Protection Alert (February 2011): Page C11
TAB A: PRESENTATION

Privacy and Data Protection Legislation: The Risks and What Corporate Counsel Need to Know

Agenda
- Congressional Data Security and Privacy Proposals
- Recent Administration Activities Supporting Legislation
- Outlook for Legislative and Regulatory Proposals
- Lessons Learned From HIPAA and HITECH
- Recent FTC Privacy Enforcement and Implications
- Potential Impact on Businesses and Non-profit Organizations
- Steps to Take Now

CONGRESSIONAL DATA SECURITY AND PRIVACY PROPOSALS

Congressional Data Security and Privacy Proposals
- Constant stream of breaches has focused the public and media attention on consumer privacy and data security issues
- Lawmakers feel compelled to respond
- Very few issues have received bipartisan, bicameral attention in the 112th Congress, but privacy and data security are among them
- 18 bills have been introduced by members of both parties, in both chambers, some with bipartisan sponsorship
- At least 17 hearings across four congressional committees in 2011
- Dozens of town halls, policy roundtables, and stakeholder conversations

Legislative Proposals: A Visual Guide
[graphic]

Legislative Proposals: A Timeline
- JANUARY
- FEBRUARY: H.R. 611 (Feb. 10); H.R. 654 (Feb. 11)
- MARCH
- APRIL: Epsilon breach (April 2); S. 799 (April 12); H.R. 1528 (April 13); SSA breach (April 14); iPhone/Android tracking (Apr. 20); Sony breach (April 27)
- MAY: H.R. 1707 (May 4); S. 913 (May 9); H.R. 1841 (May 11); H.R. 1895 (May 13); S. 1011 (May 17)
- JUNE: S. 1151 (June 7); Citi breach (June 9); H.R. 2168/S. 1212 (June 15); S. 1207 (June 15); S. 1223 (June 16)
- JULY: H.R. 2577 (July 18); S. 1408 (July 22); S. 1434 (July 28)
- AUGUST: Congressional Recess
- SEPTEMBER: S. 1535 (Sep. 8); SAIC breach (Sep. 29)

Legislative Proposals: Data Security, Breach Notification
- Sen. Feinstein (D-CA): Data Breach Notification Act of 2011 (S. 1408)
  - Creates new breach notification standards that would be triggered in breaches where there is risk of identity theft, economic loss, or harm to the affected individuals
  - Does not address data security
  - Recently reported out of the Judiciary Committee
- Sen. Leahy (D-VT): Personal Data Privacy and Security Act (S. 1151)
  - Sen. Leahy chairs the Senate Judiciary Committee
  - Calls for businesses to enact security procedures to protect sensitive data
  - Creates new breach notification standards that would be triggered in cases where there is risk of identity theft, economic loss, or harm to the affected individuals
  - Recently reported out of the Judiciary Committee
- Sen. Blumenthal (D-CT): Personal Data Protection and Breach Accountability Act of 2011 (S. 1535)
  - Requires new safeguards for stored information and puts in place new breach notification, breach remedy, and breach investigation standards
  - Recently reported out of the Judiciary Committee

Legislative Proposals: Data Security, Breach Notification
- Sens. Rockefeller (D-WV) and Pryor (D-AR): Data Security and Breach Notification Act of 2011 (S. 1207)
  - Senator Rockefeller chairs the Commerce Committee
  - Requires businesses and non-profit organizations to implement security measures and alert consumers when data has been compromised
  - In the event of a breach, affected individuals would be entitled to free credit monitoring services for two years
  - This bill broadens the definition of covered entities to go beyond businesses, specifically singling out non-profit organizations
- Sens. Carper (D-DE) and Blunt (R-MO): Data Security Act of 2011 (S. 1434)
  - Requires entities that possess sensitive information to build safeguards
  - Enact policies for investigating security breaches and notifying consumers when a substantial risk of identity theft or account fraud exists

Legislative Proposals: Data Security, Breach Notification
- Rep. Bono Mack (R-FL): SAFE Data Act (H.R. 2577)
  - Rep. Bono Mack chairs the Commerce, Manufacturing, and Trade Subcommittee of the House Energy & Commerce Committee
  - Requires notification of consumers and the FTC after a breach is contained and assessed
  - Calls for stronger data security systems
  - Entitles affected individuals to free credit monitoring services for two years
- Rep. Stearns (R-FL): DATA Act of 2011 (H.R. 1841)
  - Requires tighter protections of data storage
  - Creates a standard for notifying affected individuals and government authorities in the event of a breach
- Rep. Rush (D-IL): Data Accountability and Trust Act (H.R. 1707)
  - Mandates stricter data security policies and creates a national standard for breach notification

Legislative Proposals: Privacy
- Sen. Rockefeller (D-WV): Do-Not-Track Online Act of 2011 (S. 913)
  - Gives consumers the ability to opt out of having their online data tracked and stored
  - Goes one step further than other privacy bills by also imposing limits on data collection from mobile devices
- Sens. Kerry (D-MA) and McCain (R-AZ): Commercial Privacy Bill of Rights Act of 2011 (S. 799)
  - Requires opt-out mechanisms for data sharing, as well as opt-in consent for the collection, storage, or sharing of sensitive personal information

Legislative Proposals: Privacy
- Reps. Markey (D-MA) and Barton (R-TX): Do-Not-Track-Kids Act (H.R. 1895)
  - Markey and Barton are Co-Chairs of the Bipartisan Congressional Privacy Caucus
  - Forbids online companies from using personal information for targeted marketing to children under the age of 18
  - Empowers parents to delete their children's digital footprint, and requires parental consent for any data tracking online or on mobile devices
- Rep. Speier (D-CA): Do Not Track Me Online Act of 2011 (H.R. 654)
  - Requires opt-out mechanisms for the collection or use of online and personal data
- Rep. Rush (D-IL): BEST PRACTICES Act (H.R. 611)
  - Requires opt-out mechanisms for data collection and storage, as well as opt-in consent for third-party information sharing
- Rep. Stearns (R-FL): Consumer Privacy Protection Act of 2011 (H.R. 1528)
  - Allows consumers to opt out of having their personally identifiable information shared with third parties
  - This bill broadens the definition of covered entities and specifically singles out 501(c)(3) organizations as covered, in addition to businesses

Legislative Proposals: Mobile Device Privacy
- Sen. Wyden (D-OR) and Rep. Chaffetz (R-UT): Geolocation and Privacy Surveillance (GPS) Act (S. 1212, H.R. 2168)
  - Released as companion bills in the Senate and House
  - Prohibit companies from collecting or sharing geolocation information without the user's express consent
- Sens. Franken (D-MN) and Blumenthal (D-CT): Location Privacy Protection Act of 2011 (S. 1223)
  - Requires any covered entity to offer upfront notice and receive informed consent from users to track their geolocation information
- Sen. Leahy (D-VT): Electronic Communications Privacy Act Amendments Act of 2011 (S. 1011)
  - Enacted in 1986, the ECPA restricts third-party access to private electronic communications, such as online activity and e-mails
  - Leahy's proposal adds geolocation information as a new class of private communications subject to the protections of the ECPA
- Other bills in the works?
  - Recent Senate letter to OnStar, criticizing its geolocation tracking policies

Legislative Proposals: Interplay With Current Law
- Will existing FEDERAL statutes retain jurisdiction where overlap occurs with new privacy legislation? Under most proposals, yes.
  - Family Educational Rights and Privacy Act (FERPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Fair Credit Reporting Act (FCRA)
  - Health Information Technology for Economic and Clinical Health Act (HITECH)
- Will existing STATE statutes retain jurisdiction where overlap occurs with new privacy legislation? Under most proposals, no.
  - Replacing the patchwork of state laws with a single national standard

RECENT ADMINISTRATION ACTIVITIES SUPPORTING LEGISLATION

Recent Administration Activities: Overview
- The Obama Administration is actively engaged in the privacy debate
  - Federal Trade Commission
  - Department of Commerce
  - Interagency Subcommittee on Privacy and Internet Policy
    - 12 departments and agencies participating
    - Goal is to foster consensus in legislative, regulatory, and international internet policy
- Even if Congress fails to act, the Administration and FTC will seek to expand privacy obligations

FTC Privacy Policy Debate & Legislative Focus
- FTC support for current legislative activity
- FTC highly legislatively focused
- December 2010 Interim Staff Report: "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"
  - Three-part focus: (1) Privacy by Design, (2) Choice, (3) Notice & Access
  - Modeled upon fair information practices
  - Controversial "do not track" proposal
  - Huge number of open issues and questions
  - Strong "dissents"/concurrences by Republican commissioners
- Nine FTC appearances before Congress supporting legislation
  - Continued "dissents" by Commissioners Rosch & Kovacic
- Final FTC Staff Report expected late this year

Book-Ends of the FTC Policy Debate
- Comprehensive Reform vs. Learn More
  - Do we want to be more like Europe?
  - Changing technology
  - Rosch has suggested a 6(b) industry-wide study
- FIP vs. Harm-Based
  - Doubts about notice and choice
  - Opt-in/opt-out controversy
  - Benefits of "access"
- Legal mandate vs. self-regulation
  - Do Not Track practical?
  - Do Not Call precedent
  - Industry efforts to meet actual consumer demand for privacy protection

The FTC of the Future: How Might the FTC Change Under Proposed Legislation?
- New Powers
  - APA rule-making, civil penalties, federal court litigation
- New Substance
  - FTC may, in consultation with the Attorney General, issue regulations as it determines necessary to carry out the security breach notification provisions
  - FTC may treat any data security mandate or breach notification violation as an unfair and deceptive trade practice
  - FTC would be required to develop standards for a "Do Not Track" mechanism
  - FTC would be able to promulgate rules (after conducting a study) to require standard destruction methods for paper and non-electronic data
  - FTC would be required to promulgate rules requiring covered entities to enact security measures, provide privacy notices, and obtain opt-in consent for certain disclosures to third parties

Department of Commerce
- December 2010: Internet Policy Task Force green paper, "Commercial Data and Privacy Innovation in the Internet Economy: A Dynamic Policy Framework"
  - Started the conversation, solicited feedback to inform the final report
  - Final report expected in the near term (Democrats in Congress have called on Commerce to act quickly)
- June 2011: Internet Policy Task Force report, "Cybersecurity, Innovation, and the Internet Economy"
  - National standard to minimize data security vulnerabilities on the internet
  - National data breach notification standard
  - Stricter penalties to combat data security threats
  - Increased data security education and research
  - International coordination to create a common standard and share best practices

OUTLOOK FOR LEGISLATIVE AND REGULATORY PROPOSALS

Prospects for Legislative Action: Reasons to Expect Stalemate
- Too many cooks in the kitchen?
  - Multiple Senate and House committees jockeying for jurisdiction
    - Senate Judiciary Committee (Leahy)
      - Subcommittee on Privacy, Technology, and the Law (Franken)
    - Senate Commerce Committee (Rockefeller)
      - Subcommittee on Consumer Protection, Product Safety, and Insurance (Pryor)
      - Subcommittee on Communications, Technology, and the Internet (Kerry)
    - House Judiciary Committee (Lamar Smith)
    - House Energy & Commerce Committee (Upton)
      - Subcommittee on Commerce, Manufacturing, and Trade (Bono Mack)
- 18 bills introduced, and more likely to come
- Congressional paralysis in general

Prospects for Legislative Action: Reasons to Expect Compromise
- Bipartisan and bicameral support exists for new privacy regulations
- Data security and breach notification as potential areas for compromise
  - Industry leaders open to a federal data security and/or breach notification statute
  - Many would prefer a (reasonable) national standard to a patchwork of state laws
- Mutual signals between Congress and the Administration that action is needed
- Pressure from consumer groups
- How many more high-profile breaches before the tipping point is reached?

LESSONS LEARNED FROM HIPAA AND HITECH

When Regulation Happens: Tales from the Health Sector
- HIPAA and its implementing regulations create a complex federal scheme that protects the privacy and security of health information, layered atop more stringent state laws
- Enacted in 1996, HIPAA was implemented through primary rulemakings generally taking effect in 2003 (privacy) and 2005 (security)
- Early focus on voluntary compliance and education
- Initially, enforcement strategy largely complaint-driven
- Changes to the HIPAA regime under the HITECH Act in 2009 dramatically enhanced risks relating to privacy and security
  - Extended reach to more entities
  - Increased penalties
  - New enforcement mechanisms
  - New audits
  - Breach notification requirements
- New Era of Enforcement

HIPAA Core Concepts: Who Needs to Comply?
- Covered Entities
  - Health plans, health care clearinghouses, and certain health care providers are HIPAA covered entities
- Business Associates
  - HIPAA business associates provide services for or on behalf of covered entities, which involve PHI
  - Includes many software vendors and others in the technology space
  - Must enter into a "business associate agreement"
- New under HITECH: Business Associates Treated as Covered Entities
  - In addition to contractual liability, business associates now also face direct liability to regulators for penalties if they fail to comply with HIPAA privacy and security requirements

HIPAA Core Concepts: What Information is Covered?
- HIPAA Protected Health Information
- The HIPAA regulations generally apply to protected health information ("PHI"), which includes any information, whether oral or written, that is:
  - Created or received by a health care provider, health plan, employer, or health care clearinghouse;
  - Relates to the past, present, or future physical or mental health or condition of an individual, the provision of care to an individual, or the past, present or future payment for the provision of health care to an individual; and
  - Identifies the individual (or could reasonably be expected to be used to identify the individual)

HIPAA Privacy Rule
- Core tenet of the HIPAA Privacy Rule
  - Do not use or disclose PHI without authorization, unless you are expressly permitted or required to do so
  - Examples of permitted uses and disclosures: treatment, payment, and healthcare operations ("TPO")
  - Examples of required uses and disclosures: required by law, pursuant to a court order
- Other key concepts
  - Minimum necessary
  - Individual rights

HIPAA Security Rule
- Core Goals of the HIPAA Security Rule
  - Ensure the confidentiality, integrity, and availability of electronic PHI ("ePHI") created, received, maintained, or transmitted by covered entities
  - Protect against reasonably anticipated threats and hazards to the security or integrity of ePHI
  - Protect against reasonably anticipated HIPAA privacy rule violations
- Basic Foundation for Compliance
  - Assessment and management of risk
  - Reasonable and appropriate policies and procedures
- HIPAA Standards and Implementation Specifications
  - Addressable (A) versus Required (R)
  - Not a one-size-fits-all approach
- Administrative, Physical and Technical Safeguards

HITECH Breach Notification Rule
- The HITECH Act created a new federal breach notification requirement
  - HHS Rule: HIPAA Covered Entities and their Business Associates
  - FTC Rule: Vendors of PHRs and certain PHR-related entities
- Establishes an expansive protocol for providing notice when an individual's "unsecured" PHI has been breached
- Depending on the circumstances, breach notification must be provided to individuals, HHS, and/or the media

HHS Breach Notification Rule: "Wall of Shame"
[graphic]

HIPAA and HITECH: Penalties
- Enhanced penalties apply to covered entities (and business associates)
- Civil penalties – $100 to $50,000 for individual violations based on level of intent or neglect; annual maximum of $1.5 million for violations of an identical provision
  - Unknowing violation – $100 to $50,000 per violation
  - Reasonable cause – $1,000 to $50,000 per violation
  - Willful neglect – if corrected, $10,000 to $50,000 per violation
  - Willful neglect – if not corrected, $50,000 per violation
- Criminal penalties – up to $50,000 and a year in prison; the statute specifies this can apply to individuals as well as entities
  - Penalty increases to $100,000 and up to 5 years in prison if the wrongful conduct involves false pretenses
  - Penalty increases to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm

HIPAA and HITECH: Penalties
- All money that the Office for Civil Rights (OCR) receives from settlements and penalties goes straight to OCR's coffers
  - Funds HIPAA and HITECH enforcement, education, and other actions
- Language from HITECH SEC. 13410(c):
  "(1) IN GENERAL—Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act."

HIPAA and HITECH: Federal Enforcement Actions
- Providence Health & Services (2008) ($100,000 settlement)
- CVS (2009) ($2.25M settlement)
- Rite Aid (2010) ($1M settlement)
- Management Services Organization (2010) ($35,000 settlement)
- Cignet Health (2011) ($4.3M penalty)
- Massachusetts General Hospital (2011) ($1M settlement)
- UCLA Health System (2011) ($865,000 settlement)

Case Study: Massachusetts General Hospital Enforcement Action
- In February 2011, Massachusetts General Hospital ("MGH") entered into a Resolution Agreement with HHS requiring it to pay $1 million to settle potential HIPAA privacy rule violations
- The agreement stemmed from the loss of PHI of 192 patients of an MGH infectious disease outpatient practice
- The breach occurred when an employee inadvertently left documents containing patient schedules and billing forms on a subway train while commuting to work
- The documents contained sensitive information, including names, dates of birth, medical record numbers, diagnoses, and health insurance data
- HIV/AIDS patients were among those affected by the breach

Case Study: Massachusetts General Hospital Enforcement Action
- OCR's subsequent investigation revealed that MGH failed to implement reasonable and appropriate safeguards
- In addition to the $1 million payment amount, the Resolution Agreement included a CAP requiring the hospital to:
  - develop and implement policies and procedures on physical removal and transport of PHI, laptop encryption, and USB drive encryption
  - train employees on these policies, and
  - specially designate an internal monitor to conduct assessments of MGH's compliance with the CAP semi-annually for a 3-year period

State Attorney General Actions Under HITECH
- Connecticut was the first state to use HITECH authority to enforce HIPAA
  - Connecticut's Attorney General sued insurer Health Net where unencrypted data containing financial information and medical records of nearly half a million Connecticut enrollees was breached
  - Health Net also failed to provide timely notification of the breach, waiting over five months before alerting insurance commissioners
  - Health Net settled the case, paying $250,000 to Connecticut in damages and a contingent $500,000 payment if it is established that the breached information was used illegally and impacted plan members
- Vermont's Attorney General initiated the second HIPAA enforcement action of its kind, also against Health Net
  - Vermont's complaint arose out of the same breach as the Connecticut case, in which information on 525 Vermont residents was also lost
  - The complaint alleged violations of HIPAA, Vermont's Security Breach Notice Act, and the Consumer Fraud Act
  - Health Net ultimately agreed to a settlement with Vermont for $55,000 for the breach

HITECH Audit Program
- Historically, OCR has investigated potential violations of the HIPAA privacy and security rules based on the receipt of complaints or media reports
- Under the HITECH Act, HHS is required to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA rules
- In June 2011, HHS awarded two major contracts related to conducting HITECH audits pursuant to this statutory requirement
  - Booz Allen Hamilton was awarded a $180,000 contract for "audit candidate identification"
  - KPMG was awarded a $9.2 million contract to develop an audit protocol and conduct privacy and security audits with OCR supervision

Burden of Compliance
- Determine covered entity/business associate status
- Develop and update written policies and procedures
  - Policies and procedures need to be tailored to your organization
  - Policies and procedures should be reevaluated on a regular basis, as well as when specific incidents arise
- Ensure compliance in practice
  - Confirm full compliance with your own policies and procedures through thoughtful internal monitoring and audits
  - Engage in workforce training and revisit sanction policies
- Develop game plans
  - Prepare for state and federal investigations, data breaches, and audits

RECENT FTC PRIVACY ENFORCEMENT AND IMPLICATIONS

FTC Enforcement Focus
- Privacy promises
- Data security
- Specific statutory or trade regulation rule cases
  - COPPA as example
- What we are not seeing
  - No bread-and-butter cases: big data breaches and retailers
  - No identity thieves cases
  - No brick and mortar
  - No non-profits/colleges and universities/government

Notable Privacy Promise Cases
- Twitter (final order)
  - Very lax internal password and email security allowed hackers to twice gain "administrative control" of service and send unauthorized messages
  - Promise to provide reasonable and appropriate security
  - GLB-like Safeguards requirements
- Borders bankruptcy (letter to court from bureau director)
  - Bankruptcy court overseeing liquidation – Privacy Ombudsman
  - Sale of PII to Barnes & Noble possibly contrary to privacy policies?
  - Blocked and then approved this week with 15-day opt-out
Dan
ger o
f inf
lexi
ble
priv
acy
prom
ises
ove
r tim
e
Goo
gle
Buz
z H
eavi
ly c
ritic
ized
roll-
out o
f soc
ial n
etw
ork
serv
ice,
Goo
gle
Buz
zB
asic
issu
e vi
olat
ion
of s
tate
men
ts o
n us
e of
Goo
gle
cust
omer
PII
Pre
cede
nt s
ettin
g in
:Fi
ti
hih
GLB
likli
fid
itht
dt
bh
Firs
t cas
e in
whi
ch G
LB-li
ke re
lief i
mpo
sed
with
out a
dat
a br
each
Firs
t cas
e in
whi
ch s
ubst
antiv
e vi
olat
ion
of U
S-E
U S
afe
Har
bor F
ram
ewor
k al
lege
d
39
Not
able
Dat
aS
ecur
ityC
ases
Not
able
Dat
a S
ecur
ity C
ases
Set
tlem
entO
ne C
redi
t (an
d tw
o re
late
d m
atte
rs)
Cre
dito
r rep
ort c
onso
lidat
or w
hose
cus
tom
ers
wer
e ha
cked
and
cre
dit
repo
rt in
form
atio
n st
olen
Mus
t be
read
in li
ght o
f FC
RA
, GLB
, and
Saf
egua
rds
Rul
e ov
ervi
ewN
oci
vilp
enal
ties
this
time
(Cha
irman
Leib
owitz
and
Com
mis
sion
erB
rill)
No
civi
l pen
altie
s th
is ti
me
(Cha
irman
Lei
bow
itzan
d C
omm
issi
oner
Bril
l)
Cer
idia
nTh
ird-p
arty
ser
vice
s pr
ovid
er fo
r bus
ines
ses
and
empl
oyee
info
rmat
ion.
Pay
roll
and
back
offi
ce –
sens
itive
PII
Aro
und
28,0
00 e
mpl
oyee
reco
rds
hack
ed &
acc
esse
d vi
a S
QL
atta
ckA
llege
d m
ost b
asic
pre
caut
ions
not
take
n fo
r wel
l kno
w &
pre
viou
sly
chal
leng
ed
vuln
erab
ilitie
s
Look
outS
ervi
ces
Look
out S
ervi
ces
Look
out p
rovi
des
imm
igra
tion/
citiz
ensh
ip v
erifi
catio
n su
ppor
t37
,000
con
sum
er fi
les
acce
ssed
by
Look
out e
mpl
oyee
with
out
auth
oriz
atio
n; n
ot c
lear
why
Look
out d
iscl
osed
thro
ugh
brea
ch n
otifi
catio
n le
tters
40
Sta
tuto
ry E
xam
ple:
C
OP
PA
CO
PP
A CO
PP
Aru
le re
view
See
king
com
men
t on
prop
osed
cha
nges
to C
hild
ren’
s O
nlin
e P
rivac
y P
rote
ctio
n R
ule
to a
dapt
to ra
pidl
y ch
angi
ng te
chno
logy
Bro
ader
def
initi
on o
f PI b
ut e
xem
pt in
tera
ctiv
e co
mm
uniti
esM
ore
flexi
bilit
y fo
r par
enta
l con
sent
Saf
egua
rds
for v
endo
rs, l
imite
d re
tent
ion,
and
app
ropr
iate
del
etio
nA
udits
for s
afe
harb
or p
artic
ipan
ts
Bro
ken
Thum
bs A
pps
Firs
tMob
ileA
pps
settl
emen
ton
line
gam
ing
and
soci
alne
twor
kFi
rst M
obile
App
s se
ttlem
ent—
onlin
e ga
min
g an
d so
cial
net
wor
k$5
0,00
0 ci
vil p
enal
ty
Pla
ydom
Onl
ine
virtu
alw
orld
oper
ator
Onl
ine
virtu
al w
orld
ope
rato
rA
llege
d to
hav
e co
llect
ed a
nd d
iscl
osed
PII
of c
hild
ren
unde
r 13
with
out
pare
ntal
con
sent
$3
milli
on c
ivil
pena
lty—
larg
est C
OP
PA
fine
to d
ate
41
Priv
acy
and
Dat
a P
rote
ctio
n Le
gisl
atio
n:
ThR
ik
dW
htC
tC
lNd
tK
The
Ris
ksan
d W
hat C
orpo
rate
Cou
nsel
Nee
d to
Kno
w
Con
gres
sion
al D
ata
Sec
urity
and
Priv
acy
Pro
posa
ls
Rec
ent A
dmin
istra
tion
Act
iviti
es S
uppo
rting
Leg
isla
tion
Of
Out
look
for L
egis
lativ
e an
d R
egul
ator
y P
ropo
sals
Less
ons
Lear
ned
From
HIP
AA
and
HIT
EC
H
Rec
ent F
TC P
rivac
y E
nfor
cem
ent a
nd Im
plic
atio
ns
Pot
entia
lIm
pact
onB
usin
esse
san
dN
onpr
ofit
Org
aniz
atio
nsP
oten
tial I
mpa
cton
Bus
ines
ses
and
Non
-pro
fit O
rgan
izat
ions
Ste
ps to
Tak
e N
ow
42
Pot
entia
l Im
plic
atio
ns:
Wh
tWill
NR
lti
MF
YO
iti
?W
hat W
ill N
ew R
egul
atio
ns M
ean
For Y
our O
rgan
izat
ion?
Litig
atio
n an
d Fi
nanc
ial L
iabi
lity
Aut
horit
y to
brin
g a
civi
l act
ion
Aut
horit
y to
brin
g a
priv
ate
right
of a
ctio
nFr
ee c
redi
t mon
itorin
g or
cre
dit s
core
s to
affe
cted
indi
vidu
als
in th
e ev
ent o
f a b
reac
h
Com
plia
nce
Cos
ts, H
eada
ches
Pro
hibi
tions
aga
inst
sha
ring
info
rmat
ion
with
non
-affi
liate
third
par
ties
Lim
itsto
dura
tion
ofm
aint
aini
ngpe
rson
alin
form
atio
nLi
mits
to d
urat
ion
of m
aint
aini
ng p
erso
nal i
nfor
mat
ion
Ove
rhau
ling
IT n
etw
orks
to “b
uild
in” d
ata
secu
rity
mea
sure
s ra
ther
than
laye
ring
on
new
pat
ches
Per
iodi
c ris
k as
sess
men
ts a
nd e
mpl
oyee
/vol
unte
er tr
aini
ng
Rep
utat
ion
Req
uire
men
ts to
not
ify la
w e
nfor
cem
ent,
affe
cted
indi
vidu
als,
ser
vice
pro
vide
rs,
busi
ness
partn
ers,
and
the
med
iain
case
ofa
brea
chbu
sine
ss p
artn
ers,
and
the
med
ia in
cas
e of
a b
reac
h
43
Priv
acy
and
Dat
a P
rote
ctio
n Le
gisl
atio
n:
ThR
ik
dW
htC
tC
lNd
tK
The
Ris
ksan
d W
hat C
orpo
rate
Cou
nsel
Nee
d to
Kno
w
Con
gres
sion
al D
ata
Sec
urity
and
Priv
acy
Pro
posa
ls
Rec
ent A
dmin
istra
tion
Act
iviti
es S
uppo
rting
Leg
isla
tion
Of
Out
look
for L
egis
lativ
e an
d R
egul
ator
y P
ropo
sals
Less
ons
Lear
ned
From
HIP
AA
and
HIT
EC
H
Rec
ent F
TC P
rivac
y E
nfor
cem
ent a
nd Im
plic
atio
ns
Pot
entia
lIm
pact
onB
usin
esse
san
dN
onpr
ofit
Org
aniz
atio
nsP
oten
tial I
mpa
cton
Bus
ines
ses
and
Non
-pro
fit O
rgan
izat
ions
Ste
ps to
Tak
e N
ow
44
Nex
t Ste
ps:
Wh
tSh
ldC
tC
lDR
iht
N?
Wha
t Sho
uld
Cor
pora
te C
ouns
el D
o R
ight
Now
?
Kno
w y
our f
low
s, a
nd k
now
whi
ch e
xist
ing
priv
acy
and
data
pro
tect
ion
law
s ap
ply
toyo
urbu
sine
ssap
ply
to y
our b
usin
ess
Con
firm
you
r priv
acy
polic
ies
and
proc
edur
es a
re w
ritte
n, u
nder
stan
dabl
e,
and
curr
ent
Eva
luat
epo
licie
san
dpr
oced
ures
vis-
à-vi
sex
istin
gla
wan
din
dust
rybe
stpr
actic
esE
valu
ate
polic
ies
and
proc
edur
es v
is-à
-vis
exi
stin
g la
w a
nd in
dust
ry b
est p
ract
ices
If
your
org
aniz
atio
n do
es n
ot m
eet t
he s
tand
ards
alre
ady
in p
lace
, adj
ustin
g to
mee
t new
re
gula
tions
will
be
that
muc
h m
ore
diffi
cult
Eva
luat
e yo
ur p
olic
ies
and
proc
edur
es v
is-à
-vis
risk
s sp
ecifi
c to
you
r org
aniz
atio
n
Ass
ess
oper
atio
nal c
ompl
ianc
e w
ith w
ritte
n po
licie
s an
d pr
oced
ures
Ass
ign
one
pers
on (o
r a d
esig
nate
d te
am) r
espo
nsib
ility
ove
r priv
acy
and
secu
rity
conc
erns
Trai
n yo
ur w
orkf
orce
on
priv
acy
mat
ters
and
ens
ure
that
all
empl
oyee
s un
ders
tand
the
impo
rtanc
e of
dat
a se
curit
y an
d pr
ivac
yLo
okin
g ah
ead,
it is
impo
rtant
to m
onito
r the
pol
icy
deba
te in
Was
hing
ton
and
toun
ders
tand
how
prop
osal
sca
nim
pact
your
orga
niza
tion
to u
nder
stan
d ho
w p
ropo
sals
can
impa
ct y
our o
rgan
izat
ion
45
SPEAKER BIOGRAPHIES
1
FRANCINE E. FRIEDMAN, Senior Policy Counsel [email protected] Washington, D.C.
T +1 202.887.4143
F +1 202.887.4288
Practice Areas: Public Law and Policy Policy and Regulation Tax Privacy and Data Protection
Francine Friedman brings a decade of government affairs and lobbying experience to the firm. She advises clients on a variety of issues including tax policy, involving housing, energy and new markets tax credits; financial services reform; data security; and energy issues.
Prior to joining Akin Gump, Ms. Friedman was senior vice president of Parven Pomper Strategies (PPS) Inc. and served as counsel in the government relations group at a global law firm.
In 2005, she was an instrumental part in the establishment of the GO Zone housing tax credits after Hurricane Katrina. She has worked with the IRS and Congress to encourage common-sense solutions to regulatory roadblocks impacting rebuilding in the Gulf States. Ms. Friedman has also led efforts to educate Congress on the appropriate point of regulation of natural gas liquids under a cap and trade regime. She has represented numerous client groups and coalitions on a variety of tax credit and tax preference issues with a focus on Section 29 and 45 (energy) and Section 42 (low-income housing) tax credits.
Ms. Friedman began her experience on Capitol Hill as an intern at the Democratic Senate Campaign Committee, working for then-Chairman Sen. John Breaux, D-La. She later played a key role in opening Sen. Dianne Feinstein’s national fundraising office for her 1992 senate race, the first senatorial campaign in which the challenger raised more money than the incumbent.
Ms. Friedman serves on the board of directors of the National Kidney Foundation for the National Capital Area, the Washington Area Lawyers for the Arts and the Capitol Area Reach Program. She has served as pro bono outside general counsel to the Capitol Area Reach Program, and in 2005 was named St. Luke’s House Volunteer of the Year. In 2006, Ms. Friedman was named one of the “Greater Washington Legal Elite” by Washington SmartCEO magazine. She hosted a legal talk show broadcast on several Washington, D.C. radio stations from 2000 through 2009. From 2002 until 2007, she served as a monthly panelist on “Metrotalk,” a local public interest talk show.
Bar Admissions District of Columbia Maryland Virginia
Education J.D. College of William and Mary School of Law, 1999 B.A. Georgetown University, 1995
2
Ms. Friedman received her B.A. in government in 1995 from Georgetown University and her J.D. from William & Mary Law School in 1999. She is admitted to practice in Virginia, Maryland and the District of Columbia.
3
JO-ELLYN SAKOWITZ KLEIN, Senior Counsel [email protected] Washington, D.C.
T +1 202.887.4220
F +1 202.887.4288
Practice Areas: Policy and Regulation Health Industry Privacy and Data Protection
Jo-Ellyn Sakowitz Klein devotes much of her practice to regulatory, transactional and legislative matters affecting the health industry. She also advises clients outside the health care sector that are affected by health care or privacy law and regulation.
Ms. Klein leads the firm's interdisciplinary privacy and data protection initiative. She devotes a substantial portion of her practice to assisting clients from across the spectrum with issues arising under state, federal and international privacy, security and data breach notification laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the American Recovery and Reinvestment Act of 2009 (ARRA), the FTC Red Flags Rule adopted under the Fair and Accurate Credit Transactions Act (FACTA) of 2003, and the Genetic Information Nondiscrimination Act (GINA). She has examined privacy and security issues arising in settings ranging from hospitals to pharmacy chains to clinical research to professional sports.
Representative engagements in this area include—
assisting clients with regulatory compliance questions arising in the course of their day-to-day operations—under the federal HIPAA and GINA regulations as well as under state privacy provisions
evaluating whether contemplated marketing activities comply with federal and state privacy laws
tailoring software license agreements and related transactional documents to address privacy issues
drafting and negotiating targeted business associate agreements that meet the individualized needs of clients—whether they are covered entities, business associates, or downstream agents or subcontractors
assisting clients facing allegations raised by individuals in HIPAA complaints filed with federal regulators
helping clients prepare for and respond to data breaches, including evaluating whether notice of data breach requirements have been triggered and drafting appropriate breach notification correspondence
addressing health information privacy issues arising in the course of litigation and in bankruptcy proceedings
working with clients to identify risks relating to potential FTC enforcement activity, including evaluating whether an entity needs to comply with the FTC’s Red Flags Rule.
Bar Admissions District of Columbia Virginia
Education J.D. Georgetown University Law Center, 1998 A.B. Duke University, 1994
4
Ms. Klein is a frequent speaker on topics relating to the health industry and data privacy issues. Recent speaking engagements include—
“From the FTC to HHS: Making Sense of Recent Enforcement Activity,” IAPP Washington DC KnowledgeNet (September 27, 2011)
“Facebook and Twitter: Legal Liabilities and HIPAA Compliance in Healthcare,” Progressive Healthcare Conferences (February 23, 2011)
“HIPAA Compliance in a HITECH Age,” National Constitution Conferences CLE webcast (October 6, 2010)
“Comprehensive Privacy Legislation: Implications and Concerns for Business and Institutions,” West LegalEdcenter webcast (July 22, 2010)
“Facebook and Health Care Providers: Reaping the Benefits, While Managing the Risks,” Progressive Healthcare Conferences (March 25, 2010)
“New Red Flag Rules for Healthcare Providers: Are You Ready?” Panel convened by Strafford Publications (June 24, 2009 and October 7, 2009)
“Social Networking and Healthcare Providers: Understanding the Risks,” Webinar convened by Strafford Publications (October 22, 2009)
“From HIPAA to ARRA and Beyond: Making Sense of Health Information Privacy and Security Requirements for Community Health Centers,” Texas Association of Community Health Centers' 26th Annual Conference, Dallas (November 2, 2009)
Ms. Klein also assists clients, such as hospital systems, health plans and pharmaceutical companies, with regulatory and policy issues arising under the Medicare and Medicaid programs. She has focused on issues concerning Medicaid programs across the nation.
5
Ms. Klein received her A.B. in public policy studies and a certificate in education from Duke University in 1994. Prior to entering law school, she worked as a policy analyst at the University of California, Office of the President. She received her J.D. in 1998 from the Georgetown University Law Center, where she was an articles editor of The Georgetown Law Journal. Ms. Klein is a member of the Virginia and District of Columbia bars and the American Health Lawyers Association.
6
DANIEL F. MCINNIS, Partner [email protected] Washington, D.C.
T +1 202.887.4359
F +1 202.887.4288
Practice Areas: Antitrust and Unfair Competition Commercial Litigation Class Action Privacy and Data Protection Food and Drug Law Policy and Regulation
Daniel F. McInnis’ practice focuses on antitrust cases and government investigations, consumer protection matters and litigation, and civil lawsuits involving complex issues of federal practice and procedure.
Mr. McInnis principally concentrates on antitrust matters. He has broad experience in antitrust litigation, investigations and counseling. He has represented clients in civil and criminal antitrust litigation in both federal and state courts. He has counseled and represented clients on matters relating to mergers and acquisitions and related investigations by the Department of Justice and the Federal Trade Commission in diverse industries such as supermarket retailing, soft drinks, commodities, oil and gas, and advertising. In addition, he has had significant involvement in antitrust counseling and designing and implementing effective antitrust compliance programs. Mr. McInnis has represented clients in legislative matters involving antitrust law and policy.
Mr. McInnis also focuses on consumer protection investigations and enforcement actions by the Federal Trade Commission’s Bureau of Consumer Protection and by state and local law enforcement officials, including the investigation of companies for deceptive or unfair acts or practices. He has also represented clients in private litigation under state consumer protection statutes and the Lanham Act. Mr. McInnis counsels clients on appropriate advertising and marketing practices.
Mr. McInnis has represented clients, both as plaintiffs and defendants, in a variety of complex civil litigation matters and class actions. His cases have included a variety of federal and state lawsuits involving complex, commercial controversies, at both the trial and appellate levels.
Bar Admissions District of Columbia Virginia
Clerkships U.S.C.A., DC Circuit U.S.C.A., 5th Circuit
Education J.D. Georgetown University Law Center, cum laude, 1994 B.A. Yale University, 1989
7
From 1994 to 1995 Mr. McInnis served as a law clerk for the Honorable Jerry E. Smith of the U.S. Court of Appeals for the 5th Circuit. From 1993 to 1994 he was an extern clerk for the Honorable James L. Buckley of the U.S. Court of Appeals for the D.C. Circuit.
Mr. McInnis received his B.A. in English in 1989 from Yale University and his J.D. cum laude in 1994 from the Georgetown University Law Center, where he was an editor of the Georgetown Law Journal. Prior to attending law school, he was a policy analyst for the Competitive Enterprise Institute, a Washington-based free market think tank. He is active in the ABA’s Section of Antitrust Law, the Federalist Society and the Republican National Lawyers Association. Mr. McInnis is a member of the Virginia and District of Columbia bars.
8
JAMES R. TUCKER, JR., Partner [email protected] Washington, D.C.
T +1 202.887.4279
F +1 202.887.4288
Practice Areas: Climate Change Policy and Regulation Public Law and Policy Privacy and Data Protection
Jamie Tucker has more than 15 years of political and policy experience. He combines this knowledge with a network of government contacts to provide strategic advice to and advocacy on behalf of clients at the federal and state levels.
Prior to joining Akin Gump in 1999, Mr. Tucker served as legislative counsel to Rep. Bob Inglis, R-S.C. In that capacity, he was responsible for advising the congressman on all issues before the House Judiciary Committee. He also served as an aide to former Speaker of the House Newt Gingrich in 1996 and to Sen. Paul D. Coverdell, R-GA, in 1993-94. Mr. Tucker also has significant political experience, having worked on the 2000 and 2004 Bush/Cheney campaigns, the 1996 Dole/Kemp campaign and the 1992 Bush/Quayle campaign. He also served in various capacities at the 2000 and 1992 Republican National Conventions. He has also worked for or volunteered on behalf of a number of Senate and congressional races and is active with the Republican Governors Association.
His practice in the public policy arena spans many disciplines including—
Strategic Advocacy
Mr. Tucker works collaboratively with clients to develop a comprehensive strategy to achieve their public policy objectives, whether they are offensive or defensive in nature. He combines an in-depth knowledge of the policy making process and an extensive network of contacts in Congress and the Administration to achieve results. He has worked effectively on behalf of such clients in the energy, healthcare, technology, telecommunications, transportation and agricultural sectors.
Bar Admissions District of Columbia Georgia
Education J.D. Mercer University Walter F. George School of Law, 1997 B.A. Washington & Lee University, 1992
9
Congressional Investigations
The power of Congress to investigate is as broad as its power to legislate, and organizations engaged in such proceedings are confronted with a unique set of challenges. The legal proceedings involved in congressional investigations are distinct from those in any other forum, and investigations have political and public relations pitfalls as well. Mr. Tucker has helped clients navigate these proceedings while successfully protecting their legal, political and reputational standing.
Federal Marketing and Appropriations
Mr. Tucker works with clients to position themselves to secure federal appropriations and grants for meritorious projects. Competition for these funds is often intense and the process for securing them has grown increasingly complex. Mr. Tucker has a proven track record of working with clients to identify relevant sources of funding, developing compelling proposals to policy makers and navigating the process to ensure that key application and disclosure deadlines are met.
Additionally, he works with clients to maximize opportunities for sales of products and services to federal and state governments. The public sector represents a significant opportunity for companies of all sizes, and Mr. Tucker helps clients navigate the unique and often complex aspects of this market.
Mergers and Acquisitions (M&A) Political Counsel
Mr. Tucker works with companies and investors to identify and minimize the political risks associated with mergers and acquisitions. He has helped develop and execute targeted strategies to condition the environment in which a transaction is reviewed, including deals subject to antitrust review by the Department of Justice (DOJ) or the Federal Trade Commission (FTC) or a national security review by the Committee on Foreign Investment in the United States (CFIUS).
Political Intelligence
Changes in the legislative and regulatory landscape in Washington can have a profound impact on a company’s economic outlook. Mr. Tucker works with corporate managers and investors to identify and analyze the economic implications of policy decisions. He works to provide clients with real-time information and also to identify long-term trends that will impact a company’s or sector’s bottom line.
Grassroots / Stakeholder Advocacy
Mr. Tucker often manages grassroots or stakeholder advocacy campaigns on behalf of clients. Such efforts focus on identifying, educating and mobilizing local and state opinion leaders in support of a policy objective. This may involve providing community support for or opposition to a regulatory filing or legislative proposal or simply advancing an organization’s broader community relations objectives.
10
Local Counsel Management
Legislative or regulatory issues will often play out across multiple venues and jurisdictions simultaneously. Mr. Tucker works with clients to ensure that their positions are well positioned by identifying local counsel suited to the issue and coordinating messaging so that the client maintains a unified approach.
Mr. Tucker received his J.D. in 1997 from Mercer University, where he was presented the award for Outstanding Achievement in Legal Writing and his B.A. in politics in 1992 from Washington and Lee University. He is a member of the District of Columbia and Georgia bars.
APPENDIX:
SELECTED ARTICLES
Corporate CounselThe Metropo l i tan
Volume 19, No. 9 © 2011 The Metropolitan Corporate Counsel, Inc. September 2011
®
The Obama administration and Con-gress view regulations regarding privacy,data security and breach notification asareas where bipartisan agreement may bepossible. Well over a dozen bills havebeen introduced this year alone, and fed-eral agencies ranging from the FederalTrade Commission and the Departmentof Commerce to the Department ofHomeland Security and the Departmentof Justice have added their input to thedebate.
New proposals would change how
data is collected, stored and used. Theypertain to three areas that often overlap:online and point-of-sale privacy, mobiledevice and geolocation privacy, and datasecurity and breach notification. Thescope of recent proposals is sufficientlybroad that a range of industries and sec-tors would be directly impacted. Retail-ers, website operators, banks, largeemployers, data brokers, online mar-keters, law enforcement, credit reportingagencies, nonprofit organizations and
many other entities need to prepare forthe possibility of new regulations.
Array Of Online And Point-Of-SalePrivacy Bills Introduced
Six bills pertain primarily to onlineand point-of-sale privacy. These billsimpose new standards on the collection,use and sharing of consumer information.Key proposals include:
• Rep. Jackie Speier (D-CA): Do NotTrack Me Online Act of 2011 (H.R. 654).This bill requires opt-out mechanisms forthe collection or use of online and per-sonal data.
• Sens. John Kerry (D-MA) and JohnMcCain (R-AZ): Commercial PrivacyBill of Rights Act of 2011 (S. 799). Thisbill requires opt-out mechanisms for datasharing, as well as opt-in consent for thecollection, storage or sharing of sensitivepersonal information.
• Rep. Bobby Rush (D-IL): BESTPRACTICES Act (H.R. 611). This bill issimilar in structure to the Kerry-McCainproposal. It calls for opt-out mechanismsfor data collection and storage, as well asopt-in consent for third-party informationsharing.
Legislative Proposals Compete As Privacy, Data Security, And Breach Notification Continue To Draw The Attention Of Federal Policymakers
www.metrocorpcounsel.com
Please email the authors at [email protected],[email protected], [email protected] and
[email protected] with questions about this article.
Francine E. Friedman, Jo-Ellyn Sakowitz Klein, JamesR. Tucker Jr. and Kristofer A.
Ekdahl
AKIN GUMP STRAUSS HAUER &FELD LLP
Jo-EllynSakowitz Klein
Francine E.Friedman
James R.Tucker Jr.
Kristofer A.Ekdahl
Francine E. Friedman is Senior PolicyCounsel in Akin Gump’s privacy anddata protection practice and has adecade of government affairs and lobby-ing experience. She advises clients on avariety of issues including tax policyinvolving housing, energy and new mar-kets tax credits; financial servicesreform; data security; and energy issues.Jo-Ellyn Sakowitz Klein is Senior Coun-sel and leads the firm’s interdisciplinaryprivacy and data protection initiative.She devotes much of her practice to reg-ulatory, transactional and legislativematters affecting the health industry. She
also advises clients outside the health-care sector that are affected by health-care or privacy law and regulation.James R. Tucker Jr. is a Partner in thefirm’s data privacy and data protectionpractice and has 15 years of political andpolicy experience. He combines thisknowledge with a network of governmentcontacts to provide strategic advice toand advocacy on behalf of clients at thefederal and state levels. Kristofer A.Ekdahl is a Senior Public Policy Spe-cialist. All authors are resident in thefirm’s Washington, DC office.
C1
Volume 19, No. 9 © 2011 The Metropolitan Corporate Counsel, Inc. September 2011
Leahy chairs the Judiciary Committeeand has been active in privacy debates.Enacted in 1986, the ECPA restrictsthird-party access to private electroniccommunications, such as online activityand e-mails. Because the ECPA does notcover GPS-based information, Leahy’sproposal adds geolocation information asa new class of private communicationssubject to the protections of the ECPA.
Data Security And BreachNotification Bills Gaining TractionSeven bills have been introduced that
primarily focus on data security andbreach notification. These bills requireentities that collect or store data to imple-ment safeguards to protect data and cre-ate a standard for notifying governmentagencies and consumers if an organiza-tion’s files are breached. Key proposalsinclude:
• Rep. Mary Bono Mack (R-FL):SAFE Data Act (H.R. 2577). As chair ofthe Commerce, Manufacturing, andTrade Subcommittee, Bono Mack is oneof the key leaders in the House. Her pro-posal requires businesses to notify con-sumers and the FTC after a breach iscontained and assessed. It also calls fordata minimization and stronger security,and it would entitle affected individualsto free credit monitoring services for twoyears.
• Sens. Rockefeller and Mark Pryor(D-AR): Data Security and Breach Noti-fication Act of 2011 (S. 1207). This billrequires businesses and nonprofit organi-zations that store personal information toimplement reasonable security measuresand alert consumers when their data hasbeen compromised. In the event of abreach, affected individuals would beentitled to free credit monitoring servicesfor two years.
• Sen. Leahy: Personal Data Privacyand Security Act (S. 1151). This bill issimilar to bills he has introduced in pre-vious Congresses. His proposal calls forbusinesses to enact security proceduresto protect sensitive data, and it creates afederal standard for notifying appropriateparties in the event of a breach.
• Sens. Tom Carper (D-DE) and RoyBlunt (R-MO): Data Security Act of2011 (S. 1434). This bill requires entitiesthat possess sensitive information to
• Rep. Cliff Stearns (R-FL): Con-sumer Privacy Protection Act of 2011(H.R. 1528). This bill allows consumersto opt out of having their personally iden-tifiable information shared with thirdparties.
• Sen. John Rockefeller (D-WV):Do-Not-Track Online Act of 2011 (S.913). As chair of the Commerce Com-mittee, Sen. Rockefeller will play a cen-tral role in shaping Senate privacyproposals. His bill gives consumers theability to opt out of having their onlinedata tracked and stored. His proposalgoes one step further than the aforemen-tioned privacy bills by also imposinglimits on data collection from mobiledevices.
• Reps. Ed Markey (D-MA) and JoeBarton (R-TX): Do-Not-Track-Kids Act(H.R. 1895). Markey and Barton are co-chairs of the congressional Bi-PartisanPrivacy Caucus. Their proposal forbidsonline companies from using personalinformation for targeted marketing tochildren, empowers parents to deletetheir children’s digital footprint andrequires parental consent for any datatracking online or on mobile devices.
Mobile Privacy And Geolocation BillsBecoming More Common
While the Rockefeller and Barton-Markey proposals touch on many aspectsof consumer privacy, including mobileprivacy, a second group of bills focusessolely on mobile devices. These billsrestrict the collection and sharing ofgeolocation data. Key proposals include:
• Sen. Ron Wyden (D-OR) and Rep.Jason Chaffetz (R-UT): Geolocation andPrivacy Surveillance (GPS) Act (S. 1212,H.R. 2168). Released as companion billsin the Senate and House, these bills pro-hibit companies from collecting or shar-ing geolocation information without theuser’s express consent.
• Sens. Al Franken (D-MN) andRichard Blumenthal (D-CT): LocationPrivacy Protection Act of 2011 (S. 1223).This bill requires any covered entity tooffer up-front notice and receiveinformed consent from users to tracktheir geolocation information.
• Sen. Patrick Leahy (D-VT): Elec-tronic Communications Privacy ActAmendments Act of 2011 (S. 1011). Sen.
build safeguards, as well as to enact policies for investigating security breaches and notifying consumers when a substantial risk of identity theft or account fraud exists.
• Sen. Dianne Feinstein (D-CA): Data Breach Notification Act of 2011 (S. 1408). Unlike some other proposals in this category, this bill only applies to breach notification standards. This is the fifth consecutive session of Congress in which Sen. Feinstein has introduced a breach notification bill.
• Rep. Rush: Data Accountability and Trust Act (H.R. 1707). This bill mandates stricter data security policies and creates a national standard for breach notification.
• Rep. Stearns: DATA Act of 2011 (H.R. 1841). Stearns’ security and breach notification bill is similar to Rush’s in its call for tighter protections of data storage and a standard for notifying affected individuals and government authorities in the event of a breach.
Despite Obstacles, New Regulations May Still Be Implemented
A highly partisan atmosphere certainly clouds the prospects for congressional approval of new data security and privacy regulations. Moreover, the sheer number of bills complicates attempts to build a coalition behind a single proposal, and congressional committees continue to jockey for their claim to jurisdiction over these issues. Yet, given the loud drumbeat from privacy advocates and the seemingly incessant revelations of high-profile breaches, policymakers will continue to push forward in the areas of privacy, data security and breach notification regulations. Even in the absence of meaningful congressional action, the Obama administration may opt to enact its own changes based on its existing regulatory authority. The realm of consumer privacy and data security in the digital era is fast-evolving, and as federal policymakers try to keep pace, much is at stake for everyone involved.
Portions of this article originally appeared in BNA Daily Report for Executives, 139 DER B-1, 7/20/11, copyright 2011, and are reproduced with permission of The Bureau of National Affairs, Inc. (800-372-1033), http://www.bna.com.
Reproduced with permission from Daily Report for Executives (139 DER B-1, 7/20/11), 07/20/2011. Copyright © 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
Privacy
Data security and consumer privacy issues are gaining traction in Washington and the interest may yield a new regulatory framework, write Francine Friedman, Jamie Tucker, Jo-Ellyn Sakowitz Klein, and Kris Ekdahl of Akin Gump Strauss Hauer & Feld LLP. More than a dozen bills have been introduced this year, and the Federal Trade Commission and Department of Commerce have published their own recommendations. Covered entities should establish privacy and security policies, assess risks and assign oversight, and prepare workforces for future changes.
High-Profile Breaches Spur Congressional Activity on Privacy, Data Security Policy
BY FRANCINE FRIEDMAN, JAMIE TUCKER, JO-ELLYN SAKOWITZ KLEIN, AND KRIS EKDAHL
With a Republican-controlled House opposite a Democratic-controlled Senate, and presidential and congressional elections looming in less than sixteen months, few proposals of significance are capable of advancing to become law. Data security and consumer privacy, however, are hot-button issues that are gaining traction and may yield consensus for a new regulatory framework. Bipartisan and bicameral support exists in Congress for updated data security and privacy laws, and the Obama administration is actively engaged. New regulations could directly impact any entity that collects, stores, or shares data on a large scale. Data brokers, online marketers, advertising agencies, ad networks, retailers, banks and other financial services companies, media and publishing companies, automobile manufacturers, mobile application developers, companies selling consumer packaged goods, law enforcement, web browsers, large employers, website operators, credit reporting agencies, and nonprofit organizations (including universities) need to be aware of these policy debates and prepare for the possibility of new regulation in the near future.
A string of high-profile incidents has accelerated the drumbeat in Washington for increased regulation. Major corporations and even government entities have fallen victim to large-scale data breaches, and many mobile devices have been discovered to allow tracking and recording of users’ locations (97 DER A-28, 5/19/11). Names, birth dates, Social Security numbers, e-mail addresses, passwords, locations, and even credit or debit card numbers increasingly seem at risk, fueling the anger of privacy watchdogs and galvanizing policymakers (85 DER A-3, 5/3/11).
COPYRIGHT © 2011 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 0148-8155
Daily Report for Executives
Congress, Administration Respond to Breaches
Congress and federal agencies have scrambled to respond to privacy advocates’ outcry for increased regulation. More than a dozen bills have been introduced this year, and the Federal Trade Commission (FTC) and Department of Commerce have published their own recommendations.
The proposals pertain to three areas that often overlap: online and point-of-sale privacy, mobile device privacy, and data security and breach notification. The scope of the various proposals is sufficiently broad that if enacted in part or in full, entities across the spectrum would be impacted.
With so much at stake, this is a critical moment for covered entities to educate themselves and consider adding their voices to the policy debate in Washington, D.C. Moreover, now is an ideal time for these groups to assess their privacy and security procedures to ensure compliance with legal and industry best practices frameworks currently in place on both the national and state levels.
This article will help covered entities navigate the evolving consumer privacy debate. An analysis is set forth of key pending regulatory proposals in Congress and the federal agencies, the practical implications of proposed regulations, how these proposals might interact with existing law, and what companies and nonprofit organizations should do today to comply with the complicated patchwork of privacy regulations currently in place.
Bills on Consumer Privacy, Data Security
Recent proposals pertain to three general topics. First, consumer privacy bills seek to help consumers control what personal information is collected, used, stored, or shared based on their online and point-of-sale behavior. Second, mobile privacy bills seek to help consumers take control of what information is collected, used, stored, or shared based on their mobile device usage and their geolocation footprint. Third, data security and breach notification bills seek to implement new protocols for protecting data and to create a national standard for notifying affected individuals and government agencies when a breach has occurred. Some of the proposals under discussion by policymakers span more than one of these categories.
Various Approaches to Privacy Issues
Six bills have been introduced this year that pertain primarily to online and point-of-sale privacy. By browsing the internet or making purchases at a store, consumers reveal valuable information that is used to build user profiles based on their location, their tastes and interests, their contact information, and perhaps even their debit or credit card numbers. This data can be very valuable for behavioral marketers, which is why the practice of collecting and selling consumer data has grown so rapidly.
Privacy bills seek to change how consumer information is collected, stored, used, and shared, and what consumers are told about these practices. Bills regarding data collection call for opt-out or opt-in mechanisms that require express consent from the consumer before any personal information can be collected. Bills addressing data storage place new limits on the scope and duration of data retention and also impose new security procedures to safeguard information. Bills regarding data use and data sharing impose limits on the purposes for which data may be used, restrict with whom a data collector (e.g., a retailer) can share information, and set new standards for whether consumer consent or notification is necessary before information can be used in certain ways or shared with a third party.
Each of the privacy-focused bills differs slightly, but the above themes generally characterize this group of proposals. Key privacy proposals include:
• Rep. Jackie Speier (D-Calif.): Do Not Track Me Online Act of 2011 (H.R. 654). This bill would require opt-out mechanisms for the collection or use of online and personal data (30 DER A-6, 2/14/11).
• Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.): Commercial Privacy Bill of Rights Act of 2011 (S. 799). This bill would require opt-out mechanisms for data use or sharing, as well as opt-in consent for the collection, storage, or sharing of sensitive personal information (126 DER A-15, 6/30/11).
• Rep. Bobby Rush (D-Ill.): BEST PRACTICES Act (H.R. 611). This bill is similar in structure to the Kerry-McCain proposal. It calls for opt-out mechanisms for data collection and storage, as well as opt-in consent for certain third-party information sharing.
• Rep. Cliff Stearns (R-Fla.): Consumer Privacy Protection Act of 2011 (H.R. 1528). This bill would allow consumers to opt out of having their personally identifiable information shared with third parties (94 DER A-2, 5/16/11).
• Sen. John D. Rockefeller IV (D-W.Va.): Do-Not-Track Online Act of 2011 (S. 913). As Chairman of the Senate Commerce Committee, Senator Rockefeller will play a central role in shaping Senate proposals on privacy and data security (90 DER A-15, 5/10/11). His bill would give consumers the ability to opt out of having their online data tracked and stored. Rockefeller’s proposal would go one step further than the aforementioned privacy bills by also imposing limits on data collection from mobile devices.
• Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas): Do-Not-Track-Kids Act (H.R. 1895). Markey and Barton are co-chairmen of the Bipartisan Congressional Privacy Caucus. Their proposal would forbid online companies from using personal information for targeted marketing to children, would empower parents to delete their children’s digital footprint, and would require parental consent for any data tracking online or on mobile devices (94 DER A-12, 5/16/11).
Mobile Device Privacy Getting Attention
While the Rockefeller and Barton-Markey proposals touch on many aspects of consumer privacy, including mobile privacy, a separate group of bills focuses solely on mobile devices. When users access GPS-enabled applications on their cell phones, smartphones, and tablet devices, they leave a valuable virtual trail of breadcrumbs that can be used to reveal their present or past locations.
Proposals in this area seek to restrict the collection and sharing of geolocation data. The key proposals include:
• Sen. Ron Wyden (D-Ore.) and Rep. Jason Chaffetz (R-Utah): Geolocation and Privacy Surveillance (GPS) Act (S. 1212, H.R. 2168). Released as companion bills in the Senate and House, these bills would prohibit companies from collecting or sharing geolocation information without the user’s express consent (116 DER A-26, 6/16/11).
• Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.): Location Privacy Protection Act of 2011 (S. 1223). This bill would require any covered entity to offer upfront notice and receive informed consent from users to track their geolocation information (116 DER A-16, 6/16/11).
• Sen. Patrick Leahy (D-Vt.): Electronic Communications Privacy Act (ECPA) Amendments Act of 2011 (S. 1011). Senator Leahy is the Chairman of the Judiciary Committee and has been active in many aspects of the privacy debate. Enacted in 1986, the ECPA restricts third-party access to private electronic communications, such as online activity and e-mails. Because the ECPA does not cover GPS-based information, Leahy proposed this update to add geolocation information as a new class of private communications subject to the protections of the ECPA (96 DER A-22, 5/18/11).
Data Security, Breach Notification
Five proposals that primarily focus on data security and breach notification have been introduced in the 112th Congress. The aim of these bills is to require entities that collect or store data to take steps to prevent nefarious actors from accessing personal information and to create a standard for notifying government agencies and consumers if an organization’s data is breached. Like some of the privacy bills discussed earlier, these proposals usually incorporate limits on the scope and duration of data storage, under the theory that if less data is stored, less data is at risk. However, security and notification bills impose additional regulations. First, they mandate security policies to prevent unauthorized third-party access to data. Second, they lay out procedures and time frames to alert affected individuals and government agencies when a data breach has occurred. Third, many of these bills require third-party data brokers to allow consumers to view their information and correct any errors.
The key bills in this area include:
• Sens. Rockefeller and Mark Pryor (D-Ark.): Data Security and Breach Notification Act of 2011 (S. 1207). This bill requires businesses and nonprofit organizations that store personal information to implement reasonable security measures and alert consumers when their data has been compromised; in the event of a breach, affected individuals would be entitled to free credit monitoring services for two years (116 DER A-23, 6/16/11).
• Leahy: Personal Data Privacy and Security Act (S. 1151). This bill is similar to bills Leahy has introduced in previous Congresses. His proposal calls for businesses to enact security procedures to protect sensitive data, and it would create a federal standard for notifying appropriate parties of a breach (111 DER A-7, 6/9/11).
• Bono Mack (R-Calif.): SAFE Data Act draft proposal. As chair of the Commerce, Manufacturing, and Trade Subcommittee, Bono Mack is one of the key leaders in the House. Her proposal requires businesses to notify consumers and the FTC within 48 hours of containing and assessing a breach. It also calls for data minimization, stronger security, and, like the Rockefeller-Pryor proposal, would entitle affected individuals to free credit monitoring services for two years (114 DER A-15, 6/14/11).
• Rush: Data Accountability and Trust Act (H.R. 1707). This bill mandates stricter data security policies and creates a national standard for breach notification (89 DER A-2, 5/9/11).
• Stearns: DATA Act of 2011 (H.R. 1841). Stearns’ data security and breach bill is similar to Rep. Rush’s in its call for tighter protections of data storage systems, in addition to setting a standard for notifying affected individuals and government authorities in the event of a breach (94 DER A-2, 5/16/11).
Administration May Push Forward
Given the plethora of bills and hearings on the topics of privacy and data security, Congress has clearly indicated its interest in passing new legislation this year. The sheer number of competing proposals and the potential for jurisdictional battles in Congress, however, complicates the path to overhauling privacy and data security laws. The legislative process is unpredictable and can be significantly influenced by external events, including data breaches and coverage of new and expanded uses of data. It is more likely that privacy advocates and industry can coalesce around a data breach notification proposal than agree on how to regulate the collection, use, and sharing of consumer information. It is noteworthy that business leaders recently testified before Bono Mack’s subcommittee that they would support reasonable federal breach notification regulations.
The Obama administration is preparing its own blueprint for consumer privacy and data security in the event that Congress is unable to pass a meaningful bill. A White House cybersecurity proposal has been the subject of several hearings on Capitol Hill. While the administration’s cybersecurity proposal primarily pertains to securing critical infrastructure against cyber attacks, it also calls for a national standard for breach notification.
Additionally, the FTC and the Department of Commerce have issued their own recommendations addressing online and point-of-sale privacy, mobile device privacy, data security, and breach notification. Core goals of the comprehensive FTC and Commerce plans include limits on what information can be collected and how long it can be stored, privacy policies that are shorter and simpler, persistent do-not-track preferences that follow a user from website to website, more transparency on the part of data collectors, and requiring companies to build security and privacy measures into products rather than layering on features as an afterthought. In the absence of meaningful congressional action on these points, it is possible that one or both agencies may utilize regulatory tools under their existing authority, such as rulemaking, enforcement actions, and issuing guidance. Action along these lines could be undertaken without an act of Congress.
Possible Impact of Increased Regulation
Congress and the administration are debating wide-ranging changes, and consequently the effects could touch nearly every consumer, business, and nonprofit organization in the country, either directly or indirectly. For instance, data privacy regulations, as currently envisioned in “do not track” and geolocation proposals, would significantly change operations for entities that purchase consumer information for behavioral marketing purposes. Third-party purchasers would be affected by stricter privacy regulations because they rely on the personal data that point-of-contact entities collect. New standards could change the advertising landscape online, on mobile phones, and on the ground because data privacy and geolocation bills could curtail data-driven, targeted marketing. Under many of the proposals, retailers, strategic advertising companies, and websites that host personalized ads would likely have a diminished ability to tailor and target their outreach to potential customers.
Practical Implications Could Be Far-Reaching
The true breadth of the new proposals is revealed by looking at the wide range of covered entities that could be affected.
The list includes browsers, ad networks, retailers, content websites, consumer research groups and data brokers, mobile network providers, mobile application developers, financial institutions, universities, nonprofit organizations, employers, and any other entity that collects and stores large amounts of personal information. If proposed online or point-of-sale privacy and geolocation regulations are adopted, this diverse group of covered entities would be limited in its ability to collect, store, use, or share consumer information. If data security and breach notification proposals are adopted, covered entities would be compelled to adhere to specific methods for storing consumer information and responding to breaches.
Practically speaking, new privacy regulations would create significant hurdles to sharing information, which would cause a substantial reduction in the information trade. With stricter privacy or geolocation restrictions, data collectors (e.g., a newspaper website or a mobile “app” provider):
• would collect less useful information about consumer preferences and interests;
• would be permitted to retain that information for a shorter duration than ever before; and
• may no longer be able to share the more relevant information with outside entities.
As a result, third parties will be less inclined to pay such a high premium for less robust consumer data files.
For example, advertisers strive to place their promotions in front of only those people who fit their profile of a likely customer. It can be more profitable to target 10 likely buyers than to broadcast to a random cross-section of 1,000 people. The information profiles that data collectors build and sell are what enable such targeted, high-yield, efficient marketing. If consumer profiles are no longer robust and insightful, they are no longer valuable.
The end result may lead to less data collector revenue from data sales, an impersonal user experience for consumers, lower yields on each advertising dollar spent, and ultimately a shift in the behavioral advertising business model. Web services that were sustained by advertising revenue may either go out of business or begin charging users for previously-gratis services. Free mobile “apps” that collected valuable GPS information may no longer be available. And Internet users will still see the same quantity of advertisements (if not more), but those ads will be less relevant to users’ interests or needs.
Moreover, new breach notification regulations could have implications for consumer confidence, the reputations of breached entities, and internal investigations. If new rules lower the threshold at which a breach must be reported (in terms of the size or sensitivity of the data compromised), more breaches should be disclosed. Consumers who receive too many breach notifications that do not affect them may be lulled into complacency and not take proper action when a true risk is identified.
Possible Impact on Industry, Consumers
An increase in breach reporting can also undermine consumer confidence in institutions that store sensitive information, as a group. Whether or not a particular organization suffered a breach, the mere fact that a similar organization suffered one breach can have a corrosive effect on the universe as a whole. And for the entities that actually fall victim to a breach, the impact of negative publicity can be devastating. In either scenario, it is plausible that growing numbers of people would avoid sharing personal information with any outside entity. In the case of nonprofit organizations, that would mean fewer people contributing. In the case of businesses, that would mean fewer customers.
Regarding internal investigations after a breach, a quick notification deadline would give the breached entity very little time to conduct an internal review before the firestorm of journalists, government investigators, and angry customers make such a review infinitely more complicated. As a result, the organization may not be able to spot its vulnerabilities as quickly, leaving it susceptible to repeated attacks.
If implemented, these proposals would also translate into increased compliance costs and technical hurdles for both businesses and nonprofit organizations. Implementing new security features can be expensive and may necessitate an overhaul of computer systems, including migrating massive amounts of data from one platform to another. Not only that, but detailed security requirements may perversely increase the threat of breaches by providing would-be hackers with a road map of network security features. Potential complications arise with the privacy and geolocation proposals, as well. Deleting consumer data logs poses technical challenges if that data is stored on a “cloud” or on multiple networks. Adding opt-out or opt-in consents into every application would be cumbersome for data collectors, and such requirements would certainly reduce the number of consumers sharing their information.
Reasonable Uniform Breach Notification
For all of the implications that may be received negatively by data collectors and third party purchasers, one aspect of data security reform might be embraced by covered entities. Assuming strong state law preemption, a new federal standard would replace a disparate patchwork of state laws governing data security and breach notification. Generally speaking, reasonable uniform compliance requirements would be a welcome development for many organizations operating across state borders. In the realm of data security, a uniform federal standard may be palatable because complying with multiple state laws is untenable. Moreover, many organizations already have a strong self-interest in bolstering their internal security measures; therefore, a single federal security guideline could be welcomed by industry.
Considering Interplay With Existing Laws
One final item that covered entities need to monitor in the ongoing privacy debate is how new regulations might interplay with existing data security and privacy laws. The Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA) are some of the key federal privacy laws currently under enforcement.
Not all of the recent proposals mention existing federal statutes, but those that do (e.g., Leahy’s data breach bill, Bono Mack’s breach draft, and Stearns’ privacy bill) indicate that existing statutes will trump the new proposals wherever overlap occurs. That may indicate Congress is likely to leave existing federal regimes like HIPAA and GLBA in place even if broader privacy and security regulations are adopted this year. Even so, entities that are currently covered by industry-specific regulations might still feel an additional regulatory burden if they collect, store, use, or share data for any purposes outside the purview of existing laws.
State privacy laws of similar scope would be preempted by most of the congressional proposals. Forty-seven states have their own breach notification laws, and every state has privacy or data security laws of some sort, which often differ from one state to the next. That patchwork of local laws places a high compliance burden on entities operating across state lines, so federal preemption may be a welcome change for some covered entities.
Speier’s privacy bill is an exception, as it would not preempt state law if state law offers greater privacy protection than the federal law. The vast majority of congressional proposals, however, would supersede state laws wherever overlap occurs. If Congress passes a comprehensive privacy and data security bill this year, it is likely to reflect that consensus.
In the Meantime, Companies Should Act
In spite of all that is at stake in the ongoing policy debate regarding privacy and data security, the immediate priority for any covered entity should be to evaluate their policies vis-a-vis existing law and industry best practices. If an organization does not meet the standards already in place, adjusting to meet new regulations will be that much more difficult.
Unfortunately, evaluating a company’s current position is made more complicated by the fact that no comprehensive federal privacy law governs the collection, use, storage, and sharing of consumer information. Rather, an ever-changing patchwork of sector-specific and data-specific state and federal privacy laws makes such compliance assessments difficult.
In light of these realities, some organizations may find it helpful to approach the issue from the perspective of attempting to identify steps that can be taken to minimize data privacy and security risks, rather than trying to develop a comprehensive checklist of all possible laws that may apply. While due attention must be paid to specific compliance mandates, privacy issues tend to be less linear, generally warranting a more dynamic approach.
Taking Steps to Minimize Exposure
Covered entities can take several steps to minimize exposure:
• First, companies should not underestimate the value of having reasonable written privacy and security policies. Policies and procedures should be reevaluated at regular intervals, as well as when incidents occur.
• Second, entities should conduct assessments to identify risks specific to their organizations and should be sure to incorporate low-tech and high-tech solutions.
• Third, entities should consider assigning one person responsibility over privacy and security concerns. The position of Chief Privacy Officer is becoming more common in the senior ranks of organizations.
• Finally, companies should train their workforces on privacy matters and ensure that all employees understand the importance of data security and privacy. Many breaches are the result of employee error, rather than external cyber attack.
The prospect for new federal data security and privacy regulations remains in flux. Given the attention that Congress and the administration have already dedicated to these issues, paired with the seeming inevitability of continued high-profile data breaches, it is plausible that a revamped national privacy framework could be agreed upon in the relatively near future. Yet with more than a dozen proposals already released from competing congressional committees, it remains difficult to predict what the final regulations might look like. Looking ahead, it is also important for companies to monitor or become engaged in the policy debate in Washington, D.C., and to better understand how proposals can impact their business. The realm of consumer privacy and data security in the digital era is fast-evolving, and as federal policymakers try to keep pace, much is at stake for all entities—and individuals—involved.
[Figure: chart grouping the pending bills under three headings, Online, Point-of-Sale Privacy; Mobile Device Privacy; and Data Security or Breach Notification. Bills shown: H.R. 654 (Speier), S. 913 (Rockefeller), S. 1212 (Wyden), S. 1223 (Franken-Blumenthal), H.R. 2168 (Chaffetz), S. 1011 (Leahy), H.R. 611 (Rush), H.R. 1528 (Stearns), H.R. 1895 (Barton-Markey), S. 799 (Kerry-McCain), SAFE Data Act draft (Bono Mack), S. 1207 (Rockefeller-Pryor), S. 1151 (Leahy), H.R. 1707 (Rush), H.R. 1841 (Stearns).]
The Metropolitan Corporate Counsel
Volume 19, No. 4 © 2011 The Metropolitan Corporate Counsel, Inc. April 2011
In the first few months of 2011, the U.S. Department of Health and Human Services Office for Civil Rights issued its first-ever civil monetary penalty, against Cignet Health, for alleged privacy violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), exacted a $1 million resolution amount from Massachusetts General Hospital for alleged HIPAA privacy violations, issued a budget request seeking substantial funding for HIPAA compliance and enforcement activities, and announced a new program to train state attorneys general to enforce HIPAA.
Many HIPAA-covered health care providers, health plans and health care clearinghouses are struggling to put these developments into perspective. The sheer size of the Cignet penalty – over $4.3 million – and the fact that the Office for Civil Rights (OCR) exercised its authority to assess civil monetary penalties (CMPs) for the first time led stakeholders to wonder if this development marked a sea change in enforcement attitudes. But concerns were tempered somewhat by the facts of the case, as the provider’s abject noncompliance and refusal to cooperate with authorities made it seem like an outlier. The Massachusetts General Hospital (MGH) million-dollar resolution set the HIPAA community more on edge, as the breach – an employee accidentally left files containing medical records on a subway train while commuting – seemed like the type of incident that could occur despite an entity’s sincere compliance efforts.
The OCR budget request and announcement of the new state attorney general training program added to an already tense environment. OCR is requesting about $46.7 million for fiscal year 2012, compared to its $44.3 million request for fiscal year 2011 and the $41.1 million enacted amount for fiscal year 2010. OCR is also reaching out to state attorneys general, offering substantial support in their efforts to enforce HIPAA using new authority granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR announced a series of intense two-day state attorney general training workshops, starting in April 2011, that will include instruction on issues ranging from HIPAA, HITECH and state legal requirements to investigative techniques for identifying and prosecuting potential violations to resources available to state attorneys general pursuing alleged HIPAA violations. Notably, HITECH allows courts to award damages (capped at $25,000 per calendar year for violations of the same requirement), as well as costs and attorney’s fees, in such actions.
This article considers recent enforcementactivity against the backdrop of the broaderHIPAA enforcement timeline. When placedin context in this manner, the Cignet andMGH settlements seem to be more a contin-uation of a trend that has been slowly build-ing over time than a shocking newdevelopment calling for drastic measures.Given the current environment, prudent cov-ered entities should reinvigorate theirHIPAA compliance efforts. This article con-tinues to extract several lessons for coveredentities from the enforcement timeline.
Putting Recent HIPAA EnforcementActions Into Perspective
In the early days of HIPAA, outreach andeducation were the buzzwords of choice, ascovered entities became acquainted with thenew requirements. The promulgation of theinterim final HIPAA privacy rule in Decem-
ber of 2000 marked the beginning of a periodthat would extend until compliance with theHIPAA security rule was mandated in 2005,during which covered entities focused onlearning the regime and building complianceprograms. Revisions to the regulations andthe issuance of guidance documents madeheadlines. There were no seven-figure settle-ments, no resolution agreements with correc-tive action plans (CAPs) and no CMPs.Providence: A Beginning
Then, in July 2008, the U.S. Departmentof Health and Human Services (HHS)announced the first HIPAA resolution agree-ment, in which Providence Health Systemand a pair of related entities (Providence)agreed to a detailed CAP and a $100,000 res-olution amount for alleged privacy and secu-rity violations. The incident giving rise to theresolution agreement involved the loss ofbackup tapes, optical disks and laptops ladenwith unencrypted protected health informa-tion (PHI) on 386,000 individuals, whichwere removed from the entity’s premises andleft unattended in a car. Affected individualswere notified as required under state laws,and HHS received over 30 complaints. TheCAP required Providence to revise itsHIPAA policies and procedures, train work-force members accordingly, conduct moni-toring and submit compliance reports to HHSfor three years. This litany will becomerather common. In its press release announc-ing the resolution agreement, HHS empha-sized that Providence’s cooperation withregulators allowed HHS to resolve the casewithout imposing a CMP. These words willtake on an almost eerie significance, post-Cignet.Rite Aid and CVS: Underscoring theSignificance of Major Regulatory andLegislative Developments
Fast forward to February 2009, and thepassage of the HITECH Act brings majorchanges to the HIPAA regime. Beyondenhancements to privacy requirements andthe extension of HIPAA to business associ-ates, HITECH dramatically increased penal-
Making Sense Of Recent HIPAA Enforcement Activity
www.metrocorpcounsel.com
Please email the author at [email protected] with questionsabout this article.
Jo-Ellyn Sakowitz Klein andKristen L. Henderson
AKIN GUMP STRAUSS HAUER &FELD LLP
Jo-Ellyn Sakowitz Klein is Senior Counselin the health industry practice group andleads the privacy and data protection groupat Akin Gump. Kristen Henderson is anAssociate in the health industry practicegroup at Akin Gump.
C9
Volume 19, No. 4 © 2011 The Metropolitan Corporate Counsel, Inc. April 2011
records. Cignet failed to comply for months,even after OCR issued a subpoena. Onlyafter OCR filed a petition to enforce its sub-poena in a U.S. district court, and the courtordered Cignet to produce the records, didCignet act. And in doing so, Cignet ran fur-ther afoul of HIPAA, producing records –without securing authorization – for severalthousand patients above and beyond the 41at issue. Before issuing its proposed determi-nation, OCR gave Cignet the opportunity tosubmit evidence of any mitigating factors oraffirmative defenses. Cignet failed torespond. In its final determination, OCRnoted that Cignet made no efforts to resolvethe complaints and, when calculating theamount of the CMP, considered the patients’inability to obtain continuing treatment andthe fact that OCR was forced to issue a sub-poena as aggravating factors. Applying theHITECH tiered penalty scheme, OCRassessed a $1.3 million penalty for the indi-vidual rights violations, plus a $3 millionpenalty for its “willful neglect” in failing tocooperate with the investigation. Massachusetts General: The Wheels Churn,Not So Quietly
On the heels of the Cignet announce-ment, on February 24, 2011, OCRannounced a $1 million settlement withMGH for alleged HIPAA privacy violations.An employee commuting on the subwayinadvertently left behind files containingPHI for around 200 infectious disease prac-tice patients, including records containingsensitive HIV/AIDS information. OCR’sinvestigation indicated MGH failed toimplement reasonable and appropriate safe-guards where PHI is removed from the hos-pital’s premises. MGH agreed to a CAPrequiring the hospital to develop policies andprocedures (notably, addressing USB andlaptop encryption as well as physicalremoval and transport of PHI) and trainworkforce members accordingly. A speciallydesignated monitor will oversee implemen-tation of the CAP for a three-year period andreport back to HHS.
There is no sign that the timeline will notcontinue from here. Indeed, the enforcementwheels continue to churn. OCR officialshave noted that every complaint received byOCR is reviewed and analyzed, and aninvestigation is initiated if the facts and cir-cumstances alleged indicate a compliancefailure. As a result of the HITECH breachnotification requirements, reports of sizeablebreaches have been mounting, posted on awebsite for all to see. OCR has indicated thatthe agency is following up on those inci-dents. Presumably, some will be resolvedthrough a long-term resolution agreementand CAP, while others will be addressedthrough voluntary compliance without sanc-tions. In the MGH press release, OCR Direc-
ties (raising maximums from $25,000 to$1.5 million), created an elaborate tieredpenalty structure, added a new mandatoryfederal breach notification requirement andcreated new enforcement tools – includingHIPAA enforcement authority for state attor-neys general.
Almost in the same breath, on February18, 2009, HHS announced that OCR hadconcluded a joint investigation with the Fed-eral Trade Commission (FTC) into allegedHIPAA privacy violations by CVS pharma-cies, and that the chain had agreed to pay a$2.25 million resolution amount and to takecorrective action. The investigation beganfollowing media reports that CVS was dis-posing of pill bottles and other items con-taining PHI in open dumpsters. OCR’sthree-year CAP called for new policies andprocedures relating to disposal of PHI(including workforce training and sanctionsfor noncompliance), internal monitoring andthird-party audits. CVS entered into a sepa-rate consent decree with the FTC.
With the proposal of HITECH regula-tions in the summer of 2010 came anotherannouncement – this time describing a set-tlement with Rite Aid that included a $1 mil-lion payment and similar CAP terms, plus anFTC consent decree, at the conclusion of ajoint OCR/FTC investigation into similarallegations. Management Services Organization: TheWheels Churn, Quietly
Then, somewhat quietly, in December of2010, HHS announced a resolution agree-ment with a covered entity arising from factsrevealed during a Federal False Claims Actinvestigation. Coordinating with the HHSOffice for Inspector General and the U.S.Department of Justice, OCR entered into aresolution agreement and CAP with Man-agement Services Organization (MSO), acovered entity that had allegedly shared PHIwith a related entity for marketing purposeswithout the requisite authorization fromaffected individuals. HHS found that MSOintentionally did not have safeguards inplace to protect information from such unau-thorized use or disclosure. MSO agreed topay $35,000 and implement a two-year CAPcalling for policies and procedures, work-force training, monitoring and reporting. Cignet: Outliers Beware
On February 22, 2011, HHS imposed itsfirst-ever CMP for HIPAA violations: apenalty exceeding $4.3 million againstCignet. OCR found that Cignet failed to pro-vide 41 patients with access to their medicalrecords as required under HIPAA and, quiteinexplicably, obstructed OCR’s investiga-tion. On receiving complaints from affectedindividuals, OCR initiated an investigationand notified Cignet in writing of its obliga-tion to provide access to the requested
tor Georgina Verdugo noted, “We hope thehealth care industry will take a close look atthis [resolution] agreement and recognizethat OCR is serious about HIPAA enforce-ment.”
Some Lessons For Covered EntitiesThe enforcement trail yields a number of
lessons for covered entities. First, do notunderestimate the importance of having rea-sonable and appropriate written privacy andsecurity policies and procedures. Policiesand procedures should be reevaluated at reg-ular intervals, as well as when incidentsoccur. Entities should conduct commonsense assessments to identify risks specificto their organizations and should be sure toincorporate low-tech (as well as high-tech)solutions. Entities should learn from inci-dents endured by others and should reviewthe OCR breach notification website, caseexamples and statistics – as well as theCAPs – for ideas regarding potential areasof weakness.
Covered entities should take care to com-ply fully with their own policies and proce-dures. The CAPs emphasize the importanceof training – and retraining – workforcemembers. Especially in areas deemedHIPAA risks, policies and procedures shouldbe tested through thoughtfully consideredinternal monitoring and audits. Sanctionpolicies should be clearly documented andapplied as circumstances dictate. All compli-ance efforts should be documented. Thisdocumentation will be critical should OCRinitiate an investigation. And, of course, it isimportant to cooperate with OCR during anyinvestigations.
The enforcement trail also suggests thatfundamental individual rights, like the rightto access, may be held particularly sacred;that OCR may be losing patience for sloppysafeguards that result in lost or stolen data(especially where PHI is taken off-premises); and that the agency may comedown especially hard where sensitive infor-mation (like HIV/AIDS information) isinvolved. The Rite Aid and CVS settlementsalso convey the message that OCR expectsdata to remain secure throughout its lifecy-cle, from creation through destruction. And,as both Cignet and MGH learned mostrecently, it is not necessary to have thou-sands of individuals affected by an incidentfor an entity to face significant consequencesunder HIPAA and HITECH.
In conclusion, enforcement efforts havebeen building and do not seem likely to sub-side. Only with hindsight will we know forcertain whether the recent confluence ofevents should be taken as a sign that OCR isshifting to a far more aggressive tact onHIPAA enforcement. Covered entitiesshould learn what they can from the enforce-ment trail and reinvigorate HIPAA compli-ance efforts.
C10
© 2011 Akin Gump Strauss Hauer & Feld LLP This document is distributed for informational use only; it does not constitute legal advice and should not be used as such.
Privacy and Data Protection Alert

FTC and Commerce Privacy Reports Point to Obama Administration Promoting Privacy Legislation
February 3, 2011
The Obama administration continues to focus on privacy issues, and this year's agenda will include continued enforcement efforts by the Federal Trade Commission (FTC), regulatory efforts led by the FTC and the Department of Commerce and a push for legislation. This alert focuses on this last point and briefly summarizes the policy high points driving these efforts, as detailed in extensive reports issued in late 2010 by the FTC and the Department of Commerce.
FTC and Department of Commerce Make Headlines

The administration, through two key agencies—the FTC and the Department of Commerce—is attempting to shape the legislative debate over privacy issues. In December 2010, each issued a comprehensive report on its views and approaches to key privacy issues.
The FTC report, issued by its staff, is the latest in a series of privacy reports—some equally comprehensive, others industry- or issue- (identity theft, technologies, laws) specific. The FTC report, titled “Protecting Consumer Privacy in an Era of Rapid Change,” is a preliminary report—meaning that the FTC is continuing to seek comments and reactions to the report and will likely issue a follow-on report. The Commerce report is called “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Framework.” Both reports at a basic level advocate a more comprehensive and more legislative approach to privacy issues.
The FTC report is organized around three key principles based on what it terms a “privacy framework.” This framework is not really a set of concrete proposals—a key exception is a proposal for a “do-not-track” law—but, for the most part, a set of basic aspirational goals.
The first goal is termed “privacy by design”—essentially, the recommendation that companies make privacy part of their “everyday business practices.”
The second, “simplified choice,” is the FTC’s recognition that the “notice-and-choice” approach may not really be effective if consumers, as seems often to be the case, do not pay attention to the content of privacy notices. The FTC, not surprisingly, wants more effective choice.
Finally, the FTC urges "greater transparency," which reads as a condensed version of the Fair Information Practice Principles (FIPPs), i.e., there should be notice, access, disclosure and affirmative consent for changes in data use.
However, the FTC staff is careful to suggest that these concepts may have to be modified or applied through a sliding scale conditioned by the type of data or level of acceptance of the business practices at issue. Within these broad concepts, there are discussions of more- controversial issues such as the use and regulation of depersonalized data, self-regulation versus government enforcement, exclusions for less-sensitive data, consistency with existing privacy laws and correction of consumer data being held by companies.
The Commerce report is very similar in certain ways to the FTC report. The Commerce report advocates a generalized privacy approach it terms a "Dynamic Privacy Framework." This approach is basically a generalized privacy "bill of rights" based on a FIPPs approach.

The report stresses that a baseline set of privacy principles would center on transparency, i.e., better and more effective notice, with effective purpose specification and use limitation as set forth in those notices. It also would stress auditing and accountability.
These principles likely would be backed up by industry codes of conduct that may be enforceable through FTC actions. However, companies that followed the industry codes would be protected from regulatory actions by safe harbors.
Why the Different Approaches?

Different agencies do different things in different ways, and there are some key differences between the two reports.

First, Commerce is an executive agency—that is, it is run by its political appointees and, by extension, the administration. As a result, it can speak with one voice. The FTC, on the other hand, is an independent agency operated through the consensus of its five commissioners, no more than three of whom, by law, may be members of the same political party.
As a result, the Commerce report is simply more consistent in its overall approach. The FTC report is not, and, in fact, the Republican commissioners both filed concurring statements indicating that the proposals in the FTC staff’s report are “flawed” or insufficiently based in empirical evidence. Consequently, the on-the-one-hand/on-the-other-hand quality of the FTC staff’s report is most likely a reaction to countervailing practical, philosophical or even political concerns.
Further, Commerce is known as a business-friendly agency. Not surprisingly, the Commerce report, both in substance and, to a certain extent, in form, provides some industry-friendly recommendations, e.g., a national breach notification law that preempts state laws.
The Commerce report also recommends the creation within its hierarchy of a Privacy Planning Office. While the Commerce report is careful to acknowledge the role of the FTC and other parts of the U.S. government in developing privacy policy, the administration is clearly pushing for a more hands-on role through an executive agency.
Next Steps

The reports will be drivers for continued focus. Even as congressional committees will likely hold hearings on one or both of these reports to drive the dialogue and solicit feedback from stakeholders in advance of moving any legislation, each agency will try to use its report as a means of affecting legislative activity and expanding its power and authority.

CONTACT INFORMATION

If you have any questions regarding this alert, please contact—
Daniel F. McInnis [email protected] 202.887.4359 Washington, D.C.
James R. Tucker, Jr. [email protected] 202.887.4279 Washington, D.C.
Jo-Ellyn Sakowitz Klein [email protected] 202.887.4220 Washington, D.C.