New York Attorney General Proposes Stiffer Data Security and Breach Notification Laws

January 20th, 2015 by John Stephens

New York State Attorney General Eric Schneiderman has proposed legislation that would make the state’s data security law the strongest in the country and require “unprecedented safeguards” for personal data.

“With some of the largest-ever breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers,” Schneiderman said. “Our new law will be the strongest, most comprehensive in the nation.”

The proposal seeks to expand the type of information that employers and retailers are required to protect and require stronger technical and physical security measures for protecting that information.

In addition, the proposal seeks to broaden the state’s breach notification law to include information such as login credentials and medical history. It also seeks to expand the definition of what constitutes “private information” to include email addresses and passwords, biometric information and health insurance details.

Notably, the proposal would also provide businesses with incentives to implement robust data-security measures by offering a safe harbor that would provide some protection from liability in lawsuits if they can show that they took steps to protect private information. Under the attorney general’s proposal, companies that categorize their information systems according to the relative risk of a data breach, implement and follow a data security plan, and attain a certification, could be entitled to the safe harbor, including an elimination of liability altogether.

The proposed legislation would also protect companies that share forensic reports with law enforcement officials by guaranteeing that any disclosure will not affect any privilege or protection.

If it’s enacted, the legislation would match California’s state breach notification standards in terms of the breadth of information covered, and exceed that state’s standards in other ways related to data security.

The announcement follows President Obama’s proposal to improve cyber security standards by enacting legislation to establish a uniform federal data breach notification requirement.

Obama Sets Forth Privacy Initiatives to Federal Trade Commission

January 13th, 2015 by Paul Pittman

Yesterday, President Barack Obama addressed the Federal Trade Commission (FTC) and outlined his proposal for protecting and strengthening consumer and student personal data. President Obama called on Congress to support his initiative by passing legislation stating “this mission, protecting our information and privacy in the information age, this should not be a partisan issue.”

Specifically, President Obama proposed the following legislation:

  • Personal Data Notification and Protection Act: under this proposal Congress would establish a national standard for companies to follow in the event of a data breach, and require companies to notify consumers within 30 days of discovery of a data breach. To deter the trade of identities of U.S. citizens in overseas markets, the legislation would make the sale of identities overseas a criminal act. This legislation would provide uniformity to the patchwork of 47 states that have breach notification laws and provide companies with a clear standard on how to proceed when a data breach occurs.
  • Student Digital Privacy Act: under this proposed legislation, modeled after a similar bill enacted in California in 2014, companies would be prohibited from using or selling data collected on students in the classroom to third parties for non-educational purposes, such as marketing and advertising.
  • Privacy Bill of Rights: under this proposed legislation, which was first introduced by the White House in a white paper in 2012, consumers would be vested with certain protections, including the power to control the type of personal information collected by companies and how that data is used. President Obama also noted that consumers should expect that any company they allow to collect their data will store that data securely and be accountable for its use.

The proposals set forth in President Obama’s speech build on other consumer privacy initiatives that the administration has advanced in recent years, including the 2012 white paper on “Consumer Data Privacy in a Networked World.” Given the political climate, with Republicans holding both houses of Congress, this legislation is likely to encounter great difficulty passing into law, or at the very least will differ markedly from its current form as the interests of various sectors are accounted for. Nonetheless, since these legislative proposals may eventually become law, companies should closely follow their developments to understand their obligations and rights.

Target Takes Aim at Consumers after Banks Win Opening Round

December 14th, 2014 by Paul Pittman

On Thursday, the attorney for Target Corporation (“Target”) made oral arguments in support of its motion to dismiss consumer claims stemming from the data breach it suffered late last year when hackers stole financial and personal information of approximately 110 million consumers during the busy Christmas holiday season. Nearly 60 lawsuits were filed by consumers claiming that the data breach suffered by Target placed them at risk for identity theft and unauthorized charges, reduced their account access and impacted their credit. The cases were eventually consolidated in the U.S. District Court for Minnesota and are presided over by Judge Paul Magnuson. Target’s pending motion seeks to dismiss claims by consumers primarily for an alleged lack of standing because the consumer plaintiffs have not sufficiently alleged any actual, or future, injury or damages.

Target Counterpunched

Target’s pending motion against consumer plaintiffs comes two weeks after Judge Magnuson delivered a significant victory to financial institution plaintiffs – issuer banks that provide credit to consumers and issue payment cards – by denying Target’s motion to dismiss the financial institution plaintiffs’ claims. The financial institution plaintiffs’ complaint asserted four claims against Target: (1) negligence for failure to provide security sufficient to prevent access to customer data; (2) violation of Minnesota’s Plastic Card Security Act (“PCSA”); (3) negligence per se based on the alleged violation of the PCSA; and (4) negligent misrepresentation by omission based on Target’s alleged failure to inform banks of its alleged security deficiencies.

The financial institution plaintiffs allege that Target did not take the proper precautions in protecting its computer systems, delayed its response to the breach and disabled security components, which allowed hackers to install “malware” that collected customers’ payment information and personal data at the “point of sale” terminals. Target argued that the attack was caused by hackers and that it shouldn’t be held liable to financial institution plaintiffs following a data breach.

Judge Magnuson denied Target’s motion as to the negligence and negligence per se claims, and violation of the Minnesota PCSA. He granted the motion with regard to the financial institution plaintiffs’ negligent misrepresentation claim but allowed the financial institution plaintiffs the opportunity to file an amended complaint.

Judge Magnuson determined that Target had a duty to the issuer banks to ensure that customer credit and debit card data was adequately protected, finding that there was a foreseeable risk of injury to the financial institution plaintiffs if Target did not. The court also determined that although third party hackers caused the harm to the plaintiffs, Target contributed to the harm through its own inadequate data security protocols. Judge Magnuson further found that Target violated the PCSA when it briefly retained some of the customers’ financial data on its servers, which the hackers collected.

Importantly, Judge Magnuson’s decision provides clarity to the legal relationship that may exist between retailer/merchants and issuer banks and which could increase the liability of retailer/merchants to those banks if they fail to adequately safeguard consumer personal and financial information. Unlike consumers, banks can quantify specific damages such as expenses for replacing bank cards. In addition, the decision provides some guidance on the standard of care a court might require in assessing the adequacy and propriety of a company’s data security efforts, where the court determined that Target’s reduction of certain security procedures and failure to act promptly upon learning of the potential breach, could be found to be inadequate.

Target Expects a Better Outcome in Round Two

Target’s current motion is directed at consumers and alleges that consumers lack standing to assert their claims because they have not alleged facts sufficient to establish that they have been, or will be, injured by the data breach. In addition, Target argues that the data breach statutes of several of the states where plaintiffs’ transactions occurred do not allow for a private right of action. Target’s argument that the consumer plaintiffs lack standing to maintain an action due to a lack of actual injury or damages has been successfully advanced in data breach cases over the years and has resulted in many actions being dismissed at the pleadings stage.

Notably, Target’s argument that the consumer plaintiffs lack standing relies on a recent Supreme Court decision in Amnesty Int’l v. Clapper, which held that a plaintiff must establish that any alleged future injury is “certainly impending” to establish standing. Given that injury and damages claimed by data breach plaintiffs are often based on the mere possibility that a consumer’s personal and financial information may be used fraudulently in the future, Clapper’s “certainly impending” requirement imposes a high burden for plaintiffs to establish standing in data breach cases. Recent data breach cases where the defendants have relied on the “certainly impending” standard set forth in Clapper have been mixed, ranging from dismissals in data breach cases involving Neiman Marcus and Barnes & Noble to a rejection of the lack of standing argument in a data breach case involving Sony Corporation.

As a result, given the size of the data breach and facts involved in this litigation, the court’s decision on Target’s pending motion to dismiss has the potential to have a significant influence on the issue of standing to assert claims for injury in data breach cases. At the very least, it will add substantially to a growing list of district court cases that are likely to make their way through the federal appellate court system and on to the Supreme Court for clarity on this very important issue. Stay tuned.

Federal Trade Commission Shows Willingness to Credit Responsive Data Security Efforts in Exercising Enforcement Authority

November 30th, 2014 by Paul Pittman

In a change of pace, the Federal Trade Commission (“FTC”) recently decided not to pursue an enforcement action against Verizon Communications, Inc. (“Verizon”) following an investigation into whether Verizon violated Section 5 of the Federal Trade Commission Act, by engaging in “unfair or deceptive acts or practices” when it failed to secure the routers used to provide High Speed Internet (DSL) and FiOS Internet services to its customers in “a reasonable and appropriate manner.” The FTC determined that Verizon provided routers to its customers with the outdated Wired Equivalent Privacy (“WEP”) encryption standard. The Institute of Electrical and Electronics Engineers has rejected the continued use of the WEP standard due to certain weaknesses and recommends use of the Wi-Fi Protected Access 2 (“WPA2”) standard. The FTC determined that Verizon’s continued use of the outdated WEP model left customers’ networks and personal information vulnerable to unauthorized infiltration.

The FTC’s response deviates from its tendency to follow up investigations of data security and privacy issues with enforcement actions and consent decrees that force companies to employ “reasonable” security measures to protect the personal data that they collect. With Verizon, however, the FTC recognized Verizon’s efforts during the investigation to address the FTC’s concerns, such as:

• eliminating the use of WEP-defaulted routers and replacing them with routers set to WPA2;
• contacting customers using WEP or no encryption to request that they update their settings to WPA2; and
• offering customers whose routers are incompatible with WPA2 an opportunity to upgrade to units that are compatible with the latest standard.

By taking these proactive steps to address the FTC’s security concerns about the ability of Verizon’s routers to protect customers’ personal data, Verizon was able to avoid an enforcement action, and possibly a consent decree, by the FTC.

The FTC’s approach with Verizon may signal the agency’s willingness to recognize a company’s affirmative efforts to address the data privacy and security issues that are the subject of the FTC’s investigation, in deciding whether to proceed with an enforcement action. As the FTC noted, “we continue to emphasize that data security is an ongoing process. As risks, technologies and circumstances change over time, companies must adjust security practices accordingly.” Companies should continue to implement measures to protect consumer data using currently accepted industry standards, but should be encouraged that the FTC may be reluctant to exercise its full enforcement authority should a company show affirmative efforts to bring its data security program into compliance with current technology and any FTC requirements.

Connecticut Supreme Court Ruling Allows Private Plaintiff to Assert Negligence Claims Based on HIPAA

November 15th, 2014 by Paul Pittman

Recently, the Connecticut Supreme Court ruled that a plaintiff may assert state law negligence claims against a healthcare clinic that allegedly released confidential patient health data based on the Health Insurance Portability and Accountability Act (“HIPAA”). The ruling enables private plaintiffs to use the standard of care set forth under HIPAA to support a negligence claim in Connecticut and could result in a flood of litigation if other state courts follow suit.

In Emily Byrne v. Avery Center for Obstetrics and Gynecology, Byrne asserted common law claims, including negligence, alleging that the healthcare clinic impermissibly released her medical records to her ex-boyfriend while complying with a subpoena, in violation of her privacy right of confidentiality under HIPAA. Defendant argued that Byrne’s common law claims were precluded by HIPAA and the trial court agreed.

The Connecticut Supreme Court reversed, holding that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of the plaintiff’s medical records.” Pointing to numerous decisions by courts in other jurisdictions, the Court also held that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.” The Court remanded the case to the trial court to allow Byrne to proceed on her negligence claims.

The decision by the Connecticut Supreme Court expands plaintiffs’ attorneys’ arsenal when it comes to claims for breaches of health care data by providing an avenue for plaintiffs to essentially assert a private right of action based on a violation of HIPAA – an area that is traditionally reserved for federal regulators such as the Department of Health and Human Services under HIPAA. The ruling not only impacts healthcare and other covered entities, but also “business associates” of the covered entities, who are also subject to the compliance requirements of HIPAA. Plaintiffs’ attorneys will surely use this decision to assert similar claims and bolster new claims, such as unfair competition and invasion of privacy, in other states.

It’s worth noting that any favorable impact of this decision could be short lived if the trial court rejects Byrne’s negligence claims. Byrne may have a particularly difficult time proving damages under her negligence claims, which is a showing many data breach plaintiffs have traditionally had trouble establishing.

Regardless of the outcome, covered entities and their business associates are best protected by taking the steps necessary to ensure compliance with HIPAA. Doing so will allow defendants to avoid the traditional enforcement actions and fines issued by regulators for violations of HIPAA, as well as any damages sought under novel common law claims based on the HIPAA standard of care.

Federal Communications Commission Steps Loudly Into Realm of Data Privacy Enforcement

October 31st, 2014 by Paul Pittman

Last week, the Federal Communications Commission (“FCC”) announced its entrance into the data privacy enforcement realm by issuing a $10 million fine against two telecommunications companies for failing to adequately safeguard their customers’ sensitive personal information. In doing so, the FCC joined a growing list of regulatory bodies, such as the Federal Trade Commission (“FTC”) and Department of Health and Human Services, as well as state attorneys general, who have asserted enforcement authority over companies and entities who fail to protect and secure consumer data.

FCC Finds Lax Data Security “Unfair and Unreasonable Practice” Under Communications Act

The two telecommunications companies subject to the $10 million FCC privacy breach fine – TerraCom Inc. and YourTel America, Inc. – were accused of storing consumers’ personally identifiable information (“PII”), including Social Security numbers, names, addresses and driver’s license numbers, on unsecured Internet servers. While the privacy policies of the two companies purported to safeguard customer information from unauthorized access or use by employing “technology and security features,” the PII was stored in a format and at an unsecured location that allowed easy access to the information over the Internet. As a result, the PII of up to 305,000 consumers was exposed.

In issuing the fine, the FCC determined that the telecommunications companies violated their duty to protect personal information by engaging in unfair and unreasonable practices under section 201(b) of the Communications Act. The FCC further determined that the telecommunications companies engaged in unfair and unreasonable practices by providing deceptive and misleading representations regarding their privacy protections and failing to notify consumers of the breach.

The FCC’s data privacy breach fine follows a $7.4 million settlement with Verizon last month over allegations that Verizon used the personal information of customers to market other services without providing the customers with notice of their privacy rights and without obtaining the customers’ consent to use their personal information.

FCC Enforcement Action Puts Companies on Notice But Provides Little Guidance

Generally, the FCC is authorized to exercise jurisdiction over communications companies, which include wireless, satellite and cable companies. As a result, the FCC’s ability to bring data privacy enforcement actions is limited. Nonetheless, the imposition of such a substantial fine by the FCC for the telecommunications companies’ failure to adequately secure their networks, in the absence of any actual injury to the consumer, signals an aggressive approach by the regulator against those companies handling consumer data that fall within the purview of the FCC. Further, given the breadth of services provided by communications companies, enforcement actions by the FCC may overlap with those of other agencies with a broader reach, such as the FTC, potentially subjecting companies to multiple regulatory schemes and enforcement actions.

Ultimately, the FCC’s enforcement action and $10 million fine puts companies on notice that there is an additional, active regulatory body that should be considered when developing privacy policies and implementing processes, standards and procedures. Yet, the FCC’s reliance on the Communications Act in exercising enforcement authority here is likely to be called into question in a way similar to that faced by the FTC. In fact, one of the FCC commissioners who dissented in the issuance of the proposed fine noted that the Communications Act “was never intended to address the security of the data on the Internet.”

Importantly, the FCC’s initial data privacy enforcement action here creates ambiguity about the data security standards that are actually compliant with the Communications Act, and provides little clarity about what other types of data it covers. Given these uncertainties, communications companies should tread carefully in handling consumer data, until a firm body of directives, decisions and rulemaking by the FCC in the data privacy realm is established to provide guidance.

California Passes New Data Breach Laws: Requirement to Offer Identity Theft Protection at No Cost, New Duties Imposed on “Maintainers” of Personal Information, and Sale of Social Security Numbers Banned

October 3rd, 2014 by Nora Wetzel

California added new provisions to its data breach law on October 1 by signing Bill AB 1710 into law. The amendment to California’s Civil Code (1) requires entities that experience a data breach to provide identity theft prevention and mitigation services at no cost for 12 months if the notifying entity is the “source” of the breach, (2) requires entities that “maintain” personal information to implement the same safeguards to protect personal information as already required for those that own or license personal information, and (3) prohibits the sale (or offer to sell) individuals’ social security numbers. These new provisions will undoubtedly affect any business that deals with computerized personal information.

Identity Theft Services

The new law requires entities that own or license specified personal information to offer free identity theft protection and mitigation services for no less than 12 months to individuals affected by a data breach. Moreover, a data breach notice sent to affected individuals must include all information necessary to take advantage of the offer.

This new provision only applies if the notifying entity was the source of the breach and if specific personal information was involved. While the new law does not define “source,” the bill’s legislative history suggests that “source” refers to the location where the data breach occurred. To illustrate, a retailer would be the “source” of a data breach if hackers obtained consumers’ credit card information from the retailer’s computer system. It is not clear, however, where a retailer contracts with a third-party vendor, such as a cloud service provider, and a breach of the vendor’s system occurs, whether the vendor or the retailer is the source of the breach. Presumably, the vendor would be the source of the breach. This could create tension surrounding the notification to affected individuals because the retailer has a strong interest in preserving its relationship with its customers. The retailer likely will want to control the notification message to its customers, yet the vendor may be charged with the duty to notify the affected customers.

Likewise, the new identity theft protection provision only applies to particular personal information—an individual’s first name or initial and last name combined with a social security number, driver’s license number or California identification card when either the name or the data elements are unencrypted. Personal information in this context does not include financial account information or medical information. Entities should verify that they encrypt this type of personal information to avoid application of the identity theft protection provision.

Under most circumstances, HIPAA-covered entities will be exempt from this new provision. California’s existing law provides that HIPAA-covered entities complying “completely” with Section 13402(f) of the federal HITECH Act will be “deemed to have complied with” the section of California law requiring the offer of free identity theft protection services.

Safeguarding Personal Information Applies to Those Who “Maintain”

Another new provision requires entities that maintain personal information to: (1) implement and maintain reasonable security procedures and practices to protect that information from unauthorized access, destruction, use or modification, and (2) notify owners or licensees of that information “immediately following discovery” of a breach of the security of the data. The new law does not clearly define “maintain” but, again, the legislative history of the bill suggests the drafters intended “maintain” to refer to an entity that stores, gathers, or holds personal information, as a retailer may do with a customer’s financial information, in contrast to the “owner” of such financial information, which would be a financial institution.

This new provision encompasses a broader scope of personal information than that included in the new identity theft protection provision. Personal information here includes financial information such as account, credit or debit card numbers with any required security code or password, or medical information, in addition to an individual’s first name or initial and last name combined with a social security number, driver’s license number or California identification card.

Entities that maintain personal information should review their security practices and procedures to ensure any personal information implicated by this new provision is adequately protected against unauthorized access, destruction, use or modification. The reasonableness of an organization’s data security safeguards will likely be based upon its size, complexity and capabilities in order to take into account the resource limitations of smaller entities.

No Sale of Social Security Numbers

California also added new provisions to its data breach law prohibiting the sale, advertisements for sale, or offer to sell individuals’ social security numbers. While the new provisions specifically exempt releasing individuals’ social security numbers incident to a larger transaction and necessary to identify the person to accomplish a legitimate business purpose, releasing individuals’ social security numbers for marketing purposes is expressly banned.

The new additions to California’s data breach law can be found at:

California Enacts Smartphone Kill Switch Law to Promote Data Security

August 29th, 2014 by Matthew Fischer

This week California enacted into law Senate Bill 962, which requires a “kill switch” on all smartphones that would render the device inoperable. The law applies to all smartphones manufactured after July 1, 2015 and sold in the state, but exempts other mobile devices such as tablets and smartwatches.

While Minnesota passed a similar law in June, its statute (as well as comparable legislation pending in New York, Illinois and Rhode Island) does not require that a kill switch is enabled as the default setting as mandated under S.B. 962. California has been a leader in privacy and data security legislation and has the nation’s largest economy and population of smartphone users. As a result, the law will have a sweeping impact since it is unlikely that cell phone manufacturers will limit the kill switch feature to those phones sold in California and Minnesota. The feature has enough supporters that similar federal legislation, “The Smartphone Prevention Act,” was introduced to the U.S. Senate in February.

Apple iPhones with the iOS 7 operating system already include an “Activation Lock” feature that is largely compliant with S.B. 962 except for the fact that it is not a default setting. Google and Microsoft are expected to add kill switches in future versions of their operating systems.

California’s law and the growing popularity of kill switches are in response to the surge in smartphone thefts over the last year. A Consumer Reports survey indicated that approximately 3.1 million Americans were victims of smartphone thefts in 2013, up from 1.6 million in 2012. Smartphone thefts are particularly prevalent in the tech-centric Bay Area, where a large percentage of the population carries mobile devices. Smartphones pose a huge liability for data security since consumers store everything from credit card numbers to passwords for accounts and websites, and even Social Security numbers, on them.

The law is not without its detractors. CTIA, the trade association for the telecommunications industry, initially opposed the law out of concern that a patchwork of state-specific laws would increase costs without providing a comprehensive solution, while inhibiting competition and innovation. Opponents have pointed to the availability of other technological solutions such as remote wipe functionality. The Electronic Frontier Foundation (“EFF”) remains opposed due to concerns related to potential civil rights abuses and the possibility of criminal exploitation. EFF representatives have expressed concerns that a kill switch could be used by perpetrators of domestic violence and stalker crimes to prevent the victims from reporting the abuse, and would create a means for law enforcement to disable smartphones of protestors, akin to when cell phone access on BART subways was shut down in 2011 in response to a planned protest by commuters. Another worry is that hackers could potentially access the kill switch.

Retailers could incur a civil penalty ranging from $500 to $2,500 per smartphone sold in violation of the law.

Class Action Plaintiffs Look to Fair Credit Reporting Act for Private Relief from Data Breaches Involving Health Information

August 21st, 2014 by Paul Pittman

A recent class action brought against the University of Miami (“University”) previews what could become an emerging trend among plaintiffs’ class action attorneys to seek damages for the unauthorized disclosure of personal health information under the Fair Credit Reporting Act (“FCRA” or the “Act”). Enforcement actions for data breaches involving the unauthorized disclosure of personal health information (“PHI”) by health care systems or hospitals typically fall under the purview of the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). Recently, however, class action plaintiffs’ attorneys have advanced unique arguments in an attempt to bring data breaches involving PHI under the protections afforded by the FCRA.

The FCRA governs Credit Reporting Agencies (“CRAs”) and was enacted to ensure that CRAs accurately and fairly assemble personal information on consumers while maintaining the privacy of their personal information. 15 U.S.C. § 1681a(f). Typically, CRAs assemble and sell “consumer reports” for businesses, such as credit card companies and banks, to use in evaluating a consumer’s eligibility for credit, insurance or employment purposes. 15 U.S.C. § 1681a(d). The FCRA requires that CRAs follow reasonable procedures to protect the information. 15 U.S.C. § 1681e(a). Well known CRAs include Experian, TransUnion and Equifax. Notably, the FCRA provides for statutory damages of up to $1,000 and punitive damages for willful noncompliance with the Act. 15 U.S.C. § 1681n(b). Attorney’s fees may also be collected under the Act. 15 U.S.C. §§ 1681n(c) & 1681o(b).

Class Action Claims Against the University of Miami Health System

In February, current and former patients (“Patients”) filed a class action complaint in the U.S. District Court for the Southern District of Florida against the University, alleging that the University permitted unauthorized access to confidential records of putative class members, including PHI, that were held by a third-party offsite records vendor without the Patients’ knowledge or consent and without sufficient security.

The Patients asserted, among other things, that the University violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third-party vendor. The Patients argued that the University was a CRA that created “consumer reports” containing sensitive information, including names, dates of birth, social security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the University. The Patients further alleged that the University allowed employees of the outside vendor and others to gain unrestricted access to the patients’ personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third parties for profit.

The University settled these claims last week for just over $100,000, before the court could consider the viability of the plaintiffs’ arguments under the FCRA. A class action is, however, currently pending in the U.S. District Court for the Middle District of Alabama in which hospital patients advance similar FCRA arguments regarding a hospital’s disclosure of medical and personal information. Because the University’s settlement left the question unresolved, the outcome of the Alabama case may be the first indication of how courts will treat these arguments under the FCRA.

Fair Credit Reporting Act

Plaintiffs’ theory of liability under the FCRA is likely based on the fact that the Act specifically restricts the furnishing of consumer reports containing medical information to limited purposes, and in the case of credit, insurance or employment purposes only with the consumer’s specific consent. 15 U.S.C. § 1681b(g). The Act also permits a CRA to furnish a consumer report to a person with a “legitimate business need” for the information in connection with a business transaction initiated by the consumer. 15 U.S.C. § 1681b(a)(3)(F). However, it is questionable whether hospitals and healthcare systems are CRAs, that is, entities that regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). Hospitals have not traditionally been considered CRAs. Further, hospitals typically collect personal identity information and PHI for their own treatment, billing and record-keeping purposes, not for the purpose of creating and furnishing “consumer reports” to third parties, as the FCRA’s definition requires.

Emerging Cause of Action for Data Breach Involving Private Health Information

Importantly, the claims asserted by the class plaintiffs in these cases illustrate a novel use of the FCRA in the context of private health data. HIPAA provides no private right of action, so data breaches involving PHI have traditionally been redressed through HHS enforcement rather than by patients themselves. Should courts accept the argument that hospitals and medical providers are CRAs subject to the requirements of the FCRA, plaintiffs would be able to assert their own claims for statutory and punitive damages rather than relying on HHS to institute enforcement actions under HIPAA when data breaches occur. As the recent data breach of 4.5 million patient records at Community Health Systems, Inc. illustrates, the number of patient records involved in a single incident can be large enough that per-consumer statutory damages produce very substantial, and potentially crippling, exposure. If plaintiffs’ claims under the FCRA find traction, hospitals, medical providers and healthcare systems can certainly expect these types of private patient actions to follow.

FTC Clarifies COPPA “Verifiable Parental Consent” Requirements

July 21st, 2014 by Afigo Fadahunsi

The Federal Trade Commission (FTC) has modified the guidance it issues to developers who make apps specifically for children. App developers have taken advantage of a rapidly growing and lucrative app market aimed at a younger audience that not only enjoys modern technology but increasingly relies on it for educational development, as more school districts introduce tablets into the classroom. With the increasing and constant presence of children online, however, comes a greater degree of parental concern for their privacy.

The Children’s Online Privacy Protection Act (COPPA) was enacted primarily to protect children under the age of 13 from the collection of their personal data online for commercial use. The goal of COPPA is to keep parents in control of what their children under 13 are viewing and disclosing on the Internet. The FTC’s recent changes to its guidance not only ensure that app developers and app stores notify parents of how their children are using apps; they also reaffirm these entities’ obligation to obtain verifiable parental consent before collecting personal information from children.

The FTC initially took the position that charging a parent’s credit card was sufficient to establish parental consent, on the theory that the parent would, at a minimum, see the charge on the monthly statement and thereby have notice of the child’s activity. In its revisions, the FTC now clarifies that a credit card need not be charged to obtain parental consent, so long as the collection of the credit card number is supplemented with other effective safeguards, such as questions to which only a parent would know the answer.

The FTC also revised its guidelines to establish that the developer of a child-related app may use a third party, such as an app store, to obtain parental consent on its behalf. In that instance, if the app store provides the required notice and consent verification prior to or at the time of the purchase of a mobile app for children under 13, the mobile app developer may rely on that consent.

Finally, the FTC signaled its support for the creation of “multiple-operator” methods, or common consent mechanisms: an app store that assists developers operating on its platform by providing a verifiable consent mechanism will not be held liable under COPPA so long as it does not “misrepresent the level of oversight [provided] for a child-directed app.”
