Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues - PowerPoint PPT Presentation

1 / 156
About This Presentation

Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues


A Primer on Key Emerging Privacy Issues Wednesday, October 12, 2005 Washington, DC Seminar Overview John P. Hutchins Partner Troutman Sanders LLP 404.885.3460 john ... – PowerPoint PPT presentation

Number of Views:175
Avg rating:3.0/5.0
Slides: 157
Provided by: troutmans3


Transcript and Presenter's Notes

Title: Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues

Privacy Is It Any of Your Business?A Primer on
Key Emerging Privacy Issues
  • Wednesday, October 12, 2005
  • Washington, DC

Seminar Overview
  • John P. Hutchins
  • Partner
  • Troutman Sanders LLP
  • 404.885.3460

Data Collection Everyones Doing It
  • Electronic Commerce Has Led to Explosion of Data
  • Between 2002-2005, the world will generate more
    data than all the data generated on earth over
    the last 40,000 years.
  • University of California at Berkeley Study, 2002

Read All About It!
  • February 2005 - ChoicePoint discloses that, in
    October 2004, it sold information on 145,000
    people to data thieves posing as legitimate
  • March 1 - Bank of America reports that it lost
    computer data tapes containing social security
    numbers and account information on up to 1.2
    million federal employees, including some members
    of the U.S. Senate
  • March 10 - LexisNexis reports that hackers
    commandeered one of its databases, gaining access
    to personal files of as many as 32,000 people

Read All About It!
  • Mid-March - Boston College reports that a
    computer with files on 120,000 alumni was
  • March 28 - Reports stolen laptop containing
    personal information on nearly 100,000 University
    of California at Berkeley alumni, students and
    past applicants (some data was 30 years old)
  • April 12 - Tufts University sends letters to
    106,000 alumni, warning of ''abnormal activity"
    on a computer that contained names, addresses,
    phone numbers, and some Social Security and
    credit card numbers

Read All About It!
  • April 20 - DSW Shoe Warehouse reports that
    thieves stole 1.4 million credit card numbers of
  • May 2 - Time Warner reports that a shipment of
    backup tapes with personal information of about
    600,000 current and former employees was lost
    during a routine shipment to offsite storage
  • June 1 - Washington Post reports that FBI is
    investigating theft of Justice Department laptop
    from Omega World Travel office in Fairfax, VA,
    believed to contain personal data on 80,000
    Justice Department employees

Read All About It!
  • June 6 - CitiFinancial states that it has begun
    notifying 3.9 million customers that computer
    tapes containing information about their accounts
    had been lost
  • June 18 - MasterCard International reports that
    the networks of its third- party processor,
    CardSystems Solutions, were hacked and that data
    on 40 million credit card accounts were
  • June 24 - IRS discloses that it is investigating
    whether unauthorized people gained access to
    sensitive taxpayer and bank account information.
  • Someone has estimated 50 million people!

California SB 1386
  • Effective July 1, 2003
  • ChoicePoint story breaks February 2005
    (approximately 18 months)
  • Followed by report after report, disclosure after
  • Whats going on here?

Fundamental Shift
  • Privacy breaches come in all shapes and sizes
  • Some are the result of old-fashioned con
  • Some are the result of a sophisticated computer
  • Some are the result of simple larceny
  • Some are the result of basic human error (i.e.,
    its just lost)
  • Some are the result of a third-partys
  • But all are big news

The Shift is Broader Than Data Theft
  • CardSystems Should Not Have Kept Records
    June 20, 2005, Atlanta Journal-Constitution
  • Bosses on the prowl for risqué pics June 17,
  • 119 students who failed courses get group
    e-mail June 20, 2005, USA Today

What Is Privacy Law?
  • Gramm-Leach-Bliley
  • USA Patriot Act
  • EU Data Protection Directive
  • Privacy in the workplace (i.e., background
    screening, employing monitoring, video
  • Federal Sentencing Guidelines regarding executive
    background checks
  • Customer Proprietary Network Information
  • E-mail hazards (i.e., SPAM, Phishing, Spoofing)
  • Data aggregator liability and compliance
  • Identity theft and other cybercrimes
  • Department of Homeland Security/FERC regulations
    regarding critical infrastructure information
  • ISP liability
  • Spyware
  • Document retention and destruction
  • Sarbanes-Oxley

Privacy Data Security Team
  • Multi-Disciplinary
  • Banking Finance
  • Bankruptcy
  • Compensation Benefits
  • Consumer Law
  • Governmental Law
  • Health Care
  • Homeland Security
  • Immigration
  • Intellectual Property
  • Labor Employment
  • Litigation
  • Securities
  • Technology

Rapidly Changing Legal Issues
  • Are you covered?
  • Including GLB, FCRA, CALEA, etc. (Melissa Yost)
  • Data Collection/Legislative Trends (John
  • Compliance Issues FACTA Patriot Act/Wire Tap
    HIPAA Bankruptcy (Mary Zinsner, Dan Seikaly,
    Steve Gravely, Rich Hagerty)
  • New Litigation and Legal Theories (John Anderson)
  • Communicating the Privacy Challenge (Chuck

Overview of Key Privacy Laws Are You Covered?
  • Melissa Yost
  • Associate
  • Troutman Sanders LLP
  • 404.885.3486

Are You Covered?
  • What Types of Information are Shared?
  • With Whom Do We Share Data?
  • What are the Risks?
  • How Do We Protect Against These Risks?

Are You Covered?
  • What Types of Data are Shared?
  • Consumer Information
  • Internal Company Information
  • Third Party Information
  • Information Key to National Security

Are You Covered?
  • With Whom do We Share Data?
  • Business Associates
  • Affiliates
  • Government Entities
  • Legally Required Disclosure
  • Political Reasons
  • Other Private Parties

Are You Covered?
  • What are the Risks?
  • Security
  • Undermine security of infrastructures and systems
  • Competitive Disadvantage
  • Allows competitors to obtain your nonpublic data
  • Legal Liability
  • Disclosures to Government Entities
  • Customer Privacy/Public Perception
  • Hurt customer relationships and market credibility

Legal Liability Federal Laws
  • Gramm Leach Bliley (GLB)
  • Prohibits financial institutions from disclosing
    personally identifiable information of the
    customer to non-affiliated third parties without
    satisfying certain disclosure and consent
  • Broad definition for financial institution
  • Security Safeguard Rule must implement
    reasonable policies and procedures to ensure the
    security and confidentiality of customer
  • Written security program
  • Assign employee to oversee
  • Include service providers

Legal Liability Federal Laws
  • Fair Credit Reporting Act (FCRA)
  • Regulates the use of consumer reports for
    consumer reporting agencies, and users and
    furnishers of such reports.

Legal Liability Federal Laws
  • Amended in 2003 by the Fair and Accurate
  • Credit Transaction Act (FACTA) Effective
  • Date?
  • Purpose to prevent identity theft, improve
    resolution of consumer disputes, improve accuracy
    of consumer records, make improvements in the use
    of and consumer access to credit information.
  • Fraud alerts
  • Truncation of credit cards and debit card account
  • Rights of identity theft victims
  • Free Consumer Reports
  • Special notice and opt-out rules for affiliate
    sharing of information in a consumer report with
    respect to marketing solicitations

Legal Liability Federal Laws
  • FTC adopt rules implementing several provisions
    in FACTA (more to follow. . .)
  • Prescreen Opt-Out Disclosure August 1, 2005.
  • Summaries of Rights and Notices of Duties for
    Identity Theft Victims January 31, 2005.
  • Disposal of Consumer Report Information and
  • Records June 1, 2005.
  • Related Identity Theft Definitions, Duration of
    Active Duty Alerts and Appropriate Proof of
    Identity under FCRA December 1, 2004.
  • Free Annual File Disclosures December 1, 2004.
  • Prohibition Against Circumventing Treatment as a
    Nationwide Consumer Reporting Agency June 12,

Legal Liability Federal Laws
  • Health Insurance Portability and Accountability
  • Act (HIPAA)
  • Privacy Rule
  • No covered entity (i.e., health care provider,
    health plans, or health care clearing houses) or
    business associate of a covered entity may
    access, use or disclose health information
    without first obtaining from the consumer
    informed and written permission.
  • Security Rule
  • Security Obligations
  • Business Associate Agreement/Security Rule

Legal Liability Federal Laws
  • Customer Proprietary Network Information
  • (CPNI)
  • Except as required by law or with approval of the
    customer, a telecommunication carrier that
    obtains customer proprietary network information
    (CPNI) by virtue of its provision of
    telecommunications service will only use,
    disclose or permit access to CPNI in its
    provision of telecommunications service or for
    services necessary to or used in the provision of
  • Location Based Information
  • Except as required by law . . .

Legal Liability Federal Laws
  • Childrens Online Privacy Protection Act (COPPA)
  • Commercial websites must provide notice and
    obtain parents consent prior to collecting
    personal information from children under the age
    of 13.

Legal Liability Federal Laws
  • Controlling the Assault of Non-Solicited
  • Pornography and Marketing Act (CAN SPAM
  • ACT)
  • Covers email whose primary purpose is advertising
    or promoting a commercial product or service.
  • Transactional or relationship message emails that
    facilitates an agreed upon transaction or updates
    a customer in an existing business relationship
    is exempt (except for one).
  • The Act
  • Bans false or misleading header information
  • Prohibits deceptive subject lines
  • Provide an opt-out method
  • Identify as an address and include senders valid
    physical postal address

Legal Liability Federal Laws
  • Communications Assistance for Law Enforcement Act
  • Requires telecommunications carriers to assist
    law enforcement in executing electronic
    surveillance pursuant to a court order or other
    lawful authorization and requires carriers to
    design or modify their systems to ensure that
    lawfully-authorized electronic surveillance can
    be performed.

Legal Liability Federal Laws
  • FTC Guidelines for Privacy Policies
  • The FTC recognizes information practice
    principles for protecting customer information
    and enforces these principles through a federal
    statute prohibiting unfair and deceptive trade
  • Publish information practices 1) notice, 2)
    choice, 3) access, 4) security and 5) enforcement

Legal Liability Federal Laws
  • Federal Trade Commission Act (FTC Act)
  • The FTC Act prohibits unfair and deceptive acts
    or practices in or affecting commerce.
  • To establish an unfair or deceptive act or
    practice, the FTC must show that (1) a
    representation, omission or practice was made to
    customers, (2) the representation, omission or
    practice is likely to mislead customers acting
    reasonably under the circumstances to their
    detriment, and (3) the representation, omission
    or practice is material or important to

Legal Liability Federal Laws
  • National Do-Not-Call Registry
  • Establishes a national do-not-call registry for
    residential customers who wish to avoid
    telemarketing calls.
  • Covered calls include any plan, program or
    campaign to sell goods or services through
    interstate phone calls, but do not cover calls
    from political organizations, charities,
    telephone surveyors or companies with which
    consumer has an existing business relationship
    (18 months after last purchase).

Legal Liability Federal Laws
  • Uniting and Strengthening America by Providing
    Appropriate Tools Required to Intercept and
    Obstruct Terrorism Act of 2001 (USA Patriot Act)
  • Title 6 Disclosures of Records and Information
  • Makes all federal government agency records
    available to the public unless these records are
    protected by a FOIA exemption.

Legal Liability Federal Laws
  • Department of Homeland Security
  • Protect the confidentiality of Critical
    Infrastructure Information (CII) voluntarily
    submitted to DHS.
  • CII means information not customarily in the
    public domain and (ii) related to the security of
    vital US systems or assets of which the
    incapacity or destruction of systems or assets
    would impact national security, public health or
  • Information submission requirements.

Legal Liability Federal Laws
  • Federal Energy Regulatory Commission (FERC)
  • Protect the confidentiality of critical energy
    infrastructure information (CEII).
  • CEII means existing and proposed systems and
    assets the incapacity or destruction of which
    would negatively affect security, economic
    security, public health or safety.

Legal Liability State Laws
  • Old Regime Only Case Law
  • Case law recognizes a cause of action for public
    disclosure of private facts.
  • Prove three prongs (1) facts were publicly
    disclosed, (2) the facts disclosed were private
    facts, (3) the disclosure would offend a
    reasonable person of ordinary sensibilities.
  • New regime Statutory Framework.
  • Information Security Breach Laws
  • Immediate notice when customer information may
    have been breached.

Legal Liability State Laws
  • Identity Theft Statutes
  • Requires that companies not discard customer
    information prior to ensuring that unauthorized
    persons may not access such information.
  • Directly addresses companies responsibilities
    with regards to record disposal procedures.
  • Imply obligation to protect because companies
    must protect information from unauthorized access
    prior to information destruction.

Legal Liability State Laws
  • Deceptive Trade Practices Act
  • Companies may not engage in conduct that creates
    a likelihood of confusion or misunderstanding of
    services (e.g., do not follow publish privacy
  • Open Records Act
  • All state, county and municipal records are open
    for personal inspection of any citizen of Georgia
    at a reasonable time and place.

Customer Privacy/Public Perception
  • Public perception is important.
  • What is everyone else doing? Do not want to
    employ lower standards than your industry.
  • Dont forget about third party service providers.

How Do We Protect Against These Risks?
  • Confidentiality Agreements / Provisions
  • Definition of Confidential Information
  • Require Third Parties
  • to only use your data to perform their
    obligations to you.
  • to only disclose data on a need to know basis.
  • to protect information from unauthorized
  • Address FOIA and open records act.

How Do We Protect Against These Risks?
  • Company Wide Security Policies
  • Provide formal use and disclosure data practices
    to prevent unauthorized and unnecessary
  • Proprietary and Confidential Notices
  • Limit Disclosures
  • Electronic copy vs. hard copy
  • Limit electronic access to computer systems
  • Proper destruction of information

How Do We Protect Against These Risks?
  • Customer Agreements
  • Data Privacy Provisions
  • In accordance with applicable law, we may use or
    disclose to our affiliates or other business
    associates information we collect about you to
    provide services to you, protect you, investigate
    illegal activity, comply with government requests
    or for other legally permissible purposes.
  • Privacy Policy FTC Guidelines

  • Questions?

When Are Companies Liable for Identity Theft?
Data Collection and Legislative Trends
  • John Hutchins
  • Partner
  • Troutman Sanders LLP
  • 404.885.3460

California SB 1386California Information
Practice Act or Security Breach Information Act
  • First in the nation
  • Effective July 1, 2003
  • Law uses fear and shame to make companies think
    more seriously about information security
  • ChoicePoint reported in accordance with this law
  • Opened floodgates
  • Media
  • other businesses experiencing data breaches
  • Copycat legislation, lawsuits, new legal
    theories, technical reactions (encryption)

Fundamental Shift
  • Im mad as hell, and Im not going to take this
  • Howard Beale Network (1976)

  • Copycat Legislation introduced in at least 35
  • Legislation enacted in at least 15 states in
    2005 Arkansas, Connecticut, Florida,
    Georgia, Illinois, Indiana, Maine, Minnesota,
    Montana, Nevada, New York, North Dakota,
    Tennessee, Texas and Washington
  • At least nine federal bills pending

Federal Legislation
  • Feinstein Bill
  • Modeled after California legislation
  • Specter/Leahy Legislation
  • Personal Data Privacy Security Act
  • most likely federal bill?
  • pre-emption
  • SS control
  • Other bills exploring multiple approaches
  • tax incentives for security
  • fraud alerts/credit freezes
  • Focus on identity theft?

California SB 1386 Whom Does It Affect?
  • Applies to state government agencies, for-profit
    and non-profit organizations
  • Applies to all data collectors who maintain
    computerized personal information on

What Does It Require?
  • Requires that any business that owns or licenses
    computerized data that includes personal
    information to give notice of any breach of the
    security of the data following discovery of such
    breach to any resident of the state whose
    unencrypted personal information was or is
    reasonably believed to have been acquired by an
    unauthorized person

Personal Information
  • Personal Information a person's name in
    combination with
  • social security number
  • driver's license or state issued i.d. number
  • account number or credit card number, in
    combination with security code

NOT Personal Information
  • Personal Information specifically does not
    include information lawfully made available to
    the general public from federal, state or local
    government records.

Breach of the Security of the System
  • Breach of the Security of the System -
    unauthorized acquisition of an individual's
    computerized data that compromises the security,
    confidentiality, or integrity of personal
    information of such individual.
  • Does not include good faith acquisition, as
    long as no bad faith use or subject to further
    unauthorized disclosure.
  • NOTE Not necessarily limited to a breach of a
    computer system, despite the word "system" in the

  • Notice means
  • Written notice (addressed to whom?)
  • Electronic notice, if provided consistent with
    provisions federal Electronic Signatures Act
    (basically, consumer consents)

Substitute Notice
  • Substitute notice - if information broker
    demonstrates (?) that
  • cost notice gt 250K
  • of persons gt 500K
  • insufficient contact information to provide
    written or electronic notice

Substitute Notice
  • E-mail notice (when the person or business has an
    email address)
  • Conspicuous posting on website
  • Notification to major, state-wide media.

Do-It-Yourself Notice
  • If
  • Person or business that has its own notification
    procedures, as part of an information security
    policy for the treatment of personal information
  • Policy is consistent with timing requirements of
    SB 1386
  • Then
  • Compliance with policy compliance with statute

Time Requirements
  • Most expedient time possible and without
    unreasonable delay
  • Potentially long delay for
  • legitimate needs of law enforcement
  • any measures necessary to determine scope of
    breach and restore the data systems reasonable

  • Civil suit for damages
  • Injunction

Other Approaches
  • Georgia Code 10-1-911 912

Georgia Code 10-1-911 912
  • Requires that any information broker who
    maintains computerized data that includes
    personal information to give notice of any breach
    of the security of the system following discovery
    of such breach to any resident of the state whose
    unencrypted personal information was or is
    reasonably believed to have been acquired by an
    unauthorized person
  • If more than 10,000 Georgia residents must be
    notified at one time, the information broker must
    also notify all consumer reporting agencies

Information Broker
  • Information broker - business, in whole or in
    part, is collecting, assembling, evaluating,
    compiling, reporting, transmitting, transferring,
    or communicating information concerning
    individuals for the primary purpose of furnishing
    personal information to nonaffiliated third
    parties, for a fee.

Breach of the Security of the System (I wasnt
kidding about copycats!)
  • Breach of the Security of the System -
    unauthorized acquisition of an individual's
    computerized data that compromises the security,
    confidentiality, or integrity of personal
    information of such individual.
  • Does not include good faith acquisition, as
    long as no bad faith use or subject to further
    unauthorized disclosure.
  • NOTE Not necessarily limited to a breach of a
    computer system, despite the word "system" in the

Personal Information
  • Personal Information a person's name in
    combination with
  • social security number
  • driver's license number
  • account number or credit card number (if it can
    be used without codes) ?
  • account passwords or PINs ?
  • catchall - any information listed, but not
    connected with name, which it would be sufficient
    for identity theft.

  • Does not specifically give rise to civil action
  • (Neither does SB 1386)

Additional Approaches
  • North Dakota expands the definition of personal
    information to include mother's maiden name
    and date of birth
  • Montana and Arkansas require harm or a likelihood
    of harm to individuals before the notification is
  • Several states require notification to nationwide
    consumer reporting agencies if the number of
    residents to be notified exceeds a set number
    (ranging from 500 to 10,000). 
  • Many states allow the Attorney General to
    prosecute violations. 
  • Some states go further and require companies to
    maintain adequate data protection, including
    destruction procedures.
  • Copycat to federal bills 

Where Are We Headed?
  • State Legislatures declare as follows
  • The privacy and financial security of
    individuals is increasingly at risk due to the
    ever more widespread collection of personal
    information by both the private and public
  • Credit card transactions, magazine
    subscriptions, real estate records, automobile
    registrations, consumer surveys, warranty
    registrations, credit reports, and Internet
    websites are all sources of personal information
    and form the source material for identity thieves

More Declarations
  • Identity theft is one of the fastest growing
    crimes committed in this state California
  • California legislature used three-year old data
    that shows 108 increase
  • Georgia cites no statistics
  • Victims of identity theft must act quickly to
    minimize the damage therefore, expeditious
    notification of unauthorized acquisition and
    possible misuse of a persons personal
    information is imperative
  • Implementation of technology security plans and
    security software as part of an information
    security policy may provide protection to
    consumers and the general public from identity
  • Information brokers should clearly define the
    standards for authorized users of its data so
    that a breach by an unauthorized user is easily

Federal Legislation
  • Feinstein Bill essentially mirrors SB 1386
  • no substitute notice by e-mail
  • media notice required to be in market where
    person believed to reside, and must include
    toll-free number
  • requires that data collector make burden of proof
    that all notifications were made
  • including evidence of necessity of any delay
  • requires written request of law enforcement delay
  • FTC fines of 1000 per person, up to 50,000 per
  • Enforcement by States Attorneys General,
    including damages
  • Preemption of inconsistent state laws

Personal Data Privacy Security Act
  • Likely passage?
  • Specter/Leahy
  • Chair of Judiciary Committee
  • Ranking Republican on Committee
  • Much broader than just a notice statute
  • Broader preemption

Personal Data Privacy Security Act
  • Increased criminal penalties for actual criminals
  • But, makes it a crime to conceal a security
    breach of personal data !!!!
  • Gives individuals access to and the right to
    correct personal data held by data brokers
    requires accuracy
  • Requires entities maintaining personal data to
    establish internal policies and vet third-parties
    they hire
  • Notice provisions
  • Limits the buying and selling of social security
    numbers without consent

Data Broker
  • Business entity which, for monetary fees, dues or
    on a cooperative non-profit basis, regularly
    engages, in whole or in part, in the practice of
    collecting, transmitting, or otherwise providing
    personally identifiable information on a
    nationwide basis on more than 5,000 individuals
    who are not customers or employees
  • Would include things like alumni associations,

Data Privacy and Security Programs
  • Applies to every business with electronic data on
    more than 10,000 people
  • partially exempts entities that must comply GLB
  • partially exempts entities that must comply with
    data security requirements of HIPAA
  • but parts of business not currently regulated
    would become regulated
  • like Kaiser Permanente, health information
    currently regulated by HIPAA
  • but credit card information currently unregulated

Personal Data Privacy Security Act
  • Requires covered entities to
  • regularly assess, manage and control risks to
    data privacy and security
  • publish information security policy
  • provide employee training
  • conduct system tests
  • ensure compliance by vendors
  • One year to comply

Personal Data Privacy Security Act
  • Violations
  • civil penalties of 5,000 per day, up to
    35,000 per day
  • double penalties for willful violation

Personal Data Privacy Security Act
  • Notice procedures
  • expands definition of personally identifiable
    information to include
  • the ridiculous?
  • as defined by section 1028(d)(7) of title 18,
    United States Code
  • name, social security number, date of birth,
    official State or government issued drivers
    license or identification number, alien
    registration number, government passport number,
    employer or taxpayer identification number,
    unique biometric data, such as fingerprint, voice
    print, retina or iris image, or other unique
    physical representation
  • Applies to all data collectors
  • Must give notice to U.S. Secret Service and state
    attorneys general if breach involves more than
  • Notice to CRAs if more than 1000 people impacted

Personal Data Privacy Security Act
  • Notice requirements are very explicit
  • content of notice is very robust
  • summary of rights
  • notice of state laws regarding security freezes
    on credit reports
  • Victim Assistance
  • Requires that business offer victims free monthly
    access to their credit report and credit
    monitoring services for a year
  • Exemptions
  • Risk assessment, conducted with law enforcement
    and the attorneys general of each state,
    determines de minimus
  • Fraud prevent exemption
  • Really aimed at credit card companies

Personal Data Privacy Security Act
  • Violations
  • civil penalties of 5,000 per day, up to
    55,000 per day
  • double penalties for willful violation
  • enforcement by States Attorneys General,
    including damages

Technical Reactions
  • May 2, 2005 - Time Warner reports lost personal
    data of employees during routine shipment of
    back-up tapes to storage
  • Names and Social Security numbers of up to
    600,000 employees, dependents and beneficiaries
  • May 6, 2005 - Time Warner announces that it will
    "quickly" begin encrypting all data saved to
    backup tapes
  • This makes data which was formerly accessible
    into inaccessible And thats the point!
  • Action taken to protect employee privacy may
    adversely impact companys position in discovery
    dispute over cost-shifting

Document RetentionCrossroads with Emerging
Privacy Issues
  • Cost Shifting in Discovery
  • General presumption that responding party assumes
    its own cost of production
  • Changing rules, especially regarding production
    of electronic data
  • Where is it stored?
  • How easy is it to get?
  • How much will it cost to get it?
  • Zubulake v. UBS Warburg

Whose Going To Pay?Document Retention and
  • Costs In Litigation

General Presumption Producer Pays
  • General rule, except in extreme circumstances
  • Compaq Computer Corp. v. Packard Bell
    Electronics, Inc., (N.D. Calif. 1995) (more than
    1,000 man-hours to retrieve)
  • United States v. Columbia Broadcasting Sys.,
    Inc., (9th Cir. 1982)(required staff of lawyers,
    paralegals, accountants, and clerks to review the
    thousands of boxes, 18 months to complete, at a
    cost of 2.3 million)
  • Williams v. City of Dallas, (N.D. Tex. 1998)
    (review of 30 boxes of documents, including 210
    files, 52 audio and video tapes, 23 trial
    research notebooks, hundreds of newspaper

Data Storage Matters
  • Proposed amendments to federal rules of civil
  • Judge Scheindlin on Advisory Panel thought
  • But explicit cost-shifting rules not adopted
  • So, case law still developing in court system
  • Federal legislation like the Specter/Leahy Bill
    pending at the same time

What Can Be Done?
  • Draft and Implement Information Security Policy
  • Consider FTC guidelines
  • Policy should contain administrative, technical
    and physical safeguards that are appropriate for
  • size and complexity organization
  • nature and scope of company activities
  • sensitivity of company customer information

Information Security Policy
  • Policy objectives should include
  • insuring the security and confidentiality of
    customer information
  • protecting against any anticipated threats or
    hazards to the security or integrity of such
  • protecting against unauthorized access to or use
    of such information that could result in
    substantial harm or inconvenience to any customer

Information Security Policy
  • Designate person with system-wide responsibility
    to administer and coordinate the policy
  • Continually identify internal and external
    security risks that could result in the
    unauthorized disclosure, misuse, alternation,
    destruction or other compromise of information

Information Security Policy
  • Continually assess sufficiency of safeguards put
    in place to control identified risks
  • Employee training and management
  • Information systems
  • processing
  • storage
  • disposal

Assessment, cont.
  • Detection, prevention and response to all forms
    of attacks, intrusions, or other failures of
    security (technological and human)
  • Regular audits of the effectiveness of safeguards
  • Relationships with third parties and their
    adherence to safe safeguards

  • Questions?

HIPPA A Brief Introduction
  • Steve Gravely
  • Partner
  • Troutman Sanders LLP
  • 804.697.1308

What is HIPAA?
  • Health Insurance Portability and
    Accountability Act
  • Enacted in 1996
  • Also known as the Kennedy-Kassebaum Bill
  • Insurance portability and health care information
    privacy and security

HIPAA is all about
  • Standards
  • Standards for automating the business of
    transmitting electronic claims information
  • Standards for protecting the privacy of health
  • Standards for ensuring the security of health

Core Components
  • 5 Core Components
  • Transactions and Code Sets
  • Published August 17, 2000
  • Effective October 16, 2002
  • Privacy Standards
  • Published December 29, 2000
  • Effective April 14, 2003
  • Security Standards
  • Proposed rules published August 12, 1998
  • Effective April 21, 2005
  • National Provider Identifiers
  • On hold
  • National Employer Identifiers
  • On hold

A Covered Entity
  • Health Plan
  • Individual or group plan than provides, or pays
    the cost of, medical care
  • A health insurance issuer or health maintenance
  • A group health plan that has 50 or more
    participants or is administered by an entity
    other than the employer who established and
    maintains the plan
  • An employee welfare benefit plan which is
    established or maintained for the purpose of
    offering or providing health benefits to the
    employees of 2 or more employers
  • Healthcare Clearinghouse
  • Converts non-standard data into standard
    transactions or vice versa
  • Healthcare Provider
  • Performs at least 1 standard transaction

Protected Health Information
  • Individually identifiable health information
  • Includes virtually all written or oral
    communications related to
  • Past, present or future physical or mental health
    condition of a patient
  • Includes health care services provided and
    information related to payment for services
  • PHI is Everywhere!
  • Doesnt matter what form or format
  • Doesnt matter if you created or received
  • Uses and Disclosures of PHI are regulated

Examples of Areas Housing PHI
  • Accounting
  • Administration
  • Admitting/Referral Authorization
  • Billing/Business Office
  • Clinical Functions
  • Compliance
  • Contracts
  • Customer Service/Front Office/Reception
  • Human Resources
  • Information Systems
  • Legal
  • Marketing
  • Medical Records
  • Medical Staff/Physician Functions
  • Radiology, Laboratory or Ancillary Services
  • Risk Management

Business Associates
  • Entity acting on behalf of covered entity which
    needs to use or disclose PHI
  • Requires a contract governing relationship to
    make sure privacy is protected
  • Examples
  • Accountants
  • Attorneys
  • Billing/Coding Consultants
  • Transcription Services

  • Questions?

Privacy Issues Arising Under the Bankruptcy Abuse
Prevention andConsumer Protection Act of 2005
  • Rich Hagerty
  • Partner
  • Troutman Sanders LLP
  • 703.734.4326

General Information ConcerningBAPCPA
  • The Bankruptcy Abuse Prevention and Consumer
    Protection Act of 2005 (BAPCPA) was signed by
    President George W. Bush on April 20, 2005.
  • First major revision of U.S. Bankruptcy laws
    since 1978.
  • Generally effective as to bankruptcy cases filed
    on or after October 17, 2005.

Two Major Privacy-Related Changes
  • New restrictions on transfer of personally
    identifiable information (PII)
  • New restrictions on access to and destruction of
    confidential patient records in bankruptcies by
    health care businesses

Personally Identifiable Information
  • New Code Section 101(41A) defines PII to
    generally include all personal information about
    individual consumers held by a debtor
  • Encompasses any . . . information concerning an
    identified individual that, if disclosed, will
    result in contacting or identifying such
    individual physically or electronically.
  • Includes names, addresses, e-mail addresses,
    phone numbers, social security numbers, etc.

Restrictions on Transfer ofPersonally
Identifiable Information
  • Amended Section 363(b)(1) restricts the sale of
    PII in possession of debtor if the debtor had a
    policy prohibiting or restricting the transfer of
    PII which was disclosed to consumers and in
    effect on the petition date
  • Note no restriction on sale or transfer of PII
    if debtor had no policy in effect on petition date

Restrictions on Transfer ofPersonally
Identifiable Information
  • PII may only be transferred if
  • Sale or transfer consistent with the debtors
    existing policy, or
  • A consumer privacy ombudsman is appointed and the
    court approves the sale or transfer after notice
    and a hearing

Consumer Privacy Ombudsman
  • New Section 332 regulates appointment of consumer
    privacy ombudsman (CPO)
  • Must be appointed at least 5 days before hearing
    on whether or not PII should be sold/transferred
  • Must be disinterested person other than U.S.
  • May be compensated from bankruptcy estate
    pursuant to amended Section 330(a)

Consumer Privacy Ombudsman
  • Interim Bankruptcy Rule 6004(g) requires motion
    for authority to sell or lease PII to include
    request for order directing appointment of CPO
  • Interim Bankruptcy Rule 2002(c)(1) requires
    notice of motion for authority to sell or lease
    PII to state whether proposed sale or lease is
    consistent with a policy prohibiting transfer

Privacy Issues Related toHealth Care Businesses
  • Health care business defined by new Code
    Section 101(27A) as any public or private entity
    involved in virtually any way in providing health
    care to the general public
  • Includes hospitals, nursing homes, ambulatory,
    emergency and urgent care facilities, hospices,
    and home health agencies

Restrictions on Destruction ofConfidential
Patient Records
  • New Code Section 351 requires trustee or
    debtor-in-possession to destroy confidential
    patient records of a debtor that is a health care
    business if it becomes too expensive to maintain
    the records
  • These rules apply in any case under Chapter 7, 9
    or 11 of the Bankruptcy Code

Prerequisites to Destruction ofConfidential
Patient Records
  • Trustee must publish notice in 1 or more
    appropriate newspapers of intent to destroy
    records 365 days after first publication of
  • Trustee must also attempt to notify patients and
    their health insurers directly within first 180
    days of the 365 day period after publication of

Prerequisites to Destruction ofConfidential
Patient Records
  • Interim Bankruptcy Rule 6011 requires court
    approval of notice of intended destruction of
    records, specifies required content of notice
  • Rule 6011 also requires certification of
    destruction of records and method of destruction
    within 30 days after records have been destroyed

Other Provisions AffectingConfidential Patient
  • New Code Section 333 requires court to appoint a
    patient care ombudsman within 30 days of filing
    any bankruptcy case by or against a health care
  • Among other duties, patient care ombudsman
    required to maintain confidentiality of patient
    records, and is prohibited from reviewing them
    without prior court approval, except as
    consistent with Older Americans Act of 1965 or
    state laws governing State Long-Term Care
    Ombudsman program

  • Questions?

Restrictions on Disclosure of Confidential
Financial Recordsin Maryland
  • Rich Hagerty
  • Partner
  • Troutman Sanders LLP
  • 703.734.4326

General Rules
  • Sections 1-301 through 1-306 of the Financial
    Institutions Article, Annotated Code of Maryland,
    restrict disclosure of financial records by
    fiduciary institutions

  • Financial records means virtually any
    information related to a deposit or share
    account, a loan account or an application for a
  • Includes ATM and other electronic transactions

  • Fiduciary institution means
  • National and state banks, including out-of-state
    banks with a branch in Maryland
  • National and state credit unions
  • National and state savings and loan associations
  • Any other entity organized under Maryland
    banking laws and supervised by Commissioner of
    Financial Regulation

  • Fiduciary institution does not include
  • Lenders licensed under Maryland Consumer Loan Law
    or Consumer Installment Loan Law
  • Sales Finance Companies licensed in Maryland
  • Mortgage lenders and brokers licensed in Maryland

General Prohibition onDisclosure of Financial
  • Disclosures of financial records generally
    prohibited absent
  • Consent of customer
  • Authorized requests by court-appointed counsel,
    guardians, personal representatives, or certain
    specified state agencies
  • Practice tip insist upon written consent

Permitted Disclosures ofFinancial Records
  • Section 1-303 permits disclosure in 13 cases,
  • To internal/external auditors of fiduciary
  • In reports required by Federal or state law
  • In connection with the negotiation of checks and
    other commercial paper
  • In connection with paying off or refinancing

Permitted Disclosures ofFinancial Records
  • Disclosure permitted in response to a subpoena
    issued by lawful authority if
  • Subpoena contains certification that copy has
    been served on person whose records are sought,
  • Subpoena contains certification that service has
    been waived by court for good cause

Allowable Disclosures
  • Financial records may be disclosed to an adult
    protective services program if fiduciary
    institution believes that customer is subject to
    financial exploitation
  • Financial exploitation means misuse of
    customers funds or property

Penalties for Violation
  • Knowing and willful disclosure is a misdemeanor,
    subject to fine of not more than 1,000
  • Potential civil liability at common law for
    breach of contract, as well as possible private
    cause of action under statute
  • Taylor v. NationsBank, N.A., 365 Md. 166,776
    A.2d 645 (2001)

  • Questions?

The Basics on FACTA
  • Mary Zinsner
  • Partner
  • Troutman Sanders LLP
  • 703.734.4363

What is FACTA?
  • The Fair and Accurate Transactions Act of 2003
    (FACTA or the FACT Act)
  • Amends certain provisions of the federal Fair
    Credit Reporting Act, 15 U.S.C. 1681 et. seq.
  • Expansive act with ramifications in financial,
    medical, and other business industries

The Broad Reach of FACTA
  • Under FACTA, certain federal agencies were
    required to create regulations designed to
    minimize the risk of identity theft and consumer

The Disposal Rule
  • Issued by The Federal Trade Commission in
    November 2004
  • Effective June 1, 2005
  • Purpose of rule is to minimize the risk of
    identity theft and consumer fraud by enforcing
    the proper destruction of consumer information

Who is Affected?
  • The Disposal rule applies to businesses that
    utilize consumer information
  • Affects every person and business in the United

The Rule
  • The FACTA Disposal Rule, effective June 1, 2005,
    states that any person who maintains or
    otherwise possesses consumer information for a
    business purpose is required to dispose of
    discarded consumer information, whether in
    electronic or paper form.
  • The Disposal Rule further clarifies the
    definition of compliance as taking reasonable
    measures to protect against unauthorized access
    to or use of the information in connection with
    its disposal.

What is Consumer Information?
  • The Disposal Rule applies to consumer reports or
    information derived from consumer reports.
  • The Fair Credit Reporting Act defines the term
    consumer report to include information obtained
    from a consumer reporting company that is used
    or expected to be used in establishing a
    consumers eligibility for credit, employment, or
    insurance, among other purposes.
  • Examples of consumer reports include credit
    reports, credit scores, reports which businesses
    or individuals receive with information relating
    to employment background, check-writing history,
    insurance claims, residential or tenant history,
    or medical history.

What are Reasonable Measures?
  • Burning, pulverizing, or shredding of physical
  • Erasure or destruction of all electronic media
  • Entering into a contract with a third party
    engaged in the business of information destruction

Who is Affected by FACTA?
  • Virtually every company operating in the United
    States is
  • required, as of June 1, 2005, to securely destroy
  • documents and material that contain sensitive
  • information. Specifically, this applies to
  • Businesses that use consumer information in their
    everyday operations, such as banks, lenders,
    insurers, auto dealers, realtors, employers
  • Service providers that store consumer reports and
    information, such as record management and
    information management companies
  • Service providers that destroy information, such
    as shredders, recyclers, waste management or
    technology disposal companies

The Cost of Non-Compliance
  • Federal, state and civil penalties. Under the
    Federal Credit Reporting Act (FCRA), both
    criminal and
  • civil charges can be filed with federal penalties
    up to 2,500 and civil penalties up to 1,000 per
  • violation. These fines are based on the
    occurrence, so a large processing center that
    does not
  • properly dispose of consumer records can face
    thousands of violations for a given day which
  • result in multi-million dollar fines.
  • Litigation. Courts can award punitive damages
    for individual or class action lawsuits.
  • Damage to corporate reputation. For most
    companies this is the biggest risk. If your
    company is
  • charged with violations of the FACTA Disposal
    Rule, you are likely to face the same fate as
  • companies accused of not adequately protecting
    consumer information
  • An attack of your companys reputation by privacy
  • Loss of investor confidence and shareholder value
  • Loss of revenue and market share
  • Irreparable damage to your companys brand
  • The damage to a corporations reputation is
    likely to be more expensive than the fines
  • Often times the court of public opinion is more
    critical and more costly than the sanctions.

Steps to Compliance
  • Create or modify existing policies regarding the
    disposal of consumer information
  • Identify any new procedures, training and
    involvement of necessary personnel
  • Select, after investigation, an appropriate
    information management partner if needed
  • Establish service agreements with this partner
    that specify frequent monitoring of procedures to
    ensure on-going compliance
  • Educate and train employees
  • Audit the process to identify weak links or
    performance gaps

  • Questions?

Legal and Ethics Compliance Program - Due
Diligence Activities
  • Dan Seikaly
  • Partner
  • Troutman Sanders LLP
  • 202.274.2895

Legal and Ethics Compliance Program - Due
Diligence Activities
  • Background checks on managerial employees
  • Background checks on prospective contractors,
    agents and partners
  • with responsibilities in sensitive areas
  • Fair Credit Reporting Act implications

2004 Federal Sentencing Guidelines
  • 8B2.1 Effective Compliance and Ethics Program
  • (b) (3) The organization shall use reasonable
    efforts not to include with the substantial
    authority personnel of the organization any
    individual whom the organization know, or should
    have known through the exercise of due diligence,
    has engaged in illegal activities or other
    conduct inconsistent with an effective compliance
    and ethics program.

Fighting Global Corruption Business Risk
Management 2001-2003
  • Undertake due diligence. Conducting prompt and
    thorough due diligence reviews is vital for
    ensuring that a compliance program is efficient
    and effective
  • Self-monitoring, monitoring of suppliers, and
    reports to the Board of Directors
  • Moreover, from vetting new hires, agents, or
    business partners to assessing risks in
    international business dealings (e.g., mergers,
    acquisitions, or joint ventures), due diligence
    reviews can uncover questionable conduct and
    limit liability.

Foreign Corrupt Practices Act Antibribery
ProvisionsDOJ DOC Brochure
  • U.S. firms should be aware of so-called red
    flags, i.e., unusual payment patterns or
    financial arrangements, a history of corruption
    in the country apparent lack of qualifications .
    . .to perform the services offered.

  • Questions?

When are Companies Liable for Identity Theft?
New Litigation and Legal Theories
  • John Anderson
  • Partner
  • Troutman Sanders LLP
  • 703.734.4356

Lawsuits and Legal Theories
  • Increased publicity concerning the large scale
    disclosure of personal data has drawn the
    attention of consumer class action attorneys
  • Resulted in several lawsuits being filed and the
    testing of various legal theories for liability
    and damages

Lawsuits and Legal Theories
  • Bell v. Michigan Council 25, 2005 Mich. App.
    Lexis 353 (Mich. Ct. App. 2005)
  • Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003)
  • Kuhn v. Capital One Financial, 2004 Mass. Super.
    Lexis 514 (Mass. Super. Ct. 2004)
  • Harrington v. ChoicePoint, 205cv01294 (C.D. Cal.)

Lawsuits and Legal Theories
  • Bell v. Michigan Council 25
  • Affirmed 275,000 verdict in favor of 13 union
    members whose SSNs, drivers license numbers and
    other personal information were stolen by the
    daughter of the unions treasurer
  • Relationship of union/union member was found
    sufficient to support a duty
  • Opinion states similar to the relationship
    between a bank and its account holders or any
    financial institution and its clients
  • Criminal act by a third party did not absolve the
    defendant from liability the harm of someone
    misusing the plaintiffs personal information was
  • Allowed recovery for numerous hours spent trying
    to correct the problems created by identity theft
    and the aggravation, anguish and humiliation from
    trying to purchase items on credit

Lawsuits and Legal Theories
  • Huggins v. Citibank
  • Does South Carolina recognize a cause of action
    for negligent enablement of imposter fraud?
  • Victim of identity theft sued several banks
    claiming they were negligent in allowing an
    imposter to obtain credit cards in his name
  • Straightforward analysis of negligence claim
    must have a legal duty of care to support a claim
    for negligence
  • The relationship, if any, between a credit card
    issuer and a potential victim of identity theft
    is too attenuated to rise to the level of a legal
  • Plaintiff was not a customer of any of the

Lawsuits and Legal Theories
  • Kuhn v. Capital One Financial
  • Hacker obtained plaintiffs personal information
    through a merchants server and within days 18
    accounts had been opened in plaintiffs name and
    25,000 had been charged to those accounts
  • Plaintiff sued
Write a Comment
User Comments (0)