Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues

About This Presentation

Title:

Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues

Description:

A Primer on Key Emerging Privacy Issues Wednesday, October 12, 2005 Washington, DC Seminar Overview John P. Hutchins Partner Troutman Sanders LLP 404.885.3460 john ... – PowerPoint PPT presentation

Number of Views:175

Avg rating:3.0/5.0

Slides: 157

Provided by: troutmans3

Category:

more less

Transcript and Presenter's Notes

Title: Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues

1
Privacy Is It Any of Your Business?A Primer on
Key Emerging Privacy Issues

Wednesday, October 12, 2005
Washington, DC

2
Seminar Overview

John P. Hutchins
Partner
Troutman Sanders LLP
404.885.3460
john.hutchins_at_troutmansanders.com

3
Data Collection Everyones Doing It

Electronic Commerce Has Led to Explosion of Data
Between 2002-2005, the world will generate more
data than all the data generated on earth over
the last 40,000 years.
University of California at Berkeley Study, 2002

4
Read All About It!

February 2005 - ChoicePoint discloses that, in
October 2004, it sold information on 145,000
people to data thieves posing as legitimate
businesses
March 1 - Bank of America reports that it lost
computer data tapes containing social security
numbers and account information on up to 1.2
million federal employees, including some members
of the U.S. Senate
March 10 - LexisNexis reports that hackers
commandeered one of its databases, gaining access
to personal files of as many as 32,000 people

5
Read All About It!

Mid-March - Boston College reports that a
computer with files on 120,000 alumni was
breached
March 28 - Reports stolen laptop containing
personal information on nearly 100,000 University
of California at Berkeley alumni, students and
past applicants (some data was 30 years old)
April 12 - Tufts University sends letters to
106,000 alumni, warning of ''abnormal activity"
on a computer that contained names, addresses,
phone numbers, and some Social Security and
credit card numbers

6
Read All About It!

April 20 - DSW Shoe Warehouse reports that
thieves stole 1.4 million credit card numbers of
customers
May 2 - Time Warner reports that a shipment of
backup tapes with personal information of about
600,000 current and former employees was lost
during a routine shipment to offsite storage
June 1 - Washington Post reports that FBI is
investigating theft of Justice Department laptop
from Omega World Travel office in Fairfax, VA,
believed to contain personal data on 80,000
Justice Department employees

7
Read All About It!

June 6 - CitiFinancial states that it has begun
notifying 3.9 million customers that computer
tapes containing information about their accounts
had been lost
June 18 - MasterCard International reports that
the networks of its third- party processor,
CardSystems Solutions, were hacked and that data
on 40 million credit card accounts were
compromised
June 24 - IRS discloses that it is investigating
whether unauthorized people gained access to
sensitive taxpayer and bank account information.
Someone has estimated 50 million people!

8
California SB 1386

Effective July 1, 2003
ChoicePoint story breaks February 2005
(approximately 18 months)
Followed by report after report, disclosure after
disclosure
Whats going on here?

9
Fundamental Shift

Privacy breaches come in all shapes and sizes
Some are the result of old-fashioned con
Some are the result of a sophisticated computer
hack
Some are the result of simple larceny
Some are the result of basic human error (i.e.,
its just lost)
Some are the result of a third-partys
non-performance
But all are big news

10
The Shift is Broader Than Data Theft

CardSystems Should Not Have Kept Records
June 20, 2005, Atlanta Journal-Constitution
Bosses on the prowl for risqué pics June 17,
2005, News.com
119 students who failed courses get group
e-mail June 20, 2005, USA Today

11
What Is Privacy Law?

Gramm-Leach-Bliley
FCRA-FACTA
HIPAA
COPPA
USA Patriot Act
EU Data Protection Directive
Privacy in the workplace (i.e., background
screening, employing monitoring, video
surveillance)
Federal Sentencing Guidelines regarding executive
background checks
Customer Proprietary Network Information

CALEA
E-mail hazards (i.e., SPAM, Phishing, Spoofing)
Data aggregator liability and compliance
Identity theft and other cybercrimes
Department of Homeland Security/FERC regulations
regarding critical infrastructure information
ISP liability
Spyware
Document retention and destruction
Sarbanes-Oxley

12
Privacy Data Security Team

Multi-Disciplinary
Banking Finance
Bankruptcy
Compensation Benefits
Consumer Law
Governmental Law
Health Care
Homeland Security
Immigration
Intellectual Property
Labor Employment
Litigation
Securities
Technology

13
Rapidly Changing Legal Issues

Are you covered?
Including GLB, FCRA, CALEA, etc. (Melissa Yost)
Data Collection/Legislative Trends (John
Hutchins)
Compliance Issues FACTA Patriot Act/Wire Tap
HIPAA Bankruptcy (Mary Zinsner, Dan Seikaly,
Steve Gravely, Rich Hagerty)
New Litigation and Legal Theories (John Anderson)
Communicating the Privacy Challenge (Chuck
Palmer)

14
Overview of Key Privacy Laws Are You Covered?

Melissa Yost
Associate
Troutman Sanders LLP
404.885.3486
melissa.yost_at_troutmansanders.com

15
Are You Covered?

What Types of Information are Shared?
With Whom Do We Share Data?
What are the Risks?
How Do We Protect Against These Risks?

16
Are You Covered?

What Types of Data are Shared?
Consumer Information
Internal Company Information
Third Party Information
Information Key to National Security

17
Are You Covered?

With Whom do We Share Data?
Business Associates
Affiliates
Government Entities
Legally Required Disclosure
Political Reasons
Other Private Parties

18
Are You Covered?

What are the Risks?
Security
Undermine security of infrastructures and systems
Competitive Disadvantage
Allows competitors to obtain your nonpublic data
Legal Liability
Disclosures to Government Entities
Customer Privacy/Public Perception
Hurt customer relationships and market credibility

19
Legal Liability Federal Laws

Gramm Leach Bliley (GLB)
Prohibits financial institutions from disclosing
personally identifiable information of the
customer to non-affiliated third parties without
satisfying certain disclosure and consent
requirements.
Broad definition for financial institution
Security Safeguard Rule must implement
reasonable policies and procedures to ensure the
security and confidentiality of customer
information
Written security program
Assign employee to oversee
Include service providers

20
Legal Liability Federal Laws

Fair Credit Reporting Act (FCRA)
Regulates the use of consumer reports for
consumer reporting agencies, and users and
furnishers of such reports.

21
Legal Liability Federal Laws

Amended in 2003 by the Fair and Accurate
Credit Transaction Act (FACTA) Effective
Date?
Purpose to prevent identity theft, improve
resolution of consumer disputes, improve accuracy
of consumer records, make improvements in the use
of and consumer access to credit information.
Fraud alerts
Truncation of credit cards and debit card account
numbers
Rights of identity theft victims
Free Consumer Reports
Special notice and opt-out rules for affiliate
sharing of information in a consumer report with
respect to marketing solicitations

22
Legal Liability Federal Laws

FTC adopt rules implementing several provisions
in FACTA (more to follow. . .)
Prescreen Opt-Out Disclosure August 1, 2005.
Summaries of Rights and Notices of Duties for
Identity Theft Victims January 31, 2005.
Disposal of Consumer Report Information and
Records June 1, 2005.
Related Identity Theft Definitions, Duration of
Active Duty Alerts and Appropriate Proof of
Identity under FCRA December 1, 2004.
Free Annual File Disclosures December 1, 2004.
Prohibition Against Circumventing Treatment as a
Nationwide Consumer Reporting Agency June 12,
2004.

23
Legal Liability Federal Laws

Health Insurance Portability and Accountability
Act (HIPAA)
Privacy Rule
No covered entity (i.e., health care provider,
health plans, or health care clearing houses) or
business associate of a covered entity may
access, use or disclose health information
without first obtaining from the consumer
informed and written permission.
Security Rule
Security Obligations
Business Associate Agreement/Security Rule

24
Legal Liability Federal Laws

Customer Proprietary Network Information
(CPNI)
Except as required by law or with approval of the
customer, a telecommunication carrier that
obtains customer proprietary network information
(CPNI) by virtue of its provision of
telecommunications service will only use,
disclose or permit access to CPNI in its
provision of telecommunications service or for
services necessary to or used in the provision of
service.
Location Based Information
Except as required by law . . .

25
Legal Liability Federal Laws

Childrens Online Privacy Protection Act (COPPA)
Commercial websites must provide notice and
obtain parents consent prior to collecting
personal information from children under the age
of 13.

26
Legal Liability Federal Laws

Controlling the Assault of Non-Solicited
Pornography and Marketing Act (CAN SPAM
ACT)
Covers email whose primary purpose is advertising
or promoting a commercial product or service.
Transactional or relationship message emails that
facilitates an agreed upon transaction or updates
a customer in an existing business relationship
is exempt (except for one).
The Act
Bans false or misleading header information
Prohibits deceptive subject lines
Provide an opt-out method
Identify as an address and include senders valid
physical postal address

27
Legal Liability Federal Laws

Communications Assistance for Law Enforcement Act
(CALEA)
Requires telecommunications carriers to assist
law enforcement in executing electronic
surveillance pursuant to a court order or other
lawful authorization and requires carriers to
design or modify their systems to ensure that
lawfully-authorized electronic surveillance can
be performed.

28
Legal Liability Federal Laws

FTC Guidelines for Privacy Policies
The FTC recognizes information practice
principles for protecting customer information
and enforces these principles through a federal
statute prohibiting unfair and deceptive trade
practices.
Publish information practices 1) notice, 2)
choice, 3) access, 4) security and 5) enforcement

29
Legal Liability Federal Laws

Federal Trade Commission Act (FTC Act)
The FTC Act prohibits unfair and deceptive acts
or practices in or affecting commerce.
To establish an unfair or deceptive act or
practice, the FTC must show that (1) a
representation, omission or practice was made to
customers, (2) the representation, omission or
practice is likely to mislead customers acting
reasonably under the circumstances to their
detriment, and (3) the representation, omission
or practice is material or important to
customers.

30
Legal Liability Federal Laws

National Do-Not-Call Registry
Establishes a national do-not-call registry for
residential customers who wish to avoid
telemarketing calls.
Covered calls include any plan, program or
campaign to sell goods or services through
interstate phone calls, but do not cover calls
from political organizations, charities,
telephone surveyors or companies with which
consumer has an existing business relationship
(18 months after last purchase).

31
Legal Liability Federal Laws

Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA Patriot Act)
Title 6 Disclosures of Records and Information
Makes all federal government agency records
available to the public unless these records are
protected by a FOIA exemption.

32
Legal Liability Federal Laws

Department of Homeland Security
Protect the confidentiality of Critical
Infrastructure Information (CII) voluntarily
submitted to DHS.
CII means information not customarily in the
public domain and (ii) related to the security of
vital US systems or assets of which the
incapacity or destruction of systems or assets
would impact national security, public health or
safety.
Information submission requirements.

33
Legal Liability Federal Laws

Federal Energy Regulatory Commission (FERC)
Protect the confidentiality of critical energy
infrastructure information (CEII).
CEII means existing and proposed systems and
assets the incapacity or destruction of which
would negatively affect security, economic
security, public health or safety.

34
Legal Liability State Laws

Old Regime Only Case Law
Case law recognizes a cause of action for public
disclosure of private facts.
Prove three prongs (1) facts were publicly
disclosed, (2) the facts disclosed were private
facts, (3) the disclosure would offend a
reasonable person of ordinary sensibilities.
New regime Statutory Framework.
Information Security Breach Laws
Immediate notice when customer information may
have been breached.

35
Legal Liability State Laws

Identity Theft Statutes
Requires that companies not discard customer
information prior to ensuring that unauthorized
persons may not access such information.
Directly addresses companies responsibilities
with regards to record disposal procedures.
Imply obligation to protect because companies
must protect information from unauthorized access
prior to information destruction.

36
Legal Liability State Laws

Deceptive Trade Practices Act
Companies may not engage in conduct that creates
a likelihood of confusion or misunderstanding of
services (e.g., do not follow publish privacy
policies).
Open Records Act
All state, county and municipal records are open
for personal inspection of any citizen of Georgia
at a reasonable time and place.

37
Customer Privacy/Public Perception

Public perception is important.
What is everyone else doing? Do not want to
employ lower standards than your industry.
Dont forget about third party service providers.

38
How Do We Protect Against These Risks?

Confidentiality Agreements / Provisions
Definition of Confidential Information
Require Third Parties
to only use your data to perform their
obligations to you.
to only disclose data on a need to know basis.
to protect information from unauthorized
disclosure.
Address FOIA and open records act.

39
How Do We Protect Against These Risks?

Company Wide Security Policies
Provide formal use and disclosure data practices
to prevent unauthorized and unnecessary
disclosures
Proprietary and Confidential Notices
Limit Disclosures
Electronic copy vs. hard copy
Limit electronic access to computer systems
Proper destruction of information

40
How Do We Protect Against These Risks?

Customer Agreements
Data Privacy Provisions
In accordance with applicable law, we may use or
disclose to our affiliates or other business
associates information we collect about you to
provide services to you, protect you, investigate
illegal activity, comply with government requests
or for other legally permissible purposes.
Privacy Policy FTC Guidelines

Questions?

42
When Are Companies Liable for Identity Theft?
Data Collection and Legislative Trends

John Hutchins
Partner
Troutman Sanders LLP
404.885.3460
john.hutchins_at_troutmansanders.com

43
California SB 1386California Information
Practice Act or Security Breach Information Act

First in the nation
Effective July 1, 2003
Law uses fear and shame to make companies think
more seriously about information security
ChoicePoint reported in accordance with this law
Opened floodgates
Media
other businesses experiencing data breaches
Copycat legislation, lawsuits, new legal
theories, technical reactions (encryption)

44
Fundamental Shift

Im mad as hell, and Im not going to take this
anymore!
Howard Beale Network (1976)

45
Legislation

Copycat Legislation introduced in at least 35
states
Legislation enacted in at least 15 states in
2005 Arkansas, Connecticut, Florida,
Georgia, Illinois, Indiana, Maine, Minnesota,
Montana, Nevada, New York, North Dakota,
Tennessee, Texas and Washington
At least nine federal bills pending

46
Federal Legislation

Feinstein Bill
Modeled after California legislation
Specter/Leahy Legislation
Personal Data Privacy Security Act
most likely federal bill?
pre-emption
SS control
Other bills exploring multiple approaches
tax incentives for security
fraud alerts/credit freezes
Focus on identity theft?

47
California SB 1386 Whom Does It Affect?

Applies to state government agencies, for-profit
and non-profit organizations
Applies to all data collectors who maintain
computerized personal information on
Californians

48
What Does It Require?

Requires that any business that owns or licenses
computerized data that includes personal
information to give notice of any breach of the
security of the data following discovery of such
breach to any resident of the state whose
unencrypted personal information was or is
reasonably believed to have been acquired by an
unauthorized person

49
Personal Information

Personal Information a person's name in
combination with
social security number
driver's license or state issued i.d. number
account number or credit card number, in
combination with security code

50
NOT Personal Information

Personal Information specifically does not
include information lawfully made available to
the general public from federal, state or local
government records.

51
Breach of the Security of the System

Breach of the Security of the System -
unauthorized acquisition of an individual's
computerized data that compromises the security,
confidentiality, or integrity of personal
information of such individual.
Does not include good faith acquisition, as
long as no bad faith use or subject to further
unauthorized disclosure.
NOTE Not necessarily limited to a breach of a
computer system, despite the word "system" in the
definition.

52
Notice

Notice means
Written notice (addressed to whom?)
Electronic notice, if provided consistent with
provisions federal Electronic Signatures Act
(basically, consumer consents)

53
Substitute Notice

Substitute notice - if information broker
demonstrates (?) that
cost notice gt 250K
of persons gt 500K
insufficient contact information to provide
written or electronic notice

54
Substitute Notice

E-mail notice (when the person or business has an
email address)
Conspicuous posting on website
Notification to major, state-wide media.

55
Do-It-Yourself Notice

If
Person or business that has its own notification
procedures, as part of an information security
policy for the treatment of personal information
and,
Policy is consistent with timing requirements of
SB 1386
Then
Compliance with policy compliance with statute

56
Time Requirements

Most expedient time possible and without
unreasonable delay
Potentially long delay for
legitimate needs of law enforcement
any measures necessary to determine scope of
breach and restore the data systems reasonable
integrity

57
Remedies

Civil suit for damages
Injunction

58
Other Approaches

Georgia Code 10-1-911 912

59
Georgia Code 10-1-911 912

Requires that any information broker who
maintains computerized data that includes
personal information to give notice of any breach
of the security of the system following discovery
of such breach to any resident of the state whose
unencrypted personal information was or is
reasonably believed to have been acquired by an
unauthorized person
If more than 10,000 Georgia residents must be
notified at one time, the information broker must
also notify all consumer reporting agencies

60
Information Broker

Information broker - business, in whole or in
part, is collecting, assembling, evaluating,
compiling, reporting, transmitting, transferring,
or communicating information concerning
individuals for the primary purpose of furnishing
personal information to nonaffiliated third
parties, for a fee.

61
Breach of the Security of the System (I wasnt
kidding about copycats!)

Breach of the Security of the System -
unauthorized acquisition of an individual's
computerized data that compromises the security,
confidentiality, or integrity of personal
information of such individual.
Does not include good faith acquisition, as
long as no bad faith use or subject to further
unauthorized disclosure.
NOTE Not necessarily limited to a breach of a
computer system, despite the word "system" in the
definition.

62
Personal Information

Personal Information a person's name in
combination with
social security number
driver's license number
account number or credit card number (if it can
be used without codes) ?
account passwords or PINs ?
catchall - any information listed, but not
connected with name, which it would be sufficient
for identity theft.

63
Remedies????

Does not specifically give rise to civil action
(Neither does SB 1386)

64
Additional Approaches

North Dakota expands the definition of personal
information to include mother's maiden name
and date of birth
Montana and Arkansas require harm or a likelihood
of harm to individuals before the notification is
mandatory.
Several states require notification to nationwide
consumer reporting agencies if the number of
residents to be notified exceeds a set number
(ranging from 500 to 10,000).
Many states allow the Attorney General to
prosecute violations.
Some states go further and require companies to
maintain adequate data protection, including
destruction procedures.
Copycat to federal bills

65
Where Are We Headed?

State Legislatures declare as follows
The privacy and financial security of
individuals is increasingly at risk due to the
ever more widespread collection of personal
information by both the private and public
sectors
Credit card transactions, magazine
subscriptions, real estate records, automobile
registrations, consumer surveys, warranty
registrations, credit reports, and Internet
websites are all sources of personal information
and form the source material for identity thieves

66
More Declarations

Identity theft is one of the fastest growing
crimes committed in this state California
California legislature used three-year old data
that shows 108 increase
Georgia cites no statistics
Victims of identity theft must act quickly to
minimize the damage therefore, expeditious
notification of unauthorized acquisition and
possible misuse of a persons personal
information is imperative
Implementation of technology security plans and
security software as part of an information
security policy may provide protection to
consumers and the general public from identity
thieves
Information brokers should clearly define the
standards for authorized users of its data so
that a breach by an unauthorized user is easily
identifiable

67
Federal Legislation

Feinstein Bill essentially mirrors SB 1386
no substitute notice by e-mail
media notice required to be in market where
person believed to reside, and must include
toll-free number
requires that data collector make burden of proof
that all notifications were made
including evidence of necessity of any delay
requires written request of law enforcement delay
FTC fines of 1000 per person, up to 50,000 per
day
Enforcement by States Attorneys General,
including damages
Preemption of inconsistent state laws

68
Personal Data Privacy Security Act

Likely passage?
Specter/Leahy
Chair of Judiciary Committee
Ranking Republican on Committee
Much broader than just a notice statute
Broader preemption

69
Personal Data Privacy Security Act

Increased criminal penalties for actual criminals
But, makes it a crime to conceal a security
breach of personal data !!!!
Gives individuals access to and the right to
correct personal data held by data brokers
requires accuracy
Requires entities maintaining personal data to
establish internal policies and vet third-parties
they hire
Notice provisions
Limits the buying and selling of social security
numbers without consent

70
Data Broker

Business entity which, for monetary fees, dues or
on a cooperative non-profit basis, regularly
engages, in whole or in part, in the practice of
collecting, transmitting, or otherwise providing
personally identifiable information on a
nationwide basis on more than 5,000 individuals
who are not customers or employees
Would include things like alumni associations,
charities

71
Data Privacy and Security Programs

Applies to every business with electronic data on
more than 10,000 people
partially exempts entities that must comply GLB
partially exempts entities that must comply with
data security requirements of HIPAA
but parts of business not currently regulated
would become regulated
like Kaiser Permanente, health information
currently regulated by HIPAA
but credit card information currently unregulated

72
Personal Data Privacy Security Act

Requires covered entities to
regularly assess, manage and control risks to
data privacy and security
publish information security policy
provide employee training
conduct system tests
ensure compliance by vendors
One year to comply

73
Personal Data Privacy Security Act

Violations
civil penalties of 5,000 per day, up to
35,000 per day
double penalties for willful violation

74
Personal Data Privacy Security Act

Notice procedures
expands definition of personally identifiable
information to include
the ridiculous?
as defined by section 1028(d)(7) of title 18,
United States Code
name, social security number, date of birth,
official State or government issued drivers
license or identification number, alien
registration number, government passport number,
employer or taxpayer identification number,
unique biometric data, such as fingerprint, voice
print, retina or iris image, or other unique
physical representation
Applies to all data collectors
Must give notice to U.S. Secret Service and state
attorneys general if breach involves more than
10,000
Notice to CRAs if more than 1000 people impacted

75
Personal Data Privacy Security Act

Notice requirements are very explicit
content of notice is very robust
summary of rights
notice of state laws regarding security freezes
on credit reports
Victim Assistance
Requires that business offer victims free monthly
access to their credit report and credit
monitoring services for a year
Exemptions
Risk assessment, conducted with law enforcement
and the attorneys general of each state,
determines de minimus
Fraud prevent exemption
Really aimed at credit card companies

76
Personal Data Privacy Security Act

Violations
civil penalties of 5,000 per day, up to
55,000 per day
double penalties for willful violation
enforcement by States Attorneys General,
including damages

77
Technical Reactions

May 2, 2005 - Time Warner reports lost personal
data of employees during routine shipment of
back-up tapes to storage
Names and Social Security numbers of up to
600,000 employees, dependents and beneficiaries
May 6, 2005 - Time Warner announces that it will
"quickly" begin encrypting all data saved to
backup tapes
This makes data which was formerly accessible
into inaccessible And thats the point!
Action taken to protect employee privacy may
adversely impact companys position in discovery
dispute over cost-shifting

78
Document RetentionCrossroads with Emerging
Privacy Issues

Cost Shifting in Discovery
General presumption that responding party assumes
its own cost of production
Changing rules, especially regarding production
of electronic data
Where is it stored?
How easy is it to get?
How much will it cost to get it?
Zubulake v. UBS Warburg

79
Whose Going To Pay?Document Retention and
Storage

Costs In Litigation

80
General Presumption Producer Pays

General rule, except in extreme circumstances
Compaq Computer Corp. v. Packard Bell
Electronics, Inc., (N.D. Calif. 1995) (more than
1,000 man-hours to retrieve)
United States v. Columbia Broadcasting Sys.,
Inc., (9th Cir. 1982)(required staff of lawyers,
paralegals, accountants, and clerks to review the
thousands of boxes, 18 months to complete, at a
cost of 2.3 million)
Williams v. City of Dallas, (N.D. Tex. 1998)
(review of 30 boxes of documents, including 210
files, 52 audio and video tapes, 23 trial
research notebooks, hundreds of newspaper
articles)

81
Data Storage Matters

Proposed amendments to federal rules of civil
procedure
Judge Scheindlin on Advisory Panel thought
leader
But explicit cost-shifting rules not adopted
So, case law still developing in court system
Federal legislation like the Specter/Leahy Bill
pending at the same time

82
What Can Be Done?

Draft and Implement Information Security Policy
Consider FTC guidelines
Policy should contain administrative, technical
and physical safeguards that are appropriate for
size and complexity organization
nature and scope of company activities
sensitivity of company customer information

83
Information Security Policy

Policy objectives should include
insuring the security and confidentiality of
customer information
protecting against any anticipated threats or
hazards to the security or integrity of such
information
protecting against unauthorized access to or use
of such information that could result in
substantial harm or inconvenience to any customer

84
Information Security Policy

Designate person with system-wide responsibility
to administer and coordinate the policy
Continually identify internal and external
security risks that could result in the
unauthorized disclosure, misuse, alternation,
destruction or other compromise of information

85
Information Security Policy

Continually assess sufficiency of safeguards put
in place to control identified risks
Employee training and management
Information systems
processing
storage
disposal

86
Assessment, cont.

Detection, prevention and response to all forms
of attacks, intrusions, or other failures of
security (technological and human)
Regular audits of the effectiveness of safeguards
Relationships with third parties and their
adherence to safe safeguards

Questions?

88
HIPPA A Brief Introduction

Steve Gravely
Partner
Troutman Sanders LLP
804.697.1308
steven.gravely_at_troutmansanders.com

89
What is HIPAA?

Health Insurance Portability and
Accountability Act
Enacted in 1996
Also known as the Kennedy-Kassebaum Bill
Insurance portability and health care information
privacy and security

90
HIPAA is all about

Standards
Standards for automating the business of
transmitting electronic claims information
Standards for protecting the privacy of health
information
Standards for ensuring the security of health
information

91
Core Components

5 Core Components
Transactions and Code Sets
Published August 17, 2000
Effective October 16, 2002
Privacy Standards
Published December 29, 2000
Effective April 14, 2003
Security Standards
Proposed rules published August 12, 1998
Effective April 21, 2005
National Provider Identifiers
On hold
National Employer Identifiers
On hold

92
A Covered Entity

Health Plan
Individual or group plan than provides, or pays
the cost of, medical care
A health insurance issuer or health maintenance
organization
A group health plan that has 50 or more
participants or is administered by an entity
other than the employer who established and
maintains the plan
An employee welfare benefit plan which is
established or maintained for the purpose of
offering or providing health benefits to the
employees of 2 or more employers
Healthcare Clearinghouse
Converts non-standard data into standard
transactions or vice versa
Healthcare Provider
Performs at least 1 standard transaction
electronically

93
Protected Health Information

Individually identifiable health information
Includes virtually all written or oral
communications related to
Past, present or future physical or mental health
condition of a patient
Includes health care services provided and
information related to payment for services
PHI is Everywhere!
Doesnt matter what form or format
Doesnt matter if you created or received
Uses and Disclosures of PHI are regulated

94
Examples of Areas Housing PHI

Accounting
Administration
Admitting/Referral Authorization
Billing/Business Office
Clinical Functions
Compliance
Contracts
Customer Service/Front Office/Reception
Human Resources

Information Systems
Legal
Marketing
Medical Records
Medical Staff/Physician Functions
Radiology, Laboratory or Ancillary Services
Risk Management

95
Business Associates

Entity acting on behalf of covered entity which
needs to use or disclose PHI
Requires a contract governing relationship to
make sure privacy is protected
Examples
Accountants
Attorneys
Billing/Coding Consultants
Transcription Services

Questions?

97
Privacy Issues Arising Under the Bankruptcy Abuse
Prevention andConsumer Protection Act of 2005

Rich Hagerty
Partner
Troutman Sanders LLP
703.734.4326
richard.hagerty_at_troutmansanders.com

98
General Information ConcerningBAPCPA

The Bankruptcy Abuse Prevention and Consumer
Protection Act of 2005 (BAPCPA) was signed by
President George W. Bush on April 20, 2005.
First major revision of U.S. Bankruptcy laws
since 1978.
Generally effective as to bankruptcy cases filed
on or after October 17, 2005.

99
Two Major Privacy-Related Changes

New restrictions on transfer of personally
identifiable information (PII)
New restrictions on access to and destruction of
confidential patient records in bankruptcies by
health care businesses

100
Personally Identifiable Information

New Code Section 101(41A) defines PII to
generally include all personal information about
individual consumers held by a debtor
Encompasses any . . . information concerning an
identified individual that, if disclosed, will
result in contacting or identifying such
individual physically or electronically.
Includes names, addresses, e-mail addresses,
phone numbers, social security numbers, etc.

101
Restrictions on Transfer ofPersonally
Identifiable Information

Amended Section 363(b)(1) restricts the sale of
PII in possession of debtor if the debtor had a
policy prohibiting or restricting the transfer of
PII which was disclosed to consumers and in
effect on the petition date
Note no restriction on sale or transfer of PII
if debtor had no policy in effect on petition date

102
Restrictions on Transfer ofPersonally
Identifiable Information

PII may only be transferred if
Sale or transfer consistent with the debtors
existing policy, or
A consumer privacy ombudsman is appointed and the
court approves the sale or transfer after notice
and a hearing

103
Consumer Privacy Ombudsman

New Section 332 regulates appointment of consumer
privacy ombudsman (CPO)
Must be appointed at least 5 days before hearing
on whether or not PII should be sold/transferred
Must be disinterested person other than U.S.
Trustee
May be compensated from bankruptcy estate
pursuant to amended Section 330(a)

104
Consumer Privacy Ombudsman

Interim Bankruptcy Rule 6004(g) requires motion
for authority to sell or lease PII to include
request for order directing appointment of CPO
Interim Bankruptcy Rule 2002(c)(1) requires
notice of motion for authority to sell or lease
PII to state whether proposed sale or lease is
consistent with a policy prohibiting transfer

105
Privacy Issues Related toHealth Care Businesses

Health care business defined by new Code
Section 101(27A) as any public or private entity
involved in virtually any way in providing health
care to the general public
Includes hospitals, nursing homes, ambulatory,
emergency and urgent care facilities, hospices,
and home health agencies

106
Restrictions on Destruction ofConfidential
Patient Records

New Code Section 351 requires trustee or
debtor-in-possession to destroy confidential
patient records of a debtor that is a health care
business if it becomes too expensive to maintain
the records
These rules apply in any case under Chapter 7, 9
or 11 of the Bankruptcy Code

107
Prerequisites to Destruction ofConfidential
Patient Records

Trustee must publish notice in 1 or more
appropriate newspapers of intent to destroy
records 365 days after first publication of
notice
Trustee must also attempt to notify patients and
their health insurers directly within first 180
days of the 365 day period after publication of
notice

108
Prerequisites to Destruction ofConfidential
Patient Records

Interim Bankruptcy Rule 6011 requires court
approval of notice of intended destruction of
records, specifies required content of notice
Rule 6011 also requires certification of
destruction of records and method of destruction
within 30 days after records have been destroyed

109
Other Provisions AffectingConfidential Patient
Records

New Code Section 333 requires court to appoint a
patient care ombudsman within 30 days of filing
any bankruptcy case by or against a health care
business
Among other duties, patient care ombudsman
required to maintain confidentiality of patient
records, and is prohibited from reviewing them
without prior court approval, except as
consistent with Older Americans Act of 1965 or
state laws governing State Long-Term Care
Ombudsman program

110

Questions?

111
Restrictions on Disclosure of Confidential
Financial Recordsin Maryland

Rich Hagerty
Partner
Troutman Sanders LLP
703.734.4326
richard.hagerty_at_troutmansanders.com

112
General Rules

Sections 1-301 through 1-306 of the Financial
Institutions Article, Annotated Code of Maryland,
restrict disclosure of financial records by
fiduciary institutions

113
Definitions

Financial records means virtually any
information related to a deposit or share
account, a loan account or an application for a
loan
Includes ATM and other electronic transactions

114
Definitions

Fiduciary institution means
National and state banks, including out-of-state
banks with a branch in Maryland
National and state credit unions
National and state savings and loan associations
Any other entity organized under Maryland
banking laws and supervised by Commissioner of
Financial Regulation

115
Definitions

Fiduciary institution does not include
Lenders licensed under Maryland Consumer Loan Law
or Consumer Installment Loan Law
Sales Finance Companies licensed in Maryland
Mortgage lenders and brokers licensed in Maryland

116
General Prohibition onDisclosure of Financial
Records

Disclosures of financial records generally
prohibited absent
Consent of customer
Authorized requests by court-appointed counsel,
guardians, personal representatives, or certain
specified state agencies
Practice tip insist upon written consent

117
Permitted Disclosures ofFinancial Records

Section 1-303 permits disclosure in 13 cases,
including
To internal/external auditors of fiduciary
institution
In reports required by Federal or state law
In connection with the negotiation of checks and
other commercial paper
In connection with paying off or refinancing
mortgages

118
Permitted Disclosures ofFinancial Records

Disclosure permitted in response to a subpoena
issued by lawful authority if
Subpoena contains certification that copy has
been served on person whose records are sought,
or
Subpoena contains certification that service has
been waived by court for good cause

119
Allowable Disclosures

Financial records may be disclosed to an adult
protective services program if fiduciary
institution believes that customer is subject to
financial exploitation
Financial exploitation means misuse of
customers funds or property

120
Penalties for Violation

Knowing and willful disclosure is a misdemeanor,
subject to fine of not more than 1,000
Potential civil liability at common law for
breach of contract, as well as possible private
cause of action under statute
Taylor v. NationsBank, N.A., 365 Md. 166,776
A.2d 645 (2001)

121

Questions?

122
The Basics on FACTA

Mary Zinsner
Partner
Troutman Sanders LLP
703.734.4363
mary.zinsner_at_troutmansanders.com

123
What is FACTA?

The Fair and Accurate Transactions Act of 2003
(FACTA or the FACT Act)
Amends certain provisions of the federal Fair
Credit Reporting Act, 15 U.S.C. 1681 et. seq.
Expansive act with ramifications in financial,
medical, and other business industries

124
The Broad Reach of FACTA

Under FACTA, certain federal agencies were
required to create regulations designed to
minimize the risk of identity theft and consumer
fraud

125
The Disposal Rule

Issued by The Federal Trade Commission in
November 2004
Effective June 1, 2005
Purpose of rule is to minimize the risk of
identity theft and consumer fraud by enforcing
the proper destruction of consumer information

126
Who is Affected?

The Disposal rule applies to businesses that
utilize consumer information
Affects every person and business in the United
States

127
The Rule

The FACTA Disposal Rule, effective June 1, 2005,
states that any person who maintains or
otherwise possesses consumer information for a
business purpose is required to dispose of
discarded consumer information, whether in
electronic or paper form.
The Disposal Rule further clarifies the
definition of compliance as taking reasonable
measures to protect against unauthorized access
to or use of the information in connection with
its disposal.

128
What is Consumer Information?

The Disposal Rule applies to consumer reports or
information derived from consumer reports.
The Fair Credit Reporting Act defines the term
consumer report to include information obtained
from a consumer reporting company that is used
or expected to be used in establishing a
consumers eligibility for credit, employment, or
insurance, among other purposes.
Examples of consumer reports include credit
reports, credit scores, reports which businesses
or individuals receive with information relating
to employment background, check-writing history,
insurance claims, residential or tenant history,
or medical history.

129
What are Reasonable Measures?

Burning, pulverizing, or shredding of physical
documents
Erasure or destruction of all electronic media
Entering into a contract with a third party
engaged in the business of information destruction

130
Who is Affected by FACTA?

Virtually every company operating in the United
States is
required, as of June 1, 2005, to securely destroy
all
documents and material that contain sensitive
consumer
information. Specifically, this applies to
Businesses that use consumer information in their
everyday operations, such as banks, lenders,
insurers, auto dealers, realtors, employers
Service providers that store consumer reports and
information, such as record management and
information management companies
Service providers that destroy information, such
as shredders, recyclers, waste management or
technology disposal companies

131
The Cost of Non-Compliance

Federal, state and civil penalties. Under the
Federal Credit Reporting Act (FCRA), both
criminal and
civil charges can be filed with federal penalties
up to 2,500 and civil penalties up to 1,000 per
violation. These fines are based on the
occurrence, so a large processing center that
does not
properly dispose of consumer records can face
thousands of violations for a given day which
could
result in multi-million dollar fines.
Litigation. Courts can award punitive damages
for individual or class action lawsuits.
Damage to corporate reputation. For most
companies this is the biggest risk. If your
company is
charged with violations of the FACTA Disposal
Rule, you are likely to face the same fate as
other
companies accused of not adequately protecting
consumer information
An attack of your companys reputation by privacy
advocates
Loss of investor confidence and shareholder value
Loss of revenue and market share
Irreparable damage to your companys brand
The damage to a corporations reputation is
likely to be more expensive than the fines
themselves.
Often times the court of public opinion is more
critical and more costly than the sanctions.

132
Steps to Compliance

Create or modify existing policies regarding the
disposal of consumer information
Identify any new procedures, training and
involvement of necessary personnel
Select, after investigation, an appropriate
information management partner if needed
Establish service agreements with this partner
that specify frequent monitoring of procedures to
ensure on-going compliance
Educate and train employees
Audit the process to identify weak links or
performance gaps

133

Questions?

134
Legal and Ethics Compliance Program - Due
Diligence Activities

Dan Seikaly
Partner
Troutman Sanders LLP
202.274.2895
daniel.seikaly_at_troutmansanders.com

135
Legal and Ethics Compliance Program - Due
Diligence Activities

Background checks on managerial employees
Background checks on prospective contractors,
agents and partners
with responsibilities in sensitive areas
Fair Credit Reporting Act implications

136
2004 Federal Sentencing Guidelines

8B2.1 Effective Compliance and Ethics Program
(b) (3) The organization shall use reasonable
efforts not to include with the substantial
authority personnel of the organization any
individual whom the organization know, or should
have known through the exercise of due diligence,
has engaged in illegal activities or other
conduct inconsistent with an effective compliance
and ethics program.

137
Fighting Global Corruption Business Risk
Management 2001-2003

Undertake due diligence. Conducting prompt and
thorough due diligence reviews is vital for
ensuring that a compliance program is efficient
and effective
Self-monitoring, monitoring of suppliers, and
reports to the Board of Directors
Moreover, from vetting new hires, agents, or
business partners to assessing risks in
international business dealings (e.g., mergers,
acquisitions, or joint ventures), due diligence
reviews can uncover questionable conduct and
limit liability.

138
Foreign Corrupt Practices Act Antibribery
ProvisionsDOJ DOC Brochure

U.S. firms should be aware of so-called red
flags, i.e., unusual payment patterns or
financial arrangements, a history of corruption
in the country apparent lack of qualifications .
. .to perform the services offered.

139

Questions?

140
When are Companies Liable for Identity Theft?
New Litigation and Legal Theories

John Anderson
Partner
Troutman Sanders LLP
703.734.4356
john.anderson_at_troutmansanders.com

141
Lawsuits and Legal Theories

Increased publicity concerning the large scale
disclosure of personal data has drawn the
attention of consumer class action attorneys
Resulted in several lawsuits being filed and the
testing of various legal theories for liability
and damages

142
Lawsuits and Legal Theories

Bell v. Michigan Council 25, 2005 Mich. App.
Lexis 353 (Mich. Ct. App. 2005)
Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003)
Kuhn v. Capital One Financial, 2004 Mass. Super.
Lexis 514 (Mass. Super. Ct. 2004)
Harrington v. ChoicePoint, 205cv01294 (C.D. Cal.)

143
Lawsuits and Legal Theories

Bell v. Michigan Council 25
Affirmed 275,000 verdict in favor of 13 union
members whose SSNs, drivers license numbers and
other personal information were stolen by the
daughter of the unions treasurer
Relationship of union/union member was found
sufficient to support a duty
Opinion states similar to the relationship
between a bank and its account holders or any
financial institution and its clients
Criminal act by a third party did not absolve the
defendant from liability the harm of someone
misusing the plaintiffs personal information was
foreseeable
Allowed recovery for numerous hours spent trying
to correct the problems created by identity theft
and the aggravation, anguish and humiliation from
trying to purchase items on credit

144
Lawsuits and Legal Theories

Huggins v. Citibank
Does South Carolina recognize a cause of action
for negligent enablement of imposter fraud?
Victim of identity theft sued several banks
claiming they were negligent in allowing an
imposter to obtain credit cards in his name
Straightforward analysis of negligence claim
must have a legal duty of care to support a claim
for negligence
The relationship, if any, between a credit card
issuer and a potential victim of identity theft
is too attenuated to rise to the level of a legal
duty
Plaintiff was not a customer of any of the
defendants

145
Lawsuits and Legal Theories

Kuhn v. Capital One Financial
Hacker obtained plaintiffs personal information
through a merchants server and within days 18
accounts had been opened in plaintiffs name and
25,000 had been charged to those accounts
Plaintiff sued

Write a Comment

User Comments (0)