Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

This settlement resulted from the first ever attorney general action under the HITECH Act, as a result of the loss by Health Net, a health insurer, of a computer disk drive that contained unencrypted protected health information such as claims forms, health plan appeals information, and other sensitive data relating to approximately 1.5 million health plan participants (approximately one-third of whom resided in Connecticut). The Connecticut AG focused upon the several month delay by Health Net in reporting the loss to law enforcement officials. 

As part of the settlement, Health Net has agreed to pay $250,000 to the state, offer two years of credit monitoring for affected participants, obtain $1 million of identity theft insurance, and reimburse affected individuals for security freezes. An additional contingent payment of $500,000 will need to be paid, under specified circumstances, in the event that the lost information is actually accessed and misused. Further, Health Net has agreed to a corrective action plan that includes various privacy and security measures to heighten protections for health information as well as other sensitive data, regular monitoring, and reporting to the attorney general’s office. Many of the steps that Health Net agreed to undertake relate to the handling of portable media and the encryption of sensitive data, such as encryption of hard drives, including those on desktop computers, as well as to the improvement of security training and awareness for personnel. 

While many commentators have understandably focused on the security breach notification provisions of the HITECH Act, the provision of the Act that authorizes state attorneys general to bring civil actions for violations of HIPAA also warrants attention. The inclusion of this provision adds an additional avenue for enforcement of privacy and security violations by HIPAA-covered entities, although the Connecticut action is the only action that has been brought to date since HITECH Act was enacted in February 2009.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

• continuing to dedicate resources to educate parents and educators on child safety online;
• using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
• retaining an “Independent Examiner” to evaluate and examine handling of complaints;
• continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
• implementing a series of operational changes including:
  • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
  • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
  • an image monitoring policy with technology to hash inappropriate images;
  • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
  • expanded age specific classifications for events;
  • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
  • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
  • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

• organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorney generals’ task force;
• designating a senior executive to work with the task force;
• holding regular meetings with the attorney generals to discuss website design and functionality improvement to protect children;
• hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
• blocking access by those under 18 to profiles related to the entertainment industry;
• increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.