: confidential information : Privacy Law Blog

Home > confidential information >

Prying Eyes Make Headlines

Posted on August 18, 2008 by Proskauer Rose LLP

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.

According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.

The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.

Companies that want to stay off the front page must ensure that personnel receive and are regularly trained regarding company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.

Tags: California, Medical Privacy, Michigan, celebrities, confidential information, data security breach, health care, personally identifying information

No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

Posted on May 5, 2008 by Proskauer Rose LLP

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Arnold never claimed that the government’s search of his laptop damaged it in any way, therefore not invoking the "exceptional damage to property" exception to suspicionless searches. Further, although Arnold did raise the "particularly offensive manner" exception, the court found there was nothing in the record to "indicate that the manner in which the CBP officers conducted the search was ‘particularly offensive’ in comparison with other lawful border searches." The customs officers simply asked Arnold to boot up his laptop and looked at what was there. The court failed to discern any meaningful distinction between such a search and suspicionless searches of travelers’ luggage at the border.

The court also refused to adopt Arnold’s analogy to a search of a home, noting that the Supreme Court has rejected applying Fourth Amendment protections afforded to homes to property "‘capable of functioning as a home’" simply due to its size. The Court also rejected the notion that the quality or nature of the container merited a distinction in this case. A laptop, the court reasoned, is more like a mobile home than a home or office; the Supreme Court has refused to treat a mobile home differently from other vehicles due to the fact that it is readily movable and the expectation of privacy with respect to a car is significantly less than that relating to a home or office. The court also noted that case law does not support a finding that a search is particularly offensive due to the storage capacity of the object.

Finally, the court rejected Arnold’s argument that the First Amendment requires reasonable suspicion for a border search where the risk is high that expressive material will be exposed. The court refused to create a split with the Fourth Circuit’s decision in United States v. Ickes, 393 F. 3d 501 (4th Cir. 2005). The Fourth Circuit declined to "carve out a First Amendment exception to th[e border search] doctrine because such a rule would: (1) protect terrorist communications ‘which are inherently ‘expressive’’; (2) create an unworkable standard for government agents who ‘would have to decide—on their feet—which expressive material is covered by the First Amendment'; and (3) contravene the weight of Supreme Court precedent refusing to subject government action to greater scrutiny with respect to the Fourth Amendment when an alleged First Amendment interest is also at stake."

Needless to say, the Ninth Circuit’s decision in Arnold has significant implications for anyone who travels with unencrypted confidential and/or personally identifiable information on a laptop or other electronic storage device. Companies with personnel who routinely travel with such sensitive information must reevaluate information security policies and consider measures that will protect such information from unauthorized access during international travel. It is not a given that affected entities and individuals can wipe laptops and other storage devices clean of such information prior to travel. Such procedures may create practical problems and inefficiencies, and even run afoul of legal or litigation holds requiring the preservation of data in a particular form.