Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

As we've discussed in prior posts, newly effective regulations promulgated under Massachusetts' recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located – that use personal data of Massachusetts residents.

Although the deadline for compliance with the Regulations – March 1, 2010 – has come and gone, many companies – both within Massachusetts and, particularly, outside of it – are not yet, in fact, compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.

In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics.  "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman is available here.

The FTC Brings 27th Case for "Faulty Data Security Practices"

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

According to the FTC’s complaint, an unauthorized individual was able to gain access to Dave and Buster’s networks between the dates of April 30, 2007 and August 28, 2007 and intercept credit card and debit card information (and other personal information) from approximately 130,000 consumers. In addition, according to the FTC, the affected issuing banks have collectively claimed several hundred thousand dollars in fraudulent charges on some of these compromised consumer accounts.

The FTC’s complaint states that, upon its discovery of the data security breach, Dave and Buster’s notified law enforcement officials and credit card companies, and took remedial steps to prevent further unauthorized access by the intruder. However, the FTC’s complaint also alleges that it was Dave and Buster’s “failure to employ reasonable and appropriate security measures to protect personal information” that enabled the unauthorized access that caused the data breach. Among the failures cited by the FTC, Dave and Buster’s allegedly failed to employ an intrusion detection system, failed to monitor system logs, failed to use firewalls to limit access between in-store networks, failed to isolate the payment card system from the rest of the corporate network and failed to use other readily available security measures, such as limiting access to its computer networks through wireless access points on such networks.

The settlement agreement entered into between the FTC and Dave and Buster's requires Dave and Buster's, among other things, to establish, implement and maintain a comprehensive, written data security program that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal consumer information. In addition, Dave and Buster's is required to obtain an initial assessment and biennial assessments thereafter (for a period of 10 years from the date of the order) from a qualified third party regarding its implementation and maintenance of its program and safeguards in compliance with the settlement agreement.

The FTC’s news release announcing the settlement, along with the FTC’s complaint and the settlement agreement containing the consent order, can be accessed by clicking here.

2009 Ponemon Institute "Cost of a Data Breach" Study Released

This past week, the Ponemon Institute announced the publication of the results of its fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research into data breach incidents occurring in 2009.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies covering 15 various industry sectors, with the top represented industries including the financial, retail, services and healthcare industries. The size of the breaches experienced by companies surveyed ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.

This year's study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations in 2009 was $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog's posting on the Ponemon Institute's 2008 Study), but represents a $66 overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.


The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.


The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

  • 42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company's data is in the possession or control of, a third party.
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
  • 82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.

Third Time's a Charm for "Data Accountability and Trust"? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

H.R. 2221 provides for notification following discovery of a breach of security of a system maintained by any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. The bill would require notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Importantly, the bill expressly preempts state laws regarding data breach notification. Preemption of state laws, such as those in California that contain different “trigger” language governing when notification is required, was one reason the bill struggled when initially introduced in 2005.

Where notification is required, the bill specifies methods for and required content of notification. Written, or in some circumstances, email, notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

Other provisions in the bill call for regulations to be promulgated governing the establishment of policies and procedures regarding practices to protect data containing personal information by those who own or possess such information. State laws regarding information security practices on the treatment of such data also would again be subject to preemption. Additionally, the bill contains specific provisions covering information brokers – requiring that brokers supply their security policies to the FTC either in conjunction with a breach notification or upon the Commission’s request. Under the proposed Act, information brokers would be required to allow each individual whose personal information it maintains to review his or her own data for accuracy.

Rep. Boucher (D-Va), who is planning to introduce a bill addressing how information collected online is stored and used, and Rep. Rush are planning to hold a hearing this summer to discuss how their bills “intersect.”

Stay tuned.

Will Congress Enact Data Security Breach Provisions This Year? Guess What, It Already Has

By Jeffrey D. Neuburger and Sara Krauss

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009).

Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information.

The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such a breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity's policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.

Section 13402, "Notification in the Case of Breach," is just one of a number of privacy-related provisions contained in Subtitle D – Privacy of the HITECH Act. The major provisions of §13402, as well as the temporary breach notification provisions applicable to vendors of personal health records in §13407, are outlined below.

What kind of information is covered?

The notification of breach provisions apply to "protected health information" (PHI) that is "unsecured." Section 13402(a) provides that a "covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information" shall notify each individual whose information has been subject to a breach. The applicable definition provision, §13400(12), incorporates by reference the definition of "protected health information" that is currently contained in the HIPAA Privacy Rule at 45 C.F.R. § 160.103. Thus, "individually identifiable health information" as defined in the Rule that is "unsecured" is subject to the breach notification provisions.

The "unsecured" portion of the definition is to be addressed in regulations issued by the Secretary of Health and Human Services within 180 days of the enactment of the legislation (i.e., no later than August 17, 2009 (August 16 being a Sunday)). §13402(h)(1)(A). However, the legislation goes on to define the term in the event that the required regulations are not timely issued. §13402(h)(1)(B). The "backstop" definition of the term provides that it shall mean:

protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

What is a "breach"?

The term "breach" is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." §13400(1)(A).

In addition to the exception language in the above portion of the definition, there is a further exception for certain circumstances involving inadvertent acquisition, access or use of PHI by employees and agents of covered entities or business associates where the information is not further acquired, accessed, used or disclosed. §13400(1)(B).

Timing and nature of notification

Notice of the breach must be given "without unreasonable delay" and in no event later than 60 days after the date of discovery of the breach. §13402(d). Notice must be given to the individual whose PHI was subject to a breach, or to the next of kin in the case of a deceased person, to the last known address of the person or the next of kin. E-mail notice may be given only if the individual specified e-mail notice "as a preference." §13402(e)(1).

If the contact information of an individual is insufficient or out of date, "a substitute form of notice" must be provided; if the information is insufficient or out of date for 10 or more persons, such substitute notice must be given in the media and on the Web site of the covered entity, as further provided in the Act and under regulations to be adopted by the Secretary of HHS. In a case in which "urgency" is required "because of possible imminent misuse" of unsecured PHI, the covered entity may provide notice "by telephone or other means, as appropriate." §13402(e)(1)(C).

If the breach involves unsecured PHI of 500 or more individuals, both media notice and notice to the Secretary of HHS must be given. Covered entities must also report to the Secretary of HHS on an annual basis as to any breaches that have occurred, even if reporting to the Secretary was not otherwise required (i.e., the breach involved the unsecured PHI of less than 500 individuals). §13402(e)(3).

Similarly to most, if not all, state data security breach notification statutes, there is an exception to the timing requirement if requested by law enforcement officials. §13402(g).

Application to "business associates"

The notice provisions require a "business associate" (as such term is defined in the administrative simplification regulations promulgated under HIPAA) that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses" unsecured PHI of a covered entity to notify the covered entity in the event of a breach in the security of such information. §13402(b). The notice must include, among other things, “the identification of each individual whose unsecured protected health information” was breached. Id.

Although the HIPAA Privacy Rule and Security Rule currently mandate that covered entities include in their contracts with business associates provisions requiring that the business associate notify the covered entities of: a) uses and disclosures of protected information not provided for by its contract, and b) "security incidents" (as defined in the HIPAA Security Rule), the new law now directly imposes notification obligations on the business associate. Because the obligation on business associates to report such breaches to covered entities will now be statutory, failure to comply will be more than just a breach of contract - now business associates could be subject to civil and criminal penalties. See §13401 and §13404.

Application to "vendors of personal health records"

Section 13407 contains a separate set of "temporary" breach notification provisions that target enterprises that offer services to individuals to store their health information online as well as their service providers. The provisions reflect concerns that such vendors are not subject to the HIPAA Privacy Rule, even as the Medicare program itself is implementing programs to encourage beneficiaries to use such private services to maintain their personal health records.

These provisions are designated as "temporary" because they will lapse in the event that Congress enacts new data security breach legislation applicable to non-HIPAA entities. §13407(g).

A "vendor of personal health records" is defined in §13400(18) as "an entity, other than a covered entity [under HIPAA], that offers or maintains a personal health record." Such vendors, as well as a list of other entities involved in providing various services related to personal health records (see §13407(a), cross-referencing entities enumerated in §13424(b)(1)(A)(ii), (iii) and (iv)), are required to provide notice of a breach in the security of "unsecured PHR [i.e., "personal health record"] identifiable health information that is a personal health record maintained or offered by such vendor" or other such entity. "PHR identifiable health information" is defined as "identifiable health information" that is "provided by or on behalf of the individual" and that "identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual." The definition of "unsecured" will be established in the regulations to be adopted by the Secretary of HHS with respect to the provisions applicable to covered entities and business associates in §13402. See §13407(f)(3).

The notice must be provided to the individual whose information was "acquired by an unauthorized person," as a result of a breach, as well as to the Federal Trade Commission. §13407(a)(1) & (2). A "breach of security" is defined broadly as the "acquisition of unsecured PHR identifiable health information … without the authorization of the individual." §13407(f)(1). Violations of the data security breach provisions are defined as an unfair or deceptive act or practice under the FTC Act, and the FTC is tasked with adopting regulations and enforcing the provisions of this section. §13407(e).

Preemption

With respect to preemption of state law, the HITECH Act references the provisions in the Social Security Act that set forth the general rule preempting contrary state laws, but excepting from that general rule a state law that "relates to the privacy of individually identifiable health information." §13421(a). The HITECH Act data breach provisions themselves are contained in Subtitle D – Privacy of the Act and the legislative history is replete with references to the provisions as protective of patient privacy, so it would be difficult to argue that state data security breach laws that apply to health information do not also "relate to the privacy of health information." Therefore, to the extent that a state security breach law similarly pertains to health information and is more protective of such information than the new federal provisions, it would appear not to be preempted by the security breach provisions in the HITECH Act, and business associates and covered entities, to the extent that they are covered by both federal and state laws, would be required to comply with both laws.

When are these provisions effective?

The effective date of the breach notification provisions depends upon when the Secretary of HHS issues implementing regulations. The legislation directs the Secretary to issue interim final regulations within 180 days of enactment of the legislation, i.e., no later than August 17, 2009. §13402(j). The notification of breach provisions (both those applicable to "covered entities" and "business associates") as well as the temporary provisions that apply to vendors, become effective 30 days following the issuance of the regulations and apply to breaches discovered on or after that date. Under that scheme the effective date should be no later than September 16, 2009.

Breach Litigation Developments Webinar

Early this month I discussed recent developments in data breach litigation at a webinar hosted by Debix.  You can listen to the webinar at any time by following the instructions here.

All of us in Proskauer's Privacy and Data Security Practice Group wish you a peaceful and happy holiday.

Privacy under the 44th President? Will the New Administration Bring a New Playbook?


As we prepare to welcome both the 44th President and a revamped Congress to Washington, it is time to consider what privacy under the new administration will look like. Barack Obama polled strongly on the campaign trail as the candidate most likely to advance individual privacy rights, but are the pollsters a good indicator of what privacy will look like under the new administration? Here are some of our thoughts about what we may see in the next four years.


National Privacy Law: Major players in the online marketing sphere, such as Microsoft and Google, already have expressed support for a generally-applicable privacy law to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. Whether a federal law emerges governing the collection and use of personal data, including for marketing purposes, is the looming question in the new administration.

Behavioral Advertising: Behavioral advertising -- the practice of tracking an Internet user's activities online in order to deliver advertising targeted to an individual consumer's interests -- which Congress examined extensively over the summer, should continue to generate interest under an Obama administration. Indeed, the Federal Trade Commission ("FTC") is expected to announce its final guidance concerning the self-regulation of behavioral advertising even before President-elect Obama takes office in January. We are also likely to see behavioral advertising legislative proposals at the state level, with efforts gaining traction in states like New York, where both Houses are now controlled by the Democrats.

Electronic Health Records: A key component of President-elect Obama’s health care plan is the migration of health care records from paper to more universally accessible forms of electronic media. The incoming president believes strongly that the use of technology will help lower the cost of health care. But as many commentators have suggested, greater accessibility carries greater risk, and the shift toward computerized health records is one area in which President-elect Obama’s aggressive technology and innovation policies may outgrow existing consumer protection safeguards. President-elect Obama’s commitment to providing robust protections against the misuse of this kind of sensitive information likely will require the development of additional, and more broadly-applicable, regulations to shore up existing safeguards provided under the Health Insurance Portability and Accountability Act (“HIPAA”) and other existing legal regimes. 

Data Breach Notification:  Over the past few years, states have been very active passing legislation that requires businesses that retain information about state residents to notify such residents when that information is compromised. Efforts to pass a preemptive national law have stalled largely because of the greater discretion proposed for business regarding the need to notify. That issue will likely continue to impede consensus on a national law, and the state framework is likely to be with us for a while.  

Legislative activity at the state level concerning the protection of personal information, however, is likely to continue as lawmakers try to respond to several high profile information security breaches from previous years. Moreover, as we are seeing in Massachusetts and Connecticut where new data security laws have been passed, we may see a stronger push at the state level toward requiring affirmative steps to protect personal information, rather than just requiring businesses to respond to a breach incident.

More Robust Federal Trade Commission: President-elect Obama plans to enlarge the FTC budget and enforcement power to aid in the implementation of his technology and innovation policies. The FTC’s expanded powers will likely be used to enforce the Commission’s new identity theft Red Flags Rule, which requires financial institutions and creditors to implement comprehensive written identity theft prevention programs by May 1, 2009. The FTC’s decision to extend the original November 1, 2008 compliance deadline for an additional six months portends relatively immediate enforcement activity in Summer 2009 that will help define precisely what is required, and from whom, under the Rule. The push for more enforcement power may also spur the expansion of the FTC’s authority to seek civil penalties and other monetary remedies for violations of the statutes and regulations the Commission enforces.

Location Data & Government Surveillance: President-elect Obama’s desire to develop and better utilize available technologies to create real change in America will likely create some friction in the areas of government surveillance and the collection of location data where the interests of national security and personal privacy diverge. Moreover, the private sector’s collection and use of location data and other “tracking” information to more effectively market to consumers raises concerns on both sides of the aisle since these technologies arguably can be misused to compromise national security or personal privacy. While we expect the Obama administration to back away from the aggressive government surveillance policies and programs implemented by the previous administration in the wake of September 11, 2001, the success of these efforts will require a delicate balance between a strong stance on national security and a shift toward protecting the privacy of Americans at home.

449 Data Breaches Reported this Year

There have been 449 data breaches reported in the media in 2008, according to the Identity Theft Resource Center's 2008 Data Breach List. That number exceeds the 2007 year-end total, and it counts even massive incidents such as the Hannaford Bros. breach as only one breach. Note that some of the breaches in the 2008 list were reported in 2008 but occurred in earlier years.

The public availability of the breach information reported by media and catalogued in the Data Breach List is a direct result of the data breach notification laws of 44 states.  As a reminder, the most recent list of state data breach laws is available here on the Proskauer on Privacy blog.

Prying Eyes Make Headlines


Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential. 


The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.


One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.


According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.


The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.


Companies that want to stay off the front page must ensure that personnel receive and are regularly trained regarding company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local law enforcement agencies, the person determines that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. § 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (MASS. GEN. LAWS ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. tit. 74, § 3113.1) (applies to public entities only)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (WYO. STAT. ANN. §§ 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state, Oklahoma, whose law applies only to public entities). Listed below are the 41 states with laws that apply to private entities, plus the District of Columbia and Puerto Rico.

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. § 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, ch. 210-B, § 1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (MASS. GEN. LAWS ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (WYO. STAT. ANN. §§ 40-12-501 through 40-12-509)