By Alexei Alexis

Online privacy is expected to remain a hot topic in 2012, but it is unlikely that Congress will enact any major reforms in such a complex and unsettled area during an election year, observers tell Bloomberg BNA.

Privacy is expected to be an ongoing focus of congressional hearings with the Senate Commerce, Science, and Transportation Committee and the House Energy and Commerce Committee in particular weighing the need to protect consumers’ online personal data. While privacy bills are pending before both panels, and the Obama administration is finalizing its own proposal, key Republicans remain concerned about the potential impact on the business community.

“Short of a cataclysmic privacy event, I don’t see a comprehensive bill passing in 2012,” Lisa Sotto, head of the privacy and information management practice at Hunton & Williams, told Bloomberg BNA. “I do think we will see continued discussions that will build momentum toward passage of such legislation in a few years.”

For now, Sotto said, companies can expect the Federal Trade Commission to remain active on enforcement: “There’s no question that the FTC will continue to be active and probably step up formal enforcement activities.”

Behavioral Ad Legislation Momentum Waning?

Top committee Democrats have called for legislative action to address key privacy concerns, such as tracking of consumers’ web-surfing habits for behavioral advertising.

Dan Jaffe, executive vice president of government relations at the Association of National Advertisers, said industry has made progress toward convincing lawmakers that self-regulation can effectively address privacy concerns over behavioral advertising. “We’re hopeful that self-regulation, not regulation, will continue to be the focus in 2012,” he said.

Zaneis said that “with industry self-regulation beginning to succeed, there’s less pressure to move legislation. I don’t see any part of this dynamic changing in 2012.”

Early in 2011, the Senate Commerce Committee launched a series of oversight hearings on privacy. In May 2011, Sen. John D. Rockefeller IV (D-W.Va.), the panel’s chairman, introduced a “do-not-track” bill (S. 913) that would make it easier for consumers to avoid having their online activities followed by companies. Since then, however, he has not announced any specific markup plans.

Asked about Rockefeller’s position going into 2012, a committee spokesman said: “Consumers are still without sufficient safeguards to protect their privacy online. They need easy-to-use mechanisms, such as an opt-out option, when surfing their favorite websites. Ultimately, the Chairman believes that consumer privacy is a right, not a luxury, and that legislation is needed to empower consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit.”

However, the spokesman said it was too early to discuss specific committee plans for the new year.

cforms contact form by delicious:days

By Brett Coburn and Wes R. McCart, Alston & Bird, Atlanta

Nov. 21, 2011 marked the two-year anniversary of the effective date of the Genetic Information Nondiscrimination Act (GINA), which imposes limitations and special requirements on an employer’s acquisition and use of the genetic information of its employees. This article assesses the impact that GINA has had on employers by examining regulatory and judicial developments regarding the statute over the past two years, as well as recent efforts by several states to implement similar requirements at the state law level.

Summary of GINA’s Statutory and Regulatory Requirements

President Bush signed GINA into law on May 21, 2008 (7 PVLR 778, 5/26/08), and it went into effect on Nov. 21, 2009. As a general matter, GINA (1) prohibits the use of genetic information in making decisions related to any terms, conditions, or privileges of employment; (2) prohibits retaliation against individuals who oppose unlawful practices under GINA or participate in any investigation or proceeding under GINA; (3) restricts employers and other covered entities from requesting, requiring, or purchasing genetic information, with limited exceptions; and (4) generally requires employers and other covered entities to keep confidential any genetic information they have obtained about applicants and employees. GINA incorporates the enforcement provisions of Title VII, including the requirement that an aggrieved person file a charge of discrimination with the Equal Employment Opportunity Commission (EEOC) or a similar state or local agency. GINA also provides the same remedies that are available under Title VII, including compensatory and punitive damages.

EEOC is responsible for enforcing GINA. EEOC’s final regulations implementing the requirements of GINA are codified at 29 C.F.R. Part 1635 and went into effect Nov. 9, 2010 (9 PVLR 1559, 11/15/10). Among other things, the regulations provide additional detail regarding the definitions of several key terms of the statute, such as “genetic information,” “family member,” and “family medical information.” They also explain how GINA prohibits the use of genetic information in employment decisions. The regulations also make clear that GINA’s prohibition against acquisition of genetic information by employers is to be broadly construed, and they provide guidance regarding the limited circumstances in which employers may legally acquire genetic information. Additionally, the regulations detail employers’ obligations to keep genetic information confidential, as well as the limited situations in which disclosure of such information is permissible under the statute. While the regulations are ultimately helpful in providing guidance to employers about ensuring compliance with the requirements of GINA, they contain a number of technical requirements that could prove to be costly pitfalls for unwary employers. Several tips for avoiding these pitfalls are discussed in the final section of this article…

cforms contact form by delicious:days

By Kirk J. Nahra, Wiley Rein LLP, Washington

There’s a lot going on in the health care world today. Perhaps because of ongoing health care reform developments and the long-standing delay in issuing final amendment to the Health Insurance Portability and Accountability Act rules, the topic of health care privacy has been relatively quiet in 2011, as companies appear to be awaiting the final changes before making appropriate revisions to their privacy and security programs. What should we be watching for on health care privacy and security in 2012 (aside from the basic question of when the final rules amending the HIPAA regulations, which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, will be issued)?

• The HIPAA Audit Program

As a component of its HITECH Act obligations, the Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it was commencing an audit program to review overall compliance with HIPAA and HITECH Act obligations. One hundred and fifty audits will be conducted before the end of 2012, in two phases (following an initial phase that developed an audit protocol). The first phase will involve a “limited number” (according to HHS) of audits to “test these protocols.” Following this initial test, the remainder of the 150 audits will be conducted.

HHS has been somewhat cagey about how these audits will be used. For the most part, the goal is to identify compliance trends and areas where future guidance would be helpful. For all in the health care industry, this guidance presumably would be useful. HHS, frankly, has given surprisingly little guidance in recent years about any aspect of the privacy or security rules. If these audits can lead to specific advice about areas for additional attention, the health care industry, its business partners, and health care consumers all will benefit. If, however, this guidance rewrites the rules without the need for rulemaking procedures (as HHS could be accused of doing in connection with the proposed HIPAA Accounting of Disclosures Rule, see “The HIPAA Accounting NPRM and the Future of Health Care Privacy,” BNA’s Privacy & Security Law Report (10 PVLR 1007, 7/11/11), then this guidance, while still useful, may create its own problems or otherwise create nervousness and frustration.

Moreover, covered entities clearly will be concerned about the impact of these audits on their own compliance risks. The audits are supposed to be random—although there is no clear statement that the audits won’t also have a risk factor based on complaints or other history or particular targeted areas for attention. In addition, the burden of the audit procedure likely will be significant. To start, there is a 10-day turnaround for what is expected to be a significant set of document requests. Then, HHS auditors will be on-site for “3-10 days,” which brings with it a related set of burdens…

cforms contact form by delicious:days

The Office of Management and Budget Dec. 8 issued a policy memorandum on cloud computing vendor data security authorization to support an acquisition program designed to allow federal agencies to more quickly transition to cloud computing services.

OMB said the new memo will help advance the Obama administration’s Cloud First policy (10 PVLR 307, 2/21/11) as well as its International Strategy for Cyberspace (10 PVLR 773, 5/23/11).

The OMB memorandum to chief information officers outlined agency cloud data security oversight responsibilities and mandates the use of the Federal Risk and Authorization Management Program (FedRAMP) administered by the General Services Administration.

On Nov. 2, 2010, GSA announced the FedRAMP project with a document setting forth a comprehensive set of security requirements designed to expedite the certification and accreditation process for federal agencies looking to take advantage of cloud computing (9 PVLR 1544, 11/8/10).

But as the Government Accountability Office told a congressional panel in October, FedRAMP could not proceed without the now-released OMB memorandum (10 PVLR 1496, 10/17/11)…

cforms contact form by delicious:days

BNA: We wondered first about the Safe Harbor without you there. They’re not replacing you, right?

Greer: They’re not replacing me. Another person just started … she had her baptism of fire. We had a luncheon and she said, “Now I have an appreciation of what you did while you were there.” I said, “Well, welcome to my world.”

BNA: What was that world like?

Greer: Extremely busy. I kind of characterized it as something akin to strapping yourself into the seat of a jet fighter and going off at Mach 2 at 8:30 in the morning and going all day long. Fielding telephone calls, e-mail inquiries from companies, people wanting to know how the framework works, that sort of thing. And it goes on five days a week. I used to work on Saturdays from home just to keep my head above water.

BNA: And it’s mostly inquiries from companies?

Greer: Yes. With the rate of growth in Safe Harbor right now, even the addition of this other person is not going to help them. …

I know in your BNA article on the ICO [the U.K. Information Commissioner's Office] … certifying another company for BCRs [Binding Corporate Rules], they did 11 BCRs in the last [six years] or so (10 PVLR 1686, 11/21/11). Safe Harbor used to do that in two days. BCRs … large companies can afford that—J.P. Morgan Chase, Accenture, Hyatt Hotels, General Electric. Most of the companies in Safe Harbor are smaller companies. They’re below the Fortune 1,000. It just costs so much money to go through the process, even under the streamlined format that they supposedly have. I haven’t seen a groundswell of interest among the business community to take that option.

BNA: Are the number of organizations seeking Safe Harbor status up just this year?

Greer: It’s been rising since I took over in 2006. But it’s been gradual. Now their increase on average since 2009 has been between 20 and 22 percent a year over the prior year.

BNA: What was the biggest success of your time with the Safe Harbor program? …

cforms contact form by delicious:days

Social networking giant Facebook Inc. will have to give users “clear and prominent notice” and obtain “affirmative express consent” before sharing customers’ information beyond their existing privacy settings, under a proposed administrative consent order with the Federal Trade Commission made public Nov. 29 (In re Facebook Inc., FTC, No. 092 3184, consent order proposed 11/29/11).

After promising users that it would not share information with advertisers and that they could keep their information on Facebook private, the FTC alleged in an eight-count draft complaint that Facebook broke those promises and engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by changing privacy settings without users’ knowledge or consent.

David Navetta of the Information Law Group told BNA that since the United States lacks “specific legislation concerning some of the privacy issues that social media raises, the FTC is trying to bring high-profile actions against some of the bigger players in order to demonstrate where the FTC thinks certain lines should be drawn.”

A downside of that approach, he said, is that because the FTC is using its Section 5 powers, “it is difficult for companies to know exactly which practices may be acceptable versus not acceptable.”

On the plus side, he said, more FTC actions mean more “guidance” for companies on acceptable and not-acceptable practices.

Noting that the FTC has now brought Section 5 privacy enforcement actions against Facebook, Google Inc. (10 PVLR 1565, 10/31/11) and Twitter Inc. (9 PVLR 934, 6/28/10), Christopher Wolf, a partner with Hogan Lovells in Washington, said the industry standard “for privacy has not changed: before new uses of personal data are made, there must be appropriate notice and consent” to consumers.

“The challenge with new technologies, is when and where such notice and consent should occur,” he said…

cforms contact form by delicious:days

By Donald G. Aplin and Katie W. Johnson

The recent approval of new cross-border data transfer privacy rules by Asia Pacific Economic Cooperation (APEC) ministers is a significant step toward a global system for transferring personal information despite a dizzying array of disparate data privacy regimes, Martin Abrams, senior policy advisor and executive director at the Centre for Information Policy Leadership at Hunton & Williams, told BNA Nov. 15.

At the 19th APEC Economic Leaders’ Meeting in Honolulu, Hawaii, President Obama and other APEC leaders in a Nov. 13 declaration pledged to implement the new Cross Border Privacy Rules System. Under the rules, companies adopt and agree to abide by internal privacy rules coupled with third-party oversight.

Abrams noted that the declaration was no mere “tacit endorsement but a strong active endorsement” of rules that the APEC countries recognize as having an impact on their economic health.

By including the cross-border rules in its closing declaration, the member economies elevated the issue to the same level as more traditional economic and trade concerns, he added.

According to the declaration, the economic leaders of the 21 APEC member economies said that they would implement information and communication technology policies related to data privacy and security in order to “minimize the trade-distorting impact of and promote greater global alignment in those policies.”

The APEC economies include Australia, Brunei Darussalam, Canada, Chile, China, Hong Kong, Indonesia, Japan, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, South Korea, Thailand, Taiwan, the United States, and Vietnam.

The United States strongly supported adoption of the cross-border privacy rules and pushed hard for them to be approved now rather than later, Abrams said.

“The 21 member economies in APEC comprise a market of 2.7 billion consumers, account for 55 percent of global gross domestic product and 43 percent of total global trade. In addition, APEC member economies purchase 58 percent of U.S. exports,” the U.S. Department of Commerce said in a Nov. 14 statement.

An electronic health record (EHR) captures health data for treatment at the point of care but can also serve an important role for quality reporting, surveillance, and research. EHRs contain rich clinical and administrative health data from both primary and tertiary care health providers. They include data on efficacy, effectiveness, safety, and patient-level data, such as dosing patterns and treatment combinations, making EHRs a valuable resource for a myriad of observational research studies.

The term “secondary use” is used in the industry to refer to using data for a purpose (i.e., research) other than the purpose for which the data were initially collected (e.g., treatment). Recent developments in health information technology and health information exchange have made it easier for researchers to harness the value of electronically collected and transmitted health data, presenting a unique opportunity. More specifically, with the expected widespread adoption of EHRs, secondary use research has the potential to generate research findings that are more generalizable to a diverse population, as well as improve understanding of disease processes and the impact that social and behavioral factors have on illness. Increased secondary use research will save time and resources, as data sharing will enable researchers to maximize use of an existing data set for multiple studies. This in turn will limit the time and cost of finding and recruiting potential research subjects.

As noted, the benefits of secondary use research are significant, and advances—such as better detection of areas of the country where certain diseases are increasingly prevalent—are within the public interest. However, the individual’s privacy must be taken into consideration as well. Secondary use of identifiable health data collected for clinical or administrative purposes raises concerns of patient coercion or data misuse if proper safeguards are not in place. This article explores the current regulations governing the secondary use of data for research; the increasing need for an effective, comprehensive governing framework; and recent regulatory activity. While many issues still persist, there appears to be an emerging consensus on the general principles that should govern the secondary use of EHR data for research.

cforms contact form by delicious:days

By Hugh B. Kaplan

The U.S. Supreme Court heard oral argument Nov. 8 in a criminal case that some privacy advocates are casting as one of the most important to come before the justices in decades (United States v. Jones, U.S., No. 10-1259,oral arguments 11/8/11).

The case asks the court to decide what limits, if any, the Fourth Amendment places on the government’s authority to use global positioning system devices to conduct continuous, long-term surveillance of the movements of a suspect’s vehicle.

Dozens of organizations, law professors, and others have filed friend of the court briefs urging the court to use the case to establish general constitutional principles that will guide resolution of future clashes between society’s interests in privacy, technology, and law enforcement.

None of the friends of the court, however, appeared at oral argument, and the parties themselves each presented to the court a way to decide the case without having to resolve the larger privacy questions.

Moreover, the court itself asked the parties to brief and argue an issue regarding the installation of the GPS device that the lower court did not address. A decision on this issue could obviate the need for the court to get into the thornier GPS monitoring issue.

Ruling Impact on Other Mobile Devices?

Depending on the scope of the court’s ruling on GPS, there may nevertheless be a spillover impact on the privacy of other mobile devices, the Center for Democracy and Technology said in a Nov. 8 policy post.

“[T]he Court’s decision may also shed light on whether government agents are required to get a warrant before accessing location information generated by use of a cellular telephone, laptop computer, tablet computer, or other mobile computing device,” CDT said.

“While the methodology of mobile phone tracking differs from GPS—and the courts may find that accessing information from a third party service provider is constitutionally different from accessing information from a device the government installs directly—the privacy interests at stake are quite similar,” CDT said…

cforms contact form by delicious:days

By Alexei Alexis

The cyber theft of U.S. companies’ trade secrets by foreign actors has become a “significant and growing” threat to the nation’s prosperity and security, the Obama administration said in an intelligence report released Nov. 3.

The report, which the Office of the National Counterintelligence Executive prepared for Congress, identified China in particular as having the world’s most “active and persistent” perpetrators of industrial espionage.

“Increasingly, economic collection and industrial espionage occur in cyberspace, reflecting dramatic technological, economic, and social changes that have taken place in recent years in the ways that economic, scientific, and other sensitive information is created, used, and stored,” the report said, noting that nearly all business records are digitized and accessible on networks worldwide.

Economic Cost Hard to Quantify, Report Says

While there are huge economic implications, quantifying the problem is difficult due to a lack of adequate information from U.S. firms, which have no legal obligation to provide such data to the government…

cforms contact form by delicious:days