<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>U.S. Law Watch &#187; Data Security</title>
	<atom:link href="http://www.uslawwatch.com/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.uslawwatch.com</link>
	<description>U.S. Legal &#38; Regulatory Headlines</description>
	<lastBuildDate>Thu, 26 Jan 2012 18:07:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Office of Management and Budget Issues New Cloud Data Security Policy To Support Service Provider Approval System</title>
		<link>http://www.uslawwatch.com/2011/12/15/privacy/office-management-budget-issues-cloud-data-security-policy-support-service-provider-approval-system/</link>
		<comments>http://www.uslawwatch.com/2011/12/15/privacy/office-management-budget-issues-cloud-data-security-policy-support-service-provider-approval-system/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 14:30:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Government Operations]]></category>
		<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=4174</guid>
		<description><![CDATA[The Office of Management and Budget issued a policy memorandum on cloud computing vendor data security authorization to support an acquisition program designed to allow federal agencies to more quickly transition to cloud computing services...]]></description>
			<content:encoded><![CDATA[
<p>The Office of Management and Budget Dec. 8 issued a policy memorandum on cloud computing vendor data security authorization to support an acquisition program designed to allow federal agencies to more quickly transition to cloud computing services.</p>
<p>OMB said the new memo will help advance the Obama administration&#8217;s Cloud First policy (10 PVLR 307, 2/21/11) as well as its International Strategy for Cyberspace (10 PVLR 773, 5/23/11).</p>
<p>The OMB memorandum to chief information officers outlined agency cloud data security oversight responsibilities and mandated the use of the Federal Risk and Authorization Management Program (FedRAMP) administered by the General Services Administration.</p>
<p>On Nov. 2, 2010, GSA announced the FedRAMP project with a document setting forth a comprehensive set of security requirements designed to expedite the certification and accreditation process for federal agencies looking to take advantage of cloud computing (9 PVLR 1544, 11/8/10).</p>
<p>But as the Government Accountability Office told a congressional panel in October, FedRAMP could not proceed without the now-released OMB memorandum (10 PVLR 1496, 10/17/11)&#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/12/15/privacy/office-management-budget-issues-cloud-data-security-policy-support-service-provider-approval-system/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: Electronic Health Records Data and Secondary Use Research</title>
		<link>http://www.uslawwatch.com/2011/12/01/privacy/bna-insights-electronic-health-records-data-secondary-research/</link>
		<comments>http://www.uslawwatch.com/2011/12/01/privacy/bna-insights-electronic-health-records-data-secondary-research/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 15:41:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[E-Health]]></category>
		<category><![CDATA[Health Information]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=4148</guid>
		<description><![CDATA[An electronic health record (EHR) captures health data for treatment at the point of care but can also serve an important role for quality reporting, surveillance, and research...]]></description>
			<content:encoded><![CDATA[
<div>
<p><em>By <strong>Nadine P. Peters</strong>, Hogan Lovells US LLP, Washington</em></p>
</div>
<p>An electronic health record (EHR) captures health data for treatment at the point of care but can also serve an important role for quality reporting, surveillance, and research. EHRs contain rich clinical and administrative health data from both primary and tertiary care health providers. They include data on efficacy, effectiveness, safety, and patient-level data, such as dosing patterns and treatment combinations, making EHRs a valuable resource for a myriad of observational research studies.</p>
<p>The term “secondary use” is used in the industry to refer to using data for a purpose (i.e., research) other than the purpose for which the data were initially collected (e.g., treatment). Recent developments in health information technology and health information exchange have made it easier for researchers to harness the value of electronically collected and transmitted health data, presenting a unique opportunity. More specifically, with the expected widespread adoption of EHRs, secondary use research has the potential to generate research findings that are more generalizable to a diverse population, as well as improve understanding of disease processes and the impact that social and behavioral factors have on illness. Increased secondary use research will save time and resources, as data sharing will enable researchers to maximize use of an existing data set for multiple studies. This in turn will limit the time and cost of finding and recruiting potential research subjects.</p>
<p>As noted, the benefits of secondary use research are significant, and advances—such as better detection of areas of the country where certain diseases are increasingly prevalent—are within the public interest. However, the individual&#8217;s privacy must be taken into consideration as well. Secondary use of identifiable health data collected for clinical or administrative purposes raises concerns of patient coercion or data misuse if proper safeguards are not in place. This article explores the current regulations governing the secondary use of data for research; the increasing need for an effective, comprehensive governing framework; and recent regulatory activity. While many issues still persist, there appears to be an emerging consensus on the general principles that should govern the secondary use of EHR data for research.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/12/01/privacy/bna-insights-electronic-health-records-data-secondary-research/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: The Securities and Exchange Commission&#8217;s Guidance On Cybersecurity and Cyber Incident Disclosure</title>
		<link>http://www.uslawwatch.com/2011/11/03/privacy/bna-insights-securities-exchange-commissions-guidance-cybersecurity-cyber-incident-disclosure/</link>
		<comments>http://www.uslawwatch.com/2011/11/03/privacy/bna-insights-securities-exchange-commissions-guidance-cybersecurity-cyber-incident-disclosure/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 16:29:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Corporate Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breaches]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Financial Services]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=4109</guid>
		<description><![CDATA[The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities. The SEC said recently that it has observed “an increased level of attention focused on cyberattacks.”...]]></description>
			<content:encoded><![CDATA[
<p><em>By <strong>Melissa J. Krasnow</strong>, Dorsey &amp; Whitney LLP, Minneapolis</em></p>
<h3>Background</h3>
<p>The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities. The SEC said recently that it has observed “an increased level of attention focused on cyberattacks.”</p>
<p>The rash of costly cyberattacks against companies like Epsilon and Sony, among others, gave the SEC cause to implement new cybersecurity disclosure requirements.</p>
<p>On Oct. 13 the SEC Division of Corporation Finance issued guidance for public companies regarding their disclosure obligations relating to cybersecurity (i.e., the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access) risks and cyber incidents in light of a public company&#8217;s specific facts and circumstances. The guidance is not a rule, regulation or statement of the SEC.</p>
<p>The federal securities laws are designed in part for disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no disclosure requirement specifically refers to cybersecurity risks and cyber incidents, the guidance provides an overview of the following particular disclosure obligations that may require discussion of cybersecurity risks and cyber incidents: (1) risk factors, (2) management&#8217;s discussion and analysis of financial condition and results of operations (MD&amp;A), (3) description of business, (4) legal proceedings, (5) financial statement disclosure and (6) disclosure controls and procedures.</p>
<h3>Risk factors</h3>
<p>A public company should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. A cybersecurity risk disclosure made by a company must adequately describe the nature of the material risks and specify how each risk affects the particular public company. Generic risk factor disclosure should be avoided.</p>
<p>A public company should evaluate its cybersecurity risks and consider previous cyber incidents (including severity and frequency), the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks (including the potential costs and other consequences). In evaluating whether risk factor disclosure should be provided, a public company also should consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which it operates and risks to that security (including threatened attacks it is not aware of).</p>
<p>Examples of disclosures may include: (1) discussion of aspects of the public company&#8217;s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) to the extent the public company outsources functions that have material cybersecurity risks, a description of those functions and how the public company addresses those risks; (3) a description of cyber incidents experienced by the public company that are individually, or in the aggregate, material, including a description of the costs and other consequences; (4) risks related to cyber incidents that may remain undetected for an extended period and (5) a description of relevant insurance coverage.</p>
<p>The federal securities laws do not require disclosure that itself would compromise a public company&#8217;s cybersecurity. Instead, a public company should provide sufficient disclosure to allow investors to appreciate the nature of the risks that it faces in a manner that would not have that consequence&#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/11/03/privacy/bna-insights-securities-exchange-commissions-guidance-cybersecurity-cyber-incident-disclosure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: Contracting for Payment Card Industry Data Security Standard Compliance in the Cloud</title>
		<link>http://www.uslawwatch.com/2011/08/25/privacy/bna-insights-contracting-payment-card-industry-data-security-standard-compliance-cloud/</link>
		<comments>http://www.uslawwatch.com/2011/08/25/privacy/bna-insights-contracting-payment-card-industry-data-security-standard-compliance-cloud/#comments</comments>
		<pubDate>Thu, 25 Aug 2011 20:09:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Credit]]></category>
		<category><![CDATA[Data Security]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=4013</guid>
		<description><![CDATA[As merchants move to reap the functional and operational benefits of virtualized environments, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is becoming increasingly complicated, yet all the more essential to the protection of cardholder data...]]></description>
			<content:encoded><![CDATA[
<p><em>By <strong>Randall S. Parks</strong>, <strong>Andrew G. Geyer</strong>, <strong>Melinda L. McLellan</strong> and <strong>Efe Stella Edosomwan</strong>,<br />
Hunton &amp; Williams LLP, Richmond, Va. and New York</em></p>
<h3>Introduction</h3>
<p>As merchants move to reap the functional and operational benefits of virtualized environments, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is becoming increasingly complicated, yet all the more essential to the protection of cardholder data. In addition to the formidable threats posed by the physical infrastructure of client-server computing, the complexity of virtual environments creates unique security challenges for merchants processing sensitive information on virtual machines over which they have only limited control. Although many merchants have outsourced data storage and processing to third parties, ultimate responsibility for securing customer data remains with the merchant. This article discusses the PCI DSS compliance requirements of merchants and cloud providers, and suggests a framework for contracting for that compliance.</p>
<h3>New Guidance for Complying with PCI Data Security Standard Has Significant Implications for Merchants and Cloud Providers</h3>
<p>On June 14, the Virtualization Special Interest Group of the PCI Security Standards Council published its PCI DSS Virtualization Guidelines Information Supplement to Version 2.0 of the PCI DSS. For merchants (defined broadly as any entity that accepts payment cards bearing the logos of PCI Security Standards Council members American Express, Discover, JCB, MasterCard or Visa), the Guidelines make clear that unquestioning reliance on a service provider&#8217;s assertion of PCI compliance is inadequate and risky. For cloud providers, the increased focus on applying the PCI DSS in virtual environments means they must prepare to respond to customer questions and convincingly demonstrate their ability to comply.</p>
<p>As the Guidelines point out, new vulnerabilities in virtualized environments can threaten an individual virtual machine that may itself be secure. The consolidation of resources inherent in virtual environments increases the risk that a single point of failure will expose multiple customers. On a more basic level, failure to comply with the PCI DSS also may jeopardize a merchant&#8217;s ability to process credit card transactions. The stakes are further increased by the emergence of state data security laws that incorporate the PCI DSS in its entirety. Nevada&#8217;s law on the Security of Personal Information, for example, requires that merchants doing business in Nevada and accepting payment cards must comply “with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council” (NRS Chapter 603A) (8 PVLR 821, 6/8/09). See our Client Alert on this topic.</p>
<p>The Guidelines not only provide context for the application of the PCI DSS to cloud and other virtual environments, they also include at least three critical reminders: first, the PCI DSS applies to those environments without exception; second, critical analysis of the application of the PCI DSS to rapidly evolving cloud offerings is essential to compliance; and third, cloud providers must be prepared to include necessary controls in their contracts. The Guidelines offer high-level vocabulary and technical advice, cataloging common components of virtualized environments and identifying those that are likely to be “in scope” for PCI DSS purposes. A number of recommendations and suggested best practices are included in the Guidelines, most of which focus on the critical need for precise technical understanding of how each virtual environment operates with respect to cardholder data as an essential first step in assessing PCI DSS compliance. To facilitate compliance, the Guidelines also include an appendix that provides a detailed list of virtualization considerations relevant to each of the 12 requirements of the DSS. Of particular relevance to cloud offerings, the Guidelines emphasize the importance of ensuring that the service offering is able to isolate each customer&#8217;s environment using controls such as segmented authentication, network access controls, encryption and logging&#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/08/25/privacy/bna-insights-contracting-payment-card-industry-data-security-standard-compliance-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: High-Profile Breaches Spur Congressional Activity on Privacy, Data Security Policy</title>
		<link>http://www.uslawwatch.com/2011/07/29/privacy/bna-insights-highprofile-breaches-spur-congressional-activity-privacy-data-security-policy/</link>
		<comments>http://www.uslawwatch.com/2011/07/29/privacy/bna-insights-highprofile-breaches-spur-congressional-activity-privacy-data-security-policy/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 08:44:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Breaches]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Telecommunications]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3970</guid>
		<description><![CDATA[With a Republican-controlled House opposite a Democratic-controlled Senate, and presidential and congressional elections looming in less than sixteen months, few proposals of significance are capable of advancing to become law...]]></description>
			<content:encoded><![CDATA[
<p><img src="http://news.bna.com/pvln/core_adp/get_object/im196374.png" alt="Francine Friedman" /><img src="http://news.bna.com/pvln/core_adp/get_object/im196372.png" alt="Jamie Tucker" /><img src="http://news.bna.com/pvln/core_adp/get_object/im196373.png" alt="Jo-Ellyn Sakowitz Klein" /> <img src="http://news.bna.com/pvln/core_adp/get_object/im196375.png" alt="Kristofer Ekdahl" /></p>
<p><em>By<strong> Francine Friedman, Jamie Tucker, Jo-Ellyn Sakowitz Klein</strong>, and <strong>Kris Ekdahl</strong>, Akin Gump Strauss Hauer &amp; Feld LLP, Washington</em></p>
<p>With a Republican-controlled House opposite a Democratic-controlled Senate, and presidential and congressional elections looming in less than sixteen months, few proposals of significance are capable of advancing to become law. Data security and consumer privacy, however, are hot-button issues that are gaining traction and may yield consensus for a new regulatory framework. Bipartisan and bicameral support exists in Congress for updated data security and privacy laws, and the Obama administration is actively engaged. New regulations could directly impact any entity that collects, stores, or shares data on a large scale. Data brokers, online marketers, advertising agencies, ad networks, retailers, banks and other financial services companies, media and publishing companies, automobile manufacturers, mobile application developers, companies selling consumer packaged goods, law enforcement, web browsers, large employers, website operators, credit reporting agencies, and nonprofit organizations (including universities) need to be aware of these policy debates and prepare for the possibility of new regulation in the near future.</p>
<p>A string of high-profile incidents has accelerated the drumbeat in Washington for increased regulation. Major corporations and even government entities have fallen victim to large-scale data breaches, and many mobile devices have been discovered to allow tracking and recording of users&#8217; locations. Names, birth dates, Social Security numbers, e-mail addresses, passwords, locations, and even credit or debit card numbers increasingly seem at risk, fueling the anger of privacy watchdogs and galvanizing policymakers.</p>
<h3>Congress, Administration Respond to Breaches</h3>
<p>Congress and federal agencies have scrambled to respond to privacy advocates&#8217; outcry for increased regulation. More than a dozen bills have been introduced in the first session of the 112th Congress, and the Federal Trade Commission (FTC) and Department of Commerce have published their own recommendations.</p>
<p>The proposals pertain to three areas that often overlap: online and point-of-sale privacy, mobile device privacy, and data security and breach notification. The scope of the various proposals is sufficiently broad that if enacted in part or in full, entities across the spectrum would be impacted.</p>
<p>With so much at stake, this is a critical moment for covered entities to educate themselves and consider adding their voices to the policy debate in Washington. Moreover, now is an ideal time for these groups to assess their privacy and security procedures to ensure compliance with legal and industry best practices frameworks currently in place on both the national and state levels.</p>
<p>This article will help covered entities navigate the evolving consumer privacy debate. It analyzes key pending regulatory proposals in Congress and the federal agencies, the practical implications of proposed regulations, how these proposals might interact with existing law, and what companies and nonprofit organizations should do today to comply with the complicated patchwork of privacy regulations currently in place.</p>
<h3>Bills on Consumer Privacy, Data Security</h3>
<p>Recent proposals pertain to three general topics.</p>
<p>First, consumer privacy bills seek to help consumers control what personal information is collected, used, stored, or shared based on their online and point-of-sale behavior. Second, mobile privacy bills seek to help consumers take control of what information is collected, used, stored, or shared based on their mobile device usage and their geolocation footprint. Third, data security and breach notification bills seek to implement new protocols for protecting data and to create a national standard for notifying affected individuals and government agencies when a breach has occurred. Some of the proposals under discussion by policymakers span more than one of these categories.</p>
<h3>Various Approaches to Privacy Issues</h3>
<p>Six bills have been introduced this year that pertain primarily to online and point-of-sale privacy. By browsing the internet or making purchases at a store, consumers reveal valuable information that is used to build user profiles based on their location, their tastes and interests, their contact information, and perhaps even their debit or credit card numbers. This data can be very valuable for behavioral marketers, which is why the practice of collecting and selling consumer data has grown so rapidly.</p>
<p>Privacy bills seek to change how consumer information is collected, stored, used, and shared, and what consumers are told about these practices. Bills regarding data collection call for opt-out or opt-in mechanisms that require express consent from the consumer before any personal information can be collected. Bills addressing data storage place new limits on the scope and duration of data retention and also impose new security procedures to safeguard information. Bills regarding data use and data sharing impose limits on the purposes for which data may be used, restrict with whom a data collector (e.g., a retailer) can share information, and set new standards for whether consumer consent or notification is necessary before information can be used in certain ways or shared with a third party.</p>
<div>
<p>Each of the privacy-focused bills differs slightly, but the above themes generally characterize this group of proposals. Key privacy proposals include:</p>
<ul>
<li>Rep. Jackie Speier (D-Calif.): Do Not Track Me Online Act of 2011 (H.R. 654). This bill would require opt-out mechanisms for the collection or use of online and personal data (10 PVLR 251, 2/14/11).</li>
<li>Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.): Commercial Privacy Bill of Rights Act of 2011 (S. 799). This bill would require opt-out mechanisms for data use or sharing, as well as opt-in consent for the collection, storage, or sharing of sensitive personal information (10 PVLR 602, 4/18/11).</li>
<li>Rep. Bobby Rush (D-Ill.): Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards (BEST PRACTICES) Act (H.R. 611). This bill is similar in structure to the Kerry-McCain proposal. It calls for opt-out mechanisms for data collection and storage, as well as opt-in consent for certain third-party information sharing (10 PVLR 251, 2/14/11).</li>
<li>Rep. Cliff Stearns (R-Fla.): Consumer Privacy Protection Act of 2011 (H.R. 1528). This bill would allow consumers to opt out of having their personally identifiable information shared with third parties (10 PVLR 602, 4/18/11).</li>
<li>Sen. John D. Rockefeller IV (D-W.Va.): Do-Not-Track Online Act of 2011 (S. 913). As chairman of the Senate Commerce Committee, Sen. Rockefeller will play a central role in shaping Senate proposals on privacy and data security. His bill would give consumers the ability to opt out of having their online data tracked and stored. Rockefeller&#8217;s proposal would go one step further than the aforementioned privacy bills by also imposing limits on data collection from mobile devices (10 PVLR 732, 5/16/11).</li>
<li>Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas): Do-Not-Track-Kids Act (H.R. 1895). Markey and Barton are co-chairmen of the Bipartisan Congressional Privacy Caucus. Their proposal would forbid online companies from using personal information for targeted marketing to children, would empower parents to delete their children&#8217;s digital footprint, and would require parental consent for any data tracking online or on mobile devices (10 PVLR 772, 5/23/11)&#8230;
<p style="text-align: center;"><img class="aligncenter" src="http://news.bna.com/pvln/core_adp/get_object/im196337.png" alt="Data Security or Breach Notification" width="242" height="250" /></p>
</li>
</ul>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/07/29/privacy/bna-insights-highprofile-breaches-spur-congressional-activity-privacy-data-security-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: The Proliferation of Mobile Devices and Apps for Health Care: Promises and Risks</title>
		<link>http://www.uslawwatch.com/2011/06/29/privacy/bna-insights-proliferation-mobile-devices-apps-health-care-promises-risks/</link>
		<comments>http://www.uslawwatch.com/2011/06/29/privacy/bna-insights-proliferation-mobile-devices-apps-health-care-promises-risks/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 14:46:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[E-Health]]></category>
		<category><![CDATA[Health Information]]></category>
		<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3897</guid>
		<description><![CDATA[The popularity of smartphones like the Droid and iPhone as well as tablet devices such as the iPad means that people are able to accomplish many things without physically sitting in front of a computer or even being in the office...]]></description>
			<content:encoded><![CDATA[
<div><em>By <strong>Peter McLaughlin</strong>, Foley  &amp; Lardner LLP, Boston</em></div>
<h3>1) Introduction</h3>
<p>The popularity of smartphones like the Droid and iPhone as well as  tablet devices such as the iPad means that people are able to accomplish many  things without physically sitting in front of a computer or even being in the  office. Apple currently claims over 90,000 apps for the iPad, many of which are  in the health and health care category. After weeding out those directed toward  consumers, several hundred are intended for physicians, nurses and clinicians.  These health apps range from disease reference guides to remote EKG monitoring,  which may also be connected to an EHR (electronic health record).</p>
<p>The promise of such devices and applications is that enhanced  mobility and access to information will improve the way in which physicians and  their teams interact with patient health information. Physician groups and  hospitals should consider the implications, however, of how they use these  devices. While a small number are regulated to date by the FDA as medical  devices, the storage and wireless transmission of PHI (protected health  information) to and from these tools means that the Health Insurance Portability  and Accountability Act (HIPAA) Privacy Rule and Security Rule will impact  covered entities and business associates using them.</p>
<p>The benefits of health apps on mobile devices, then, must be  balanced against the extra care required to ensure that doctors and others are  properly protecting the data on these devices. In addition to the Security Rule,  the new Health and Human Services Breach Notification Rule and associated  Technology Guidance apply. In an era when people seem to lose portable devices  with remarkable frequency, it is important to consider how to incorporate mobile  devices into a practice and validate that the device or application(s) can  support your compliance with HIPAA and other rules.</p>
<h3>2) Proliferation of Devices and Apps</h3>
<p>In releasing a study on physicians&#8217; use of technology, Manhattan  Research reported in May 2011 that thirty percent of doctors are using iPads to  access EHRs, to view results such as radiology images, and to communicate with  patients. While a search for “health” on the iPad App Store yields a wide  variety of consumer-oriented tools, an increasing number of these apps  facilitate a physician&#8217;s practice.</p>
<p>A quick review of iPad apps for doctors, nurses and clinicians displays a wide range of these tools. These include drug-interaction checkers, medical dictionaries, diagnostic lab test tools and disease treatment guides. While most of these apps are used as reference sources and thus would not contain any PHI, an increasing number provide access to EHRs, capture patient data, transmit prescription renewals, and offer clinical decision support. Many of these apps also provide for the remote monitoring of patient vital signs, such as an EKG-reading app, and for accessing patient charts and x-ray images. There is also a new blood pressure monitor that has received FDA approval. A recent study by PricewaterhouseCoopers estimated that the annual market for mobile monitoring devices ranges from $7.7 billion to $43 billion.</p>
<h3>3) Keep HIPAA in Mind</h3>
<h5>a) HIPAA Security Rule</h5>
<p>Arguably, one of the drivers of mobile devices in health care is  the federal government&#8217;s push to move patient records into digital systems or  EHRs for which the Health Information Technology for Economic and Clinical  Health Act (HITECH Act) provides significant funding over the coming  years. With the financial incentives, however, the HITECH Act expanded portions  of HIPAA directly to business associates and initiated breach reporting  obligations for covered entities. As physicians increasingly leverage iPads and  similar devices for managing patient data, it remains critical that these  devices and apps enable health care users to comply with the requirements of the  HIPAA Security Rule.</p>
<p>The HIPAA Security Rule applies to electronic PHI held by covered  entities and, since the amendments of  the HITECH Act, business associates. Section 164.308(a)(1)(ii)(A) of the  Security Rule requires that a covered entity conduct a risk analysis to assess  the nature and volume of ePHI and the risks of unauthorized use or disclosure of  this patient information. A covered entity must then implement administrative,  technical and physical safeguards appropriate to the risks and vulnerabilities  identified in the risk analysis. The purpose of these safeguards is to assure  the confidentiality, integrity and availability of patient information.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/06/29/privacy/bna-insights-proliferation-mobile-devices-apps-health-care-promises-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Proposes HIPAA Privacy Rule Revisions On Disclosures Accounting, Access Reporting</title>
		<link>http://www.uslawwatch.com/2011/06/13/privacy/ocr-proposes-hipaa-privacy-rule-revisions-disclosures-accounting-access-reporting-2/</link>
		<comments>http://www.uslawwatch.com/2011/06/13/privacy/ocr-proposes-hipaa-privacy-rule-revisions-disclosures-accounting-access-reporting-2/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 12:45:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[E-Health]]></category>
		<category><![CDATA[Health Information]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3797</guid>
		<description><![CDATA[A recently published health data privacy proposed rule goes beyond legal requirements and would be burdensome for the health care industry by creating two separate new rights for individuals—one allowing requests for a full accounting of access to their electronic or paper protected health information, and a second allowing requests for information about who has accessed their PHI in electronic form...]]></description>
			<content:encoded><![CDATA[
<p><em>By <strong>Kendra Casey Plank</strong></em></p>
<p>A recently published health data privacy <a href="http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf" target="_blank">proposed rule</a> goes beyond legal requirements and would be burdensome for the health care industry by creating two separate new rights for individuals—one allowing requests for a full accounting of access to their electronic or paper protected health information, and a second allowing requests for information about who has accessed their PHI in electronic form—attorneys contacted by BNA said.</p>
<p>The Department of Health and Human Services Office for Civil Rights&#8217; proposed Accounting of Disclosures Rule would revise the Health Insurance Portability and Accountability Act Privacy Rule to modify existing standards for the accounting of disclosures of individuals&#8217; protected health information by HIPAA covered entities and business associates, as well as add new requirements that covered entities be able to report to patients about who has accessed their electronic health records (76 Fed. Reg. 31426, 5/31/11).</p>
<p>The changes were proposed, in part, to comply with a  mandate in the Health Information Technology for Economic and Clinical  Health (HITECH) Act that covered entities be able to account, for broader reasons than  provided under existing requirements, for how patients&#8217; health data were  shared.</p>
<p>“The intent of the access report is to allow individuals  to learn if specific persons have accessed their electronic designated  record set information,” OCR said in the proposed rule. OCR noted,  however, that the proposed access reports would not provide details  about why a person accessed such data.</p>
<p>“In contrast, the intent of the accounting of disclosures  is to provide more detailed information (a ‘full accounting&#8217;) for  certain disclosures that are most likely to impact the individual,” OCR said.</p>
<p>OCR said meeting a detailed accounting of disclosures  request “is generally a manual, expensive, and time consuming process  for covered entities and business associates.”</p>
<p>By comparison, the agency said it believed creating an  access report would be less burdensome because it would be an automated  process and would involve electronic information covered entities  already are required to collect under the HIPAA Security Rule.</p>
<h3>‘Problematic’ Proposal</h3>
<p>Health care attorneys told BNA that the revised  accounting of disclosures standard and the new access report  requirements could pose significant burdens on covered entities and  business associates.</p>
<p>Kirk J. Nahra of Wiley Rein LLP, in Washington, called the proposal “problematic.”</p>
<p>Nahra said the “proposed rule goes far beyond the HITECH statutory provisions to fundamentally restructure the accounting right, and in that context will create substantial problems and challenges for every participant in the health care industry and their business associates.”</p>
<p>Furthermore, Nahra said the access report requirement  went far beyond existing requirements under the Security Rule, which he  said requires “drastically less” than OCR is proposing. &#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/06/13/privacy/ocr-proposes-hipaa-privacy-rule-revisions-disclosures-accounting-access-reporting-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: Advice to Hospitals and Physician Practices: Protecting Your Data in an Uncertain HIT World</title>
		<link>http://www.uslawwatch.com/2011/06/02/privacy/bna-insights-advice-hospitals-physician-practices-protecting-data-uncertain-hit-world/</link>
		<comments>http://www.uslawwatch.com/2011/06/02/privacy/bna-insights-advice-hospitals-physician-practices-protecting-data-uncertain-hit-world/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 15:01:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[E-Health]]></category>
		<category><![CDATA[Health Information]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3775</guid>
		<description><![CDATA[HIT Vendors:
Until the long-term prospects of health information technology vendors become more predictable, it is likely that a customer entering into a contract today with one HIT vendor will not be working with that same vendor in a decade or less. The author highlights a few steps health care providers can take to ensure that, however the relationship with the vendor ends, the customer's interests, and data, will be protected...]]></description>
			<content:encoded><![CDATA[
<p style="font-size: 19.5px; line-height: 28.5px;"><em style="font-size: 19.5px; line-height: 28.5px;">By <strong style="font-size: 19.5px; line-height: 28.5px;">Debra Alligood White</strong>, Manatt, Phelps &amp;  Phillips LLP, Washington.</em></p>
<p style="font-size: 19.5px; line-height: 28.5px;">The Health Information Technology for Economic and Clinical Health  (HITECH) Act&#8217;s promise of billions of dollars in government  incentives has not only increased the pace of provider adoption of integrated  health information technology (HIT) solutions but has also sparked enormous  growth in the HIT vendor community. As yet, none of the hundreds of HIT vendors  has emerged as the predominant market leader. It is therefore difficult to  predict which vendors will survive the inevitable consolidation of the market.  Selecting the right vendor to handle a major HIT project in this environment can  be challenging because of the vast unknowns: Will data in legacy systems migrate  over to the new system smoothly? Will the chosen technology keep pace with  evolving trends and standards? And, perhaps foremost in the minds of the  providers who will have to rely on the systems, will the patient records they  need be available when they need them?</p>
<p style="font-size: 19.5px; line-height: 28.5px;">At negotiating sessions, as at weddings, it is often seen as bad  form to discuss divorce or end-of-life at the joyous occasion. But, until the  long-term prospects of HIT vendors become more predictable, it is likely that a  customer that enters into a contract today with one HIT vendor will not be  working with that same vendor in a decade or less. This article will highlight a  few steps a customer can take to ensure that, however the relationship with the  vendor ends, the customer&#8217;s interests, and data, will be protected.</p>
<h3 style="font-size: 22.825px; line-height: 28.5px;">Vendor  Selection</h3>
<p style="font-size: 19.5px; line-height: 28.5px;">There are any number of reasons why an HIT vendor might suddenly  disappear without a forwarding address, from financial distress to being  purchased by a competitor to being sued for intellectual property infringement.  Unfortunately, the likelihood of any of these developments occurring is  difficult to assess from information typically gathered in a competitive vendor  selection process or during the course of negotiations. Understanding the  history of the company, learning the identity of the management, financial  backers and board of directors, and hearing what the existing customers, media  reports, and third-party rankings have to say about the vendor may, however,  provide some indication of the seriousness of the venture.</p>
<h3 style="font-size: 22.825px; line-height: 28.5px;">Data  Ownership, Escrow, Migration, and Retrieval Rights</h3>
<p style="font-size: 19.5px; line-height: 28.5px;">While many sectors of society, like banking and streaming music services, have become accustomed to arrangements where a user&#8217;s applications and data are stored remotely and accessed through a secure internet connection, the medical community is among those sectors that are moving to the “cloud” with a bit more caution. There are several reasons to select a web-based solution, including speedier deployment, lower implementation costs, upgrades and regular system maintenance being baked into a subscription-like fee, and the ability to access data from internet-connected devices even if a customer&#8217;s computer system goes down. A major concern, however, with web-based HIT systems is that a physician&#8217;s data will not be sitting down the hall from her when she needs them. This concern can be minimized by close scrutiny of the vendor&#8217;s data storage, back-up, failover, redundancy, and recovery arrangements. In addition, the contract should include a requirement that the vendor notify the customer before changing any of those arrangements so that, if the vendor suddenly “goes dark,” the customer at least has some clues about where its data are.</p>
<p style="font-size: 19.5px; line-height: 28.5px;">Another approach is for the customer to request that the vendor  establish a “software-as-a-service escrow,” where the vendor deposits the source  code along with certain development and maintenance tools and customer data with  a third-party escrow agent. The terms of the escrow agreement will specify the  circumstances, typically after a vendor has either gone out of business or  refused to perform certain essential functions, under which the customer will  have the right to use the escrowed materials in order to operate and maintain  the software or retrieve data from the system. From the customer&#8217;s perspective,  the biggest advantage of an escrow arrangement is that, provided the escrow is  established at about the same time as the contract is initially entered into,  the subsequent filing of bankruptcy by or against the vendor should not  interdict the escrow release. Vendors generally abhor these arrangements,  although carefully tailoring the release conditions and narrowly defining the  customers&#8217; ability to use the escrowed source code after its release may address  some vendor objections.</p>
<p style="font-size: 19.5px; line-height: 28.5px;">In order to cover situations that do not trigger a release of the  escrow, customers also should seek to secure data retrieval and migration  services that the vendor would be obligated to provide even if, for instance,  the contract were terminated for customer breach. The cost (or at least the  basis for pricing) for these services should be established up front and any  circumstances under which the services would be provided at no cost to the  customer should be enumerated.</p>
<p style="font-size: 19.5px; line-height: 28.5px;">Especially where the HIT solution is “software-as-a-service” or  “cloud-based,” one very basic and important step that a customer can take to  protect its data from the eddy of a failing vendor is to make it clear—to the  vendor and the vendor&#8217;s landlords, equipment lessors and creditors—that the data  being stored, processed, transmitted, and generated by the vendor&#8217;s HIT  application does not belong to the vendor. The fact that the vendor has no  lienable interest in the data may seem so obvious that it falls into the  category of things that “go without saying.” However, the law places a high  premium on the concept of notice, particularly where there are competing rights  in property, so it is advisable to include in the contract a  statement regarding data ownership rather than leaving it open to question as to  why it was not included. Further, the vendor should  acknowledge that under no circumstance will the vendor  have the right to deny the customer access to its data residing on the vendor&#8217;s  system.<a style="font-size: 19.5px; line-height: 9px;" name="a0c7w0v7m6_ref"></a> The vendor has many remedies  under the law and in equity for any wrong done to it by the customer—holding the  data hostage for a late payment or an extra user or two need not be one of them&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/06/02/privacy/bna-insights-advice-hospitals-physician-practices-protecting-data-uncertain-hit-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Cybersecurity Legislative Proposal Includes Mandatory Breach Notice Provision</title>
		<link>http://www.uslawwatch.com/2011/05/16/privacy/obama-cybersecurity-legislative-proposal-includes-mandatory-breach-notice-provision/</link>
		<comments>http://www.uslawwatch.com/2011/05/16/privacy/obama-cybersecurity-legislative-proposal-includes-mandatory-breach-notice-provision/#comments</comments>
		<pubDate>Mon, 16 May 2011 09:37:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breaches]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3751</guid>
		<description><![CDATA[The White House May 12 unveiled a cybersecurity legislative proposal to protect computer networks and critical infrastructure that also includes a national data breach notification mandate for certain businesses...]]></description>
			<content:encoded><![CDATA[
<p>The White House May 12 unveiled a cybersecurity legislative  proposal to protect computer networks and critical infrastructure that also  includes a national data breach notification  mandate for certain businesses.</p>
<p>The cybersecurity provisions of the proposal build on  administration efforts that started in 2009 when President Obama took office,  but the breach notice provision comes as something of a surprise as it had not  previously been a focus of the White House&#8217;s cybersecurity efforts.</p>
<p>A June 2009 report on a comprehensive cybersecurity review ordered  by Obama did not focus on breach notice (8 PVLR 795, 6/1/09). Neither did the administration&#8217;s  Comprehensive National Cybersecurity Initiative white paper (9 PVLR 365, 3/8/10).</p>
<p>A July 2010 White House meeting with high level cybersecurity  officials and public stakeholders also did not stress breach notice, and a  cybersecurity progress report issued at the meeting did not even mention breach  notification (9 PVLR 1045, 7/19/10).</p>
<p>In a May 12 statement, Senate Majority Leader Harry Reid (D-Nev.)  said that he looked forward to seeing the president&#8217;s proposal combined with the  cybersecurity work of various Senate committees in coming weeks, adding that “we  hope to pass a bill this summer.”</p>
<h3>Breach Notice National Standard</h3>
<p>The breach notice legislative proposal would cover businesses that collect, use, transmit, retain, or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12-month period.</p>
<p>Businesses already covered by the data breach notice requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act would be exempt from the proposed law.</p>
<p>The proposal defines sensitive personally identifiable information  (SPII) to include name information in combination with any two of the following:  individual&#8217;s full birth date, home address or telephone number, or mother&#8217;s  maiden name. In addition, SPII would include a non-truncated Social Security,  driver&#8217;s license, passport, or other government-issued identification number,  biometric data, a unique financial account or payment card number, and other  financial information.</p>
<p>Covered businesses would be required, within 60 days, to notify  individuals whose exposed SPII was unsecured by technological means to make it  unusable. The proposal does not limit the technological means to secure the data  to encryption.</p>
<p>In addition, businesses would have to notify the Department of Homeland Security if a breach involved the SPII of more than 5,000 individuals, involved a database containing such information on more than 500,000 individuals, involved a database owned by the federal government, or involved a database containing SPII of federal employees or contractors. Notification of DHS would be required at least 72 hours before providing notice to individuals or within ten days of discovering the breach, whichever comes first.</p>
<p>The proposal includes a risk of harm trigger for when notice is  required by creating a safe harbor notification exemption for covered businesses  that notify the Federal Trade Commission that they do not intend to notify  individuals because their investigation of a breach concluded that “there is no  reasonable risk that the security breach has resulted in, or will result in,  harm to the individuals whose SPII was subject to the security breach.” Covered  businesses would be required to invoke the safe harbor presumption with the FTC  within 45 days of the results of a risk assessment.</p>
<p>Businesses would not be required to provide breach notice to  individuals if they use or participate in a program “that effectively blocks the  use of SPII to initiate unauthorized financial transactions before they are  charged to the account of the individual and it provides for notice to affected  individuals after a security breach that has resulted in fraud or unauthorized  transactions.”</p>
<p>Finally, no breach notice would be required if the U.S. Secret  Service or FBI determined that doing so could “reveal sensitive sources or  methods” or damage national security.</p>
<p>If a required breach notice affects more than 5,000 individuals in  any one state, the business—in addition to individual notification—would be  required to post notice of the breach in relevant news media outlets.</p>
<p>The FTC would be authorized to promulgate rules on the breach  notice provisions and enforce the proposed law under Section 5 of the FTC Act.  State attorneys general would also be authorized to file lawsuits to enforce the  proposed law and could seek civil penalties of no more than $1,000 per day per  individual affected, up to $1 million total for a single related security  incident. The proposal, however, does not provide a limit to penalties that may  be imposed for a breach caused by a business&#8217;s “willful or intentional”  conduct.</p>
<p>The proposal specifically prohibits lawsuits by individuals seeking  to enforce the law.</p>
<p>The administration proposal would preempt breach notification laws  in 46 states and the District of Columbia. California adopted the  first-in-the-country breach notification law nearly a decade ago in 2002 (1 PVLR 1180, 10/7/02), and in April 2010, Mississippi became the  latest state to enact such a law (9 PVLR 533, 4/12/10). Only Alabama, Kentucky, New Mexico, and  South Dakota do not have some sort of breach notice law on the books.</p>
<p>There are already two bills before Congress that seek to establish  a national data breach notice standard to preempt state laws.</p>
<p>Rep. Bobby L. Rush (D-Ill.) May 4 reintroduced a bill (H.R. 1707), which would require businesses to notify individuals if their electronic unencrypted personal information is breached and implement data security programs or face penalties of up to $5 million (10 PVLR 689, 5/9/11).</p>
<p>Rep. Cliff Stearns (R-Fla.) May 11 introduced a bill (H.R. 1841) that is nearly identical to the Rush  legislation&#8230;</p>

]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/05/16/privacy/obama-cybersecurity-legislative-proposal-includes-mandatory-breach-notice-provision/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BNA INSIGHTS: New Momentum for U.S. Privacy Legislation with Introduction of Major Bills in Both House and Senate</title>
		<link>http://www.uslawwatch.com/2011/05/11/privacy/bna-insights-momentum-privacy-legislation-introduction-major-bills-house-senate/</link>
		<comments>http://www.uslawwatch.com/2011/05/11/privacy/bna-insights-momentum-privacy-legislation-introduction-major-bills-house-senate/#comments</comments>
		<pubDate>Wed, 11 May 2011 09:15:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Marketing]]></category>

		<guid isPermaLink="false">http://www.uslawwatch.com/?p=3728</guid>
		<description><![CDATA[Privacy issues have been a hot topic in Congress over the past few years, but the likelihood of action on this issue increased materially in April with the introduction of bipartisan bills in both the House and Senate...]]></description>
			<content:encoded><![CDATA[
<p><span style="color: #888888;"><em>Two major privacy bills recently introduced by federal lawmakers have  important differences, but both would mark a significant step toward  regulation of the collection and use of personal information in the  United States. The authors closely analyze the Kerry-McCain measure,  introduced in the Senate, and the Stearns-Matheson bill, introduced in  the House, and list the differences in the provisions of the proposed  laws in a side-by-side comparison chart.</em></span></p>
<p><img src="http://news.bna.com/pvln/core_adp/get_object/im191882.png" alt="Alan Charles Raul" /> <img src="http://news.bna.com/pvln/core_adp/get_object/im184465.png" alt="Edward R. McNicholas" /> <img src="http://news.bna.com/pvln/core_adp/get_object/im194376.png" alt="Caleb Weaver" /></p>
<p><em>By <strong>Alan Charles Raul</strong>, <strong>Edward R. McNicholas</strong> and <strong>Caleb Weaver</strong></em></p>
<div><em>Alan Charles Raul and Edward R.  McNicholas are global coordinators of Sidley Austin LLP&#8217;s Privacy, Data  Security and Information Law group based in Washington, where Caleb  Weaver is an associate.  The views expressed herein are those of the  authors personally and do not necessarily reflect the views of any  governmental or private entity, client, or association.  This article is  published for informational purpose only and is not legal advice.   Readers should not act upon this article without seeking personal advice  from professional advisers.</em></div>
<p>Privacy issues have been a hot topic in Congress over the past few years, but the likelihood of action on this issue increased materially in April with the introduction of bipartisan bills in both the House and Senate. Although the two bills have important differences, both would mark a significant step in the regulation of the collection and use of personal information. The more sweeping changes are found in the Senate bill, entitled “The Commercial Privacy Bill of Rights Act of 2011” (S.799). Co-sponsored by Commerce Committee member Sen. John Kerry (D-Mass.) and former Commerce Committee Chairman Sen. John McCain (R-Ariz.), the Senate bill faces significant hurdles. Kerry-McCain, however, is the most important piece of privacy legislation in several years, and it enjoys considerable support from the Obama Administration and among a number of leading technology companies. In the House, Rep. Cliff Stearns (R-Fla.), joined by Rep. Jim Matheson (D-Utah), introduced a modified version of the “Boucher Stearns” privacy bill floated widely in the last Congress. The Stearns-Matheson legislation, entitled the “Consumer Privacy Protection Act of 2011” (H.R. 1528), is less prescriptive than the Senate legislation, and will be the primary alternative to the Kerry-McCain proposal as the issue is debated over the coming months.</p>
<p>The heart of the Kerry-McCain bill is the creation of an  omnibus data protection regime based on “fair information practice  principles” (“FIPPs”).  Its approach, however, would not merely require disclosure  of privacy practices, but would actually set some baseline standards  regarding what practices are presumptively acceptable.  Companies would be required to give a clear and concise notice of uses  for personally identifiable information (“PII”), as many already do.   But individuals would also have a right to opt-out of unauthorized uses  of non-sensitive PII, and opt-in consent would be required for both uses  of sensitive PII and for transfers or uses that were materially  different from those specified in the notice and that created a risk of  harm to the individual.  The bill would also require a mechanism for  individuals to access and correct their PII, but it does not establish a  “do not track” mechanism.</p>
<p>Importantly, while the new Kerry-McCain regime would be  broadly applicable across all industry sectors, it has some limitations  for already-regulated areas.  Financial institutions, for instance,  would continue to be primarily subject to the privacy and security  obligations of the Gramm-Leach-Bliley Act and other financial statutes.   Moreover, banks, securities firms and insurance companies would be  excluded from the bill, except to the extent such financial institutions  may be subject to concurrent FTC jurisdiction under existing law.   Similarly, covered entities subject to healthcare privacy regulations  issued under the Health Insurance Portability and Accountability Act  would be exempted from the provisions of the new bill to the extent they  are already covered by HIPAA privacy regulations.</p>
<p>Telecommunications carriers and cable companies, however,  could face an entirely new privacy framework under Kerry-McCain.   Although the import of the current legislative language is not entirely  clear, the bill appears to have been intended to subordinate existing  customer privacy rules to the legislation&#8217;s new regulations, most likely  with a view to creating an environment in which all of the major  Internet players – telecommunications carriers, cable companies, and  Internet companies – are functioning under the same privacy regime.<a name="a0c7r7b2d2_ref"></a> <a name="a0c7r7b2d2_reffirst_footref"></a> <a href="http://news.bna.com/pvln/PVLNWB/doc_display.adp?fedfid=20872025&amp;vname=pvlrnotallissues&amp;fn=20872025&amp;jd=a0c7r7b2c4&amp;split=0#a0c7r7b2d2" target="_self"> <sup>1</sup></a></p>
<p><a name="a0c7r7b2d2"></a></p>
<div><a href="http://news.bna.com/pvln/PVLNWB/doc_display.adp?fedfid=20872025&amp;vname=pvlrnotallissues&amp;fn=20872025&amp;jd=a0c7r7b2c4&amp;split=0#a0c7r7b2d2_reffirst_footref" target="_self"><sup>1</sup></a> Section 601(c) provides “If a person is subject to a provision of  section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 and  551) and a provision of this Act, such provision of such section 222 or  631 shall not apply to such person to the extent that such provision of  this Act applies to such person.”</div>
<p>The Stearns-Matheson bill, on the other hand, would  not regulate as intensively as the Kerry-McCain legislation, neither  creating a “Consumer Bill of Rights” nor empowering the FTC to engage in  extensive rulemaking.  Instead, the bill relies primarily on disclosure  of privacy practices, including requiring companies to publish privacy  policies to inform consumers about the collection, use and transfer of  PII, and on self-regulatory programs developed by the data collection  industry and approved by the FTC.</p>
<p>In spite of the challenging legislative environment, the  introduction of these two serious, bipartisan bills, combined with the  broad engagement by industry and advocacy organizations this year,  suggests that Congress may take up online privacy before the next  election.  Moreover, no significant congressional leaders of either  party have gone on record objecting categorically to federal privacy  legislation.</p>
<p>While there may be movement on this issue, the final result remains far from clear at this stage. Although the two bills address the same set of concerns, the approaches they take to resolving these issues vary widely, as seen in a comparison of the key topics covered in the two proposals&#8230;</p>
<h3><span style="color: #ff0000;">Comparison of the Kerry-McCain and Stearns Legislation</span></h3>
<table border="1" width="882" frame="ALL" rules="ALL" height="296">
<colgroup>
<col width="10%"></col>
<col width="50%"></col>
<col width="40%"></col>
</colgroup>
<tbody>
<tr valign="BOTTOM">
<th align="LEFT" valign="TOP"></th>
<th align="LEFT" valign="TOP">
<h4><span style="color: #000080;">Kerry-McCain</span></h4>
</th>
<th align="LEFT" valign="TOP">
<h4><span style="color: #008000;">Stearns</span></h4>
</th>
<td><a name="a0c7r7b2g7"></a></td>
</tr>
<tr valign="TOP">
<td align="LEFT" valign="TOP"><a name="a0c7r7b2g8"></a><span style="color: #ff0000;"> Covered Entities</span></td>
<td align="LEFT" valign="TOP">
<div><span style="color: #333399;">Any  entity that collects, uses, transfers or stores covered information  about more than 5,000 individuals during a 12 month period and is:</span></div>
<div><span style="color: #333399;">1) regulated by FTC,</span></div>
<div><span style="color: #333399;">2) a common carrier subject to FCC jurisdiction, or</span></div>
<div><span style="color: #333399;">3) a non-profit organization.</span></div>
</td>
<td align="LEFT" valign="TOP"><span style="color: #008000;">Any entity  that collects, sells, discloses for consideration or uses PII of more  than 5,000 consumers in any 12-month period, including non-profit  organizations.</span></td>
</tr>
<tr valign="TOP">
<td align="LEFT" valign="TOP"><a name="a0c7r7b2h3"></a><span style="color: #ff0000;"> Excluded Covered Entities</span></td>
<td align="LEFT" valign="TOP"><span style="color: #333399;">Industries  such as banks and other financial institutions outside of the FTC&#8217;s  jurisdiction.  Entities covered by provisions of specifically enumerated  federal privacy laws are excluded from conflicting provisions.</span></td>
<td align="LEFT" valign="TOP"><span style="color: #008000;">Government  agencies, data processing outsourcing entities and professional service  providers that are obligated by rules of professional ethics or law not  to disclose confidential information without consent.</span></td>
</tr>
<tr valign="TOP">
<td align="LEFT" valign="TOP"><a name="a0c7r7b2h4"></a><span style="color: #ff0000;"> Covered Information</span></td>
<td align="LEFT" valign="TOP">
<div><span style="color: #333399;">Broad  definition of PII that includes names, addresses, e-mail addresses,  telephone numbers, Social Security numbers and credit card numbers.   Also introduces two new concepts:</span></div>
<div><span style="color: #333399;">1) Unique Identifier Information, defined as  information associated with a person or device, and includes geographic  location if used in connection with a name, as well as IP and MAC  addresses, processor or device serial number, and customer ID numbers in  cookies, and</span></div>
<div><span style="color: #333399;">2) Sensitive PII, defined as information that  carries a significant risk of economic or physical harm if  inappropriately disclosed or compromised, or information related to a  particular medical condition or the individual&#8217;s religious affiliation&#8230;</span></div>
</td>
<td align="LEFT" valign="TOP"><span style="color: #008000;">Individually identifying information relating to a living individual who can be identified, including name, address, e-mail address, telephone and cell number, Social Security number, and full debit or credit card number. Birth dates and IP addresses are included if used in combination with one of the previously listed items. Anonymous or aggregate data is specifically excluded&#8230;</span></td>
</tr>
</tbody>
</table>

]]></content:encoded>
			<wfw:commentRss>http://www.uslawwatch.com/2011/05/11/privacy/bna-insights-momentum-privacy-legislation-introduction-major-bills-house-senate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

