Privacy laws and regulations impact every organization - from data security to data collection and sharing practices. New technologies, combined with the ever-changing legal and regulatory landscape, have caused privacy and data protection to become one of the fastest growing areas of practice in the US and abroad.
Security breaches affect all industries. Attackers seek customer data or trade secrets, target companies for political reasons, or aim to sabotage critical infrastructure. In 2012, the Privacy Rights Clearinghouse estimated that 27,545,995 records were affected as a result of 680 publicly known security breaches caused by unintended disclosures, hacking or malware, payment card fraud, persons with legitimate access, or lost or stolen paper documents or devices.
State Data Security Breach Notification Laws
Nearly every US state and territory requires notification to individuals when personal information has been breached. Organizations continue to struggle with variations in the definition of a breach, content requirements for notification letters, involvement of law enforcement and notification timing. During 2012, several states amended their laws to require notification to state attorneys general, which may bring increased scrutiny to data protection practices and compliance with notification laws.
Legislators continue to push for a national standard to preempt the current hodgepodge of state breach notification laws, introducing three federal breach notification bills in 2012. In June 2012, the Data Security and Breach Notification Act of 2012 (S.3333) was introduced, providing several thresholds for breach reporting, Federal Trade Commission enforcement power and fines of up to $500,000 per incident. In September 2012, the Senate Judiciary Committee approved the Data Breach and Notification Act (S. 1408), establishing a national standard for breach notification, and the Personal Data Protection and Breach Accountability Act (S. 1535), instituting data breach notification requirements and recourse for individuals who are victims of a preventable breach incident. In their current forms, the draft bills are weaker than laws already in effect in many states.
Privacy Litigation and Class Actions
During 2012, privacy class actions continued to trend toward two major categories: (1) actions arising out of a data breach event and (2) actions brought to prosecute an alleged consumer privacy right. Generally, plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information and where only hypothetical or future injury is alleged. There are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing. Nonetheless, the probability of a dismissal for lack of injury or standing remains higher where there is no evidence of identity theft or other use of any compromised information. Plaintiffs have also had some success in avoiding the standing or lack of injury defense by bringing claims under state or federal statutes that permit an award of statutory damages, even where the conduct at issue is unrelated to the statute. A common question in statutory damages cases is whether the named plaintiff must prove an injury to recover statutory damages. In some cases, courts have concluded that a mere violation of the statute is enough to confer standing and no injury is required.
Privacy Regulatory Actions
The FTC continues to hold companies responsible for representations made to consumers regarding the use of their personal information. In 2012, the FTC brought legal action against multiple organizations alleging violations of Section 5 of the FTC Act based on failures to fulfill representations made in privacy policies. Another area of interest for the FTC will be compliance with the new requirements of the Children’s Online Privacy Protection Act (COPPA), which applies to businesses that collect information from children under the age of 13. Given the FTC’s history of vigorous COPPA enforcement, its enforcement will be even more aggressive now that “collection” is more broadly defined.
Healthcare information is among the most sensitive information an organization can handle. As more healthcare entities move toward electronic health records, use of mobile devices in the clinical setting and sharing of healthcare information in health information exchanges, federal and state agencies are monitoring compliance with obligations to safeguard protected health information (PHI) and electronic protected health information (ePHI) as required under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, which set forth standards to protect the privacy of patient information. OCR investigates complaints throughout the healthcare industry. In 2012, OCR enforcement action resulted in five resolution agreements involving civil monetary penalties ranging from $50,000 to $1.7 million and compliance with stringent corrective action plans. All five resolution agreements were related to data security breaches, including the first settlement arising from a data security breach affecting fewer than 500 individuals.
In January 2013, HHS issued sweeping changes in its Final Omnibus Rule modifying the HIPAA Privacy and Security Rules and the HITECH breach notification rules. These changes provide a framework for vigorous enforcement by OCR and include direct liability on business associates for compliance with certain HIPAA Privacy and Security Rule requirements, and a presumption that an impermissible use or disclosure of PHI is a breach. Healthcare entities will continue to see an increase in data breaches and the regulatory and/or litigation activity that follow such incidents. As such, healthcare entities should maintain organization-appropriate incident response plans, policies and procedures for safeguarding PHI and ePHI, breach analysis forms, education and awareness training and materials, vetted vendor lists and contracts, and risk assessments and risk management plans.
Privacy concerns are not limited to consumer protection and identity theft. President Obama has declared that "cyber threat is one of the most serious economic and national security challenges we face as a nation," and that "America's economic prosperity in the 21st century will depend on cybersecurity." In an increasingly interconnected and interdependent world, the threats posed by cyberterrorism, state-sponsored industrial espionage and hacktivists such as Anonymous are real and growing. President Obama's long-awaited cybersecurity executive order, issued shortly before his February 2013 State of the Union address, aims to confront these threats and challenges. Many industries are affected, including government contractors and the heavily regulated industries that the Department of Homeland Security has identified as part of the country’s critical infrastructure. The Executive Order focuses on two solutions: (1) enhanced security standards, and (2) improved sharing of information between government agencies and the private sector.