There have been recent privacy law developments relating to the following: the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, information security, and the Federal Trade Commission.

Recent Developments In US Privacy Law: HIPAA, COPPA, State Data Security, and Federal Trade Commission Initiatives

Once upon a time, it was fair to say that tackling data privacy issues within an organization was comparable to playing the “whack-a-mole” game at the amusement park.  The “moles” (new privacy issues) would suddenly pop up on a tray in front of you (your work inbox), and you would “whack” them quickly with your “privacy compliance mallet,” and they would go away.  It’s not that easy anymore.  The moles are no longer all the same size and shape.  Some are particularly large and ugly, manifesting the different levels of exposure for different privacy concerns (data breach, health/medical privacy, internal investigations and monitoring, conflicts between privacy and other compliance duties, and the like), and new sources of data collection (mobile apps, behavioral advertising, monitoring technologies, and the like).  The “rules” of the game (privacy regulations) have also changed.  You can no longer just whack all moles on top of the head with your mallet (e.g., issue an accurate privacy notice and maintain reasonable security), but you need to whack some moles on the side (e.g., changing actual business practices through “privacy by design” principles or otherwise).  Other moles you need to remove from the game altogether (e.g., terminate a vendor, overhaul a set of information security controls, relegate certain online features to the “Don’ts” category in the “Do’s and Don’ts” company policy).  Moreover, you need to attain a much higher score on the game in order to get enough little yellow tickets to redeem your prize at the desk (e.g., enforcement actions are more rigorous, driving you to do more to maintain your organization’s good privacy name).  Taken together, it’s therefore more accurate to say that data privacy compliance has become the “whack-a-mole game on steroids.”  The following provides a brief overview of key recent developments in privacy law.  Get your mallet ready.
 
I.    Health Insurance Portability And Accountability Act
 
The Health Information Technology for Economic and Clinical Health Act, Sec. 13001 of the American Recovery and Reinvestment Act, Public Law 111-005 (“HITECH Act”), established important amendments to HIPAA (as defined below), including (i) mandatory notification in the event of a security breach; and (ii) direct application of certain information security and other HIPAA provisions, including the heightened penalty provisions, to an expanded range of organizations, such as (a) Business Associates of Covered Entities (which previously only needed to adhere to their agreements with such Covered Entities), and (b) vendors of personal health records (previously not covered by HIPAA), which are now subject to breach notification obligations. 
 
Since the enactment of HITECH, the Department of Health and Human Services (“HHS”), through the HHS Office for Civil Rights (“OCR”), has engaged in considerable rulemaking activity and increased its enforcement of HIPAA’s Privacy and Security Rules (discussed further below in Section 14).  Then, after a number of delays, HHS released on January 25, 2013 the final omnibus rules codifying and modifying many of these interim rules, including those regarding heightened penalties, breach notification, and direct applicability to Business Associates (the “Final Rules”).  The effective date of the Final Rules is March 26, 2013, and Covered Entities and Business Associates are required to be in compliance with the new requirements by September 23, 2013.  Covered Entities and Business Associates have an additional year to conform existing business associate agreements (“BAAs”) to the requirements of the Final Rules. 
 
 
In part, the Final Rules:

 
•     Confirm that Business Associates (as well as their subcontractors that access or receive Protected Health Information) are directly liable for compliance with certain of the requirements of the HIPAA Privacy and Security Rules and are subject to related penalties for violation of such requirements;
 
•     Impose more stringent limitations on the use and disclosure of Protected Health Information for marketing and fundraising purposes as well as prohibitions on the sale of Protected Health Information without individual authorization;
 
•     Require modifications to and redistribution of a Covered Entity’s Notice of Privacy Practices;
 
•     Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others;
 
•     Increase individual rights of access to Protected Health Information by allowing patients to request a copy of their electronic medical record in electronic form and allowing individuals to instruct their providers not to share information about their treatment with their health plan if they pay in full for the relevant product or service;
 
•     Adopt the increased and tiered civil money penalty structure provided by the HITECH Act (which was originally published as an interim final rule on October 30, 2009);
 
•     Adopt the breach notification rule for Covered Entities and Business Associates and replace the “harm” threshold for notification with an evaluation regarding whether the breached data was “compromised”.
 

The Final Rules also include additional modifications related to the use and disclosure of genetic information. 
 
Prior to the issuance of the Final Rules, HHS released on May 31, 2011 a notice of proposed rulemaking on the HIPAA accounting of disclosures requirement.  The purpose was, in part, to implement the statutory mandate under HITECH to require Covered Entities and Business Associates to account for disclosures of Protected Health Information made to carry out treatment, payment, and health care operations.  Under the pre-HITECH rule, Covered Entities were not required to provide an accounting of disclosures for these types of uses and disclosures. 
 
The proposed 2011 rules also, apparently based on HHS’s general authority under HIPAA, expanded the current accounting provision to provide individuals with the right to receive an access report detailing the internal access to Protected Health Information in a designated record set.  If adopted in this form, these rules may pose challenges for Covered Entities that otherwise may be in the process of adopting electronic health records, as the detailed provisions regarding access tracking may not be contemplated by their current implementations.  Comments for this proposed rule were accepted until August 1, 2011.  The proposed May 2011 rules were not addressed in the Final Rules.  HHS noted in the Final Rules, however, that these rules remain in effect and will be subject to additional rulemaking.
 
II.   Children’s Online Privacy Protection Act
 
On January 17, 2013, the Federal Trade Commission (“FTC”) issued the following amendments to the Children’s Online Privacy Protection Rule (16 C.F.R. § 312.1 et seq.) (the “Rule”), implementing the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) (the “Act”):

 
•     modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
 
•     offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
 
•     close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
 
•     extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
 
•     extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
 
•     strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
 
•     require that covered website operators adopt reasonable procedures for data retention and deletion; and
 
•     strengthen the FTC’s oversight of self-regulatory safe harbor programs.
 
The amendments to the Final Rule will go into effect on July 1, 2013.

 
III.  Information Security
 
On July 19, 2012, the California Attorney General announced the creation of the Privacy Enforcement and Protection Unit in the California Department of Justice (“Privacy Unit”), which will focus on protecting consumer and individual privacy through civil prosecution under state privacy laws.  Specifically, the Privacy Unit will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government.
 
Vermont and Connecticut updated their existing breach notification statutes in 2012 and, in Massachusetts, a new aspect of its existing breach notification law took effect.
 
Vermont
 
Vermont amended its Security Breach Notice Act, as codified in 9 V.S.A. § 2435, in the following respects:
 

•     Requiring breach notice to Vermont residents within 45 days after discovery of the breach, instead of the prior “most expedient time possible and without unreasonable delay….” The notice must also now include the “approximate date of the security breach.”
 
•     Requiring notice to the Attorney General within 14 business days following discovery of the breach or the date Vermont residents were notified. The notification to the AG must include at least: the date of the breach; the number of Vermont residents affected; the date of discovery of the breach; and a “preliminary description of the breach.” If the date when the breach occurred is unknown at the time notice to the AG is required, the date of the breach must be sent thereafter “as soon as it is known.” A copy of the notice provided to the consumers must also be sent to the AG.
 
•     Adopting the industry-standard definition of “personally identifiable information”.
 
•     Revising the definition of “security breach” to cover only “unauthorized acquisition” of data rather than the previous “unauthorized acquisition or access” of data and adding four non-exclusive “factors” for determining whether there has been “acquisition” of data.

 
Connecticut
 
Connecticut amended its data breach notification statutes, as codified in Connecticut General Statutes Sec. 36a-701b, effective October 1, 2012. The amended law clarifies certain definitions, but the substantive addition is a new requirement that the Connecticut Attorney General’s office must be notified “not later than the time when notice is provided to the resident.”  Unlike Vermont’s new law, Connecticut’s statute sets no specific time period for notification of residents.
 
Massachusetts
 
As of March 1, 2012, any company that owns or licenses personal information regarding a Massachusetts resident will be required to include data security provisions in all of its agreements with service providers, including those executed prior to March 2, 2010, to which the covered entity transmits such information. The data security obligations that must be included would require the vendors to:
 

•     develop, implement, and maintain a comprehensive written information security program (“WISP”) describing the administrative, technical, and physical safeguards that have been, or will be, put in place for the protection of personal information;
 
•     designate in the WISP one or more employees to maintain the information security program;
 
•     identify and assess in the WISP the foreseeable security risks to stored personal information;
 
•     include in the WISP data security policies for employees to follow, as well as the disciplinary measures and responsive actions to be taken in connection with any violation or breach of the security program; and
 
•     provide in the WISP for annual review of the implemented security measures.

 
IV.  Federal Trade Commission
 
A.   Recent Enforcement Actions
 
On January 28, 2013, Cbr Systems, Inc., the operator of a cord blood bank, settled FTC charges stemming from a data security breach that involved the social security numbers and credit card numbers of nearly 300,000 individuals.  The FTC alleged that Cbr’s inadequate security practices contributed to the breach.  The settlement requires Cbr to make changes to its information security practices and to submit to biannual security audits for 20 years.
 
On December 5, 2012, the FTC settled with Epic Marketplace, Inc., an online advertising company, on charges that the company engaged in “history sniffing” to illegally gather data from consumers without their knowledge about the consumers’ sensitive medical and financial interests.  The settlement prevents Epic Marketplace from using history sniffing and from misrepresenting its data collection practices in the future.
 
 
B.   Other FTC Initiatives
 
On March 26, 2012, the FTC released its final report on protecting consumer privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change.”  The report calls on businesses to protect their consumer data through a number of approaches, including privacy by design, simplified choice for businesses and consumers, and greater transparency.  The report also notes that the FTC will focus in the near future on five main issues regarding consumer data protection: do-not-track, mobile privacy, data brokers, comprehensive tracking by large platform providers, and promoting enforceable self-regulatory codes.
 
On July 26, 2012, the FTC became the first enforcement authority in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system.  The APEC system is designed as a self-regulatory initiative through which participating businesses can enhance consumer data protection by adhering to a voluntary but enforceable code of conduct.  There are 21 APEC member states, including Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States and Vietnam.
 
C.   Mobile Applications
 
The regulatory climate around mobile apps is rapidly shifting to require mobile app platforms and app developers to provide greater transparency regarding how apps use and share personal data.  Two recent key developments, one closely following the other, signal a distinct regulatory interest in mobile app privacy disclosures on a state and federal level, and the impacts of that regulatory interest have the potential to be far-reaching.
 
The California Attorney General brought the first action in California state court to enforce a requirement under the California Online Privacy Protection Act (“Cal OPPA”) (Cal. Bus. & Prof. Code §§ 22575-22579) that mobile apps collecting personally identifiable information “conspicuously post” a privacy policy (e.g., by providing an icon or similar type of link to the relevant privacy policy) (People v. Delta Air Lines, Inc., Cal. Super. Ct., No. CGC-12-526741).  Cal OPPA defines “personally identifiable information” broadly to include first and last name, email address or “any other identifier” that facilitates contact with the individual.  (Cal. Bus. & Prof. Code § 22577).  Under the law, a valid privacy policy must (i) identify the type of personal data collected as well as the third parties with whom the data may be shared; (ii) describe the process by which a consumer is able to review and request changes to his or her personal data if such a process is provided; (iii) explain how users will be notified of changes to the privacy policy; and (iv) identify the policy’s effective date. (Cal. Bus. & Prof. Code § 22575).  Prior to bringing this claim in state court, the California Attorney General issued warning letters to mobile app developers whose apps were purportedly not in compliance with the Cal OPPA requirement.  The letters gave the app developers thirty days to come into compliance, after which they would face a fine of $2,500 per subsequent violation.  Because Cal OPPA would apply to any app that collects personally identifiable information about California residents, the scope of this “conspicuous” privacy policy requirement is far-reaching and could create compliance obligations for a very large number of app developers. 
 
Two months after the California Attorney General’s enforcement action, the FTC issued a report that called for mobile apps to increase transparency around how they use data and to expand their use of privacy disclosures (the “Report”).  The Report stressed the need for mobile app platforms and app developers to provide clear, readily identifiable and easy-to-understand methods to notify a user when certain kinds of data are being collected and/or transmitted.  The FTC specified four primary recommendations that mobile app platforms should adopt: (1) consistent disclosures, including just-in-time disclosures; (2) oversight across apps; (3) transparency regarding mobile app review; and (4) a Do Not Track mechanism.  Among the recommendations for app developers, the Report calls for them to (1) establish and publish a privacy policy for their apps that is available through the platform and (2) provide just-in-time disclosures and obtain user consent for the collection of “sensitive content” beyond a platform’s API (but not to overlap with disclosures issued by the platform).  While, on a national level, these requirements are generally still voluntary, the FTC has indicated that failure to follow the recommendations set out in the Report may well lead to future enforcement actions. 
 
Taken together, the California Attorney General’s enforcement action on a state level and the FTC’s Report on a federal level signify a growing trend of regulatory interest in the privacy practices of mobile apps and, particularly, their disclosures to consumers regarding those practices.  These initial regulatory stirrings are likely only the start of a larger regulatory movement that reaches mobile app developers, platforms and beyond.  Platforms and developers, therefore, may benefit from implementing early compliance measures as precautionary steps to weather the storm of regulatory activity that is likely to come.

Click here to read our full client alert on these topics.