The Increasing Complexity Of Privacy and Security Law

Monday, May 2, 2011 - 01:00

Editor: Please tell our readers about your practice area.

Nahra: My work is hard to pigeonhole. There are basically three components to my practice: first is health care work, which includes defending investigations, compliance programs, and regulatory advice on health care and health insurance programs; the second component is health care privacy-related work, dealing with both federal and state rules for the health care industry; the third is privacy work not connected to the health care industry, dealing with a full range of other issues that affect privacy and security.

Editor: What do you expect to see as the future role of the FTC in privacy enforcement?

Nahra: The FTC has been the default lead on privacy and security for about a decade, being very active in most industries directly on the enforcement front, and more subtly, on encouraging better behavior. For the past six months or so, it has been pushing to develop strong industry guidance in this area and to examine the possibility of national privacy legislation. We can expect to hear more over the next few months.

Editor: Please explain the actions of the FTC in the BJ's Wholesale settlement. How has this affected action by the FTC in imposing more stringent requirements on businesses?

Nahra: The FTC has engaged in a number of different enforcement actions that have set its policy on what it expects by way of behavior, the BJ's Wholesale case several years ago being the most significant of these. BJ's Wholesale had some credit card security problems inside their stores. BJ's was not regulated by any federal law at that time and had not made any promises to its customers about security. Nonetheless, the FTC took an enforcement action against the company, essentially sending the message to companies in every industry that if you have personal information about customers or employees, you have an obligation to have reasonable and appropriate security practices.

Editor: What implications does the Google-FTC settlement have for other Internet providers?

Nahra: The recent Google case is very interesting. Google launched a new product called Google Buzz, which, because it was Google, generated much attention. Buzz was Google's attempt to become a bit more like Facebook in that users could share photos, updates and the like. The problem was that these features weren't clearly communicated. Users didn't know it would expose certain kinds of personal information to friends and contacts in a way they had anticipated. Needless to say, the launch did not go very well, with the privacy implications of Buzz becoming very significant. The FTC stepped in, admonishing Google for its failure to think about privacy initially. The FTC does not really have authority to fine companies in most situations, but in order to assure it wouldn't happen again, the FTC reached an agreement with Google as to future practices. One of the most burdensome pieces of that settlement involves audits of privacy practices extending 20 years into the future. This very significant action is part of the FTC's broader efforts to implement what they're calling "privacy by design," a program meant to prod companies to think about privacy issues from the beginning of their product development cycle.

Editor: Why is the area of security breach regulation such a minefield?

Nahra: Over the past five years we've seen an enormous number of security breaches in essentially every industry segment. Those breaches have become public largely in places where various laws (mainly at the state level) require notification in the event of security breaches. As these security breaches became more visible across the country, concern over them has picked up momentum, leading local and state legislators and regulators to act - resulting in a variety of different laws that intersect.

We have different notice laws in each state and in the federal government as well. The laws are overlapping, but often in inconsistent or confusing ways. In some situations, we're still struggling with the purpose of these laws. Originally the purpose was to help people in the event of a security breach that created a risk of identity theft. But now we're seeing laws apply to many breaches where the risks, if there are any, are very different, and it's less clear what the purpose of these notices is. The FTC is concerned that there might already be too many notices, and people may no longer pay attention to the ones that really matter.

Editor: Describe the authority given under the HITECH Act. When will the final regulations come down?

Nahra: The HITECH law, which was part of the 2009 economic stimulus legislation, included some particular sections for the health care privacy community. It involved the first modifications to the HIPAA privacy and security rules since those rules were initially implemented, and now we're seeing an extended implementation of the provisions from that law. The Department of Health and Human Services is issuing new regulations, some of which are in effect, such as the regulation about notifying patients if there has been a security breach. The main regulations will be issued in final form later this year, and they will require the whole health care industry - along with service providers to the health care industry - to comply with the new rules sometime in mid-2012, thus broadening the law's reach.

Editor: There has been recent enforcement under this Act, the most egregious case being that of Cignet . Please share with our readers some background on this case.

Nahra: There has been much appropriate debate about whether the government is doing enough to enforce health care privacy rules over the last several years. Two recent, closely watched cases have led many people to conclude that the government will now act more aggressively to enforce these rules. In one such case, a rather unusual one, a company called Cignet failed to respond to various patients who were seeking access to their own medical records. The penalty was very large - $4.3 million. Based on public reports, Cignet essentially ignored its responsibilities under the law. Even more egregiously, it ignored a whole series of government efforts to ask questions about what happened, including letters, calls and even subpoenas and formal court action. Certainly most companies don't behave that way.

The second case, a much more typical one, actually was released the next day. An individual who worked at Massachusetts General took medical records on the subway and left them there. This obviously sloppy error led to a $1 million fine. This case generates greater concern because one can imagine an incident like this happening at any number of health care companies across the country.

Editor: Are we seeing security breaches in many other industries besides healthcare?

Nahra: Absolutely. There are particular rules for certain industries such as health care and financial services, but the FTC is setting general security practices across all industries. We see many breaches involving customer information relating to credit cards and employee information, often involving Social Security numbers. These various state and federal legal requirements coupled with the actual risks of security breaches should push companies in every industry to reevaluate and upgrade their overall security practices.

Editor: What new developments do you expect to see for health care privacy and security enforcement in 2011?

Nahra: Over the course of this year and leading into next we are going to see the final rules from HHS as well as lots of continued confusion in the health care industry because these new rules apply not only to people directly in the industry but also to the full range of service providers and downstream subcontractors of those service providers. An enormous number of companies that don't think of themselves as being in the health care industry will need to follow these new rules. While I do expect that we'll see incremental enforcement this year, we're going to see more new rules and we're going to see more time and energy being put into understanding these rules.

Editor: What are your thoughts about a nationwide electronic network of medical records?

Nahra: It's on a very short list of items that have been pursued by both the Bush and Obama administrations, but it is an effort that is in its infancy, being caught up in an incredible array of legal and IT-related complications.

Editor: What guidance do you give companies regarding social media in terms of use by employees?

Nahra: Social media is obviously a related kind of concern involving privacy and security, but it is in a different environment from health care because it is really not a very heavily regulated environment. Companies tried at the outset to use social media more actively, but now they are starting to see some of the reputational risks that ensue and the concerns about leakage of proprietary information. There may be some spin-off privacy risks as well. As with employment law issues generally, companies need to both educate and oversee their employees. That is leading to some interesting tensions in the workplace. It is clearly a hot issue because of the importance of social media as a business and marketing tool across all kinds of industries.

Editor: Have any laws limiting the use of social media been tested against the First Amendment?

Nahra: Again there is an emerging debate about this subject. The FTC is pushing for some new guidance about the Internet environment generally. Their focus has been more on behavioral tracking and the Internet generally than specifically on social media, although social media is obviously a component. One difference with social media from a lot of the Internet issues is that social media is largely voluntary for many people. The FTC has focused a little more heavily on entities that are tracking what you do without your knowing it, but that is clearly going to be a hot area over the next year or so. There are Congressional and FTC hearings and there are likely to be new regulations proposed, making this a generally very active area.

Editor: How would you compare the privacy protection laws for members of the EU and individual European countries with those in the U.S.?

Nahra: The EU created a general across-the-board privacy framework for how personal information is protected, governing all industries. That premise is different from that adopted by the United States historically. The United States has had a lot of sector-by-sector regulation, although because of the FTC we may be moving towards more across-the-board regulation. The EU has one model. It has created a lot of complexity for companies that have data coming in from the EU. We're also seeing countries across the globe implementing their own privacy structures - some starting with the EU model, some using the sector-specific model - so the international area again is very complicated because of the lack of any consistency in how the rules are written and interpreted across the globe.

Editor: Do you expect to see any national privacy legislation in the U.S. in the near future?

Nahra: That has been the single most debated topic in the privacy area. The FTC is slowly moving in the direction of recommending legislation, but I do not think we're likely to see national privacy legislation any time soon. We may see the FTC give some regulatory guidance and try to implement some essentially best practices that it would enforce, but Congress is expected to pass at most very specific sector laws.

Editor: Is there anything further you would like to add?

Nahra: The biggest conclusion from all of this is that privacy and security are issues that affect virtually any company in this country and internationally - any company that has employees and/or customers. It is critical for companies to evaluate everything that they are doing in connection with personal information.

Please email the interviewee at knahra@wileyrein.com with questions about this interview.