The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Supreme Court Strikes Down Vermont Prescription Privacy Law

In Sorrell v. IMS, the U.S. Supreme Court struck down yesterday (by a vote of 6-3) Vermont’s 2007 Prescription Confidentiality Law, which had made it illegal for pharmacies and similar entities to sell prescriber-identifying information without the prescriber’s consent. The court had heard oral arguments in April.

Subject to certain exceptions, such as health care research, this information could not be sold or disclosed by pharmacies for marketing purposes. The law, Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010), states that:

“A health insurer, a self-insured employer, an electronic transmission intermediary, a pharmacy, or other similar entity shall not sell, license, or exchange for value regulated records containing prescriber-identifiable information, nor permit the use of regulated records containing prescriber-identifiable information for marketing or promoting a prescription drug, unless the prescriber consents . . . . Pharmaceutical manufacturers and pharmaceutical marketers shall not use prescriber-identifiable information for marketing or promoting a prescription drug unless the prescriber consents . . . .”

Pharmacies receive prescriber-identifying information when processing prescriptions, and many of them then sell this information to data-mining companies, which use it to write marketing reports. These reports are leased to pharmaceutical manufacturers and used for marketing research, leading to increased sales.

The case involved two consolidated suits, one brought by Vermont data-miners, the other by an association of pharmaceutical manufacturers, all contending that the Vermont law violated their First Amendment rights, as speech helping pharmaceutical marketing is speech protected by the First Amendment. The United States District Court for the District of Vermont had denied them relief, but the Second Circuit reversed, holding that the Vermont law violated the First Amendment by burdening the speech of pharmaceutical marketers and data mining companies without an adequate justification.

The state of Vermont had argued that the law is merely a commercial regulation, and thus heightened judicial scrutiny is unwarranted. But the Supreme Court was not convinced, noting that the law “imposes more than an incidental burden on protected expression. Both on its face and in its practical operation, Vermont’s law imposes a burden based on the content of speech and the identity of the speaker.” Since Vermont’s law enacts content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information, this statute…

disfavors marketing, that is, speech with a particular content. More than that, the statute disfavors specific speakers, namely pharmaceutical manufacturers. As a result of these content- and speaker-based rules, detailers cannot obtain prescriber-identifying information, even though the information may be purchased or acquired by other speakers with diverse purposes and viewpoints.”

The state of Vermont had also argued that physicians have a “reasonable expectation” that their prescriber-identifying information “will not be used for purposes other than . . . filling and processing” prescriptions. The Supreme Court was not convinced by this argument either as the Vermont law does not completely serve that interest. The Vermont law allows pharmacies to share prescriber-identifying information with anyone unless this person then allows the information to be used for marketing. However, researchers, journalists, even the State itself, may use the information, and this “does not in itself advance confidentiality interests” remarked the Supreme Court, noting that…

[p]erhaps the State could have addressed physician confidentiality through “a more coherent policy.” For instance, the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here. But the State did not enact a statute with that purpose or design. Instead, Vermont made prescriber-identifying information available to an almost limitless audience. The explicit structure of the statute allows the information to be studied and used by all but a narrow class of disfavored speakers….

Vermont has given its doctors a contrived choice: Either consent, which will allow your prescriber-identifying information to be disseminated and used without constraint; or, withhold consent, which will allow your information to be used by those speakers whose message the State supports. [The Vermont law] may offer a limited degree of privacy, but only on terms favorable to the speech the State prefers.”

Justice Breyer wrote a dissenting opinion, joined by Justice Ginsburg and Justice Kagan. In his view, the Vermont statute adversely affects speech in only one way, as it prevents pharmaceutical and data-mining companies from accessing data that could help pharmaceutical companies create better sales messages. Justice Breyer wrote: “In my view, this effect on expression is inextricably related to a lawful governmental effort to regulate a commercial enterprise.”


Toward a Mandatory Requirement for EU Business Organizations to Notify of Data Security Breaches

Viviane Reding, Vice-President of the European Commission, spoke on Monday at the Data Protection and Privacy Conference of the British Bankers’ Association in London.

Ms. Reding acknowledged that the current EU legal framework protecting personal data may no longer be appropriate to a world that has changed much since 1995 (when Directive 95/46/EC, the data protection Directive, was first published), as individuals “leave digital traces with every move [they] make.” The European Union now “needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.”

Businesses must also play their part. The way they collect, process, store, and use personal data must be made more transparent than it is right now. Ms. Reding alluded to the recent Sony PlayStation Network data breach, which affected some 70 million users worldwide, whose personal information (name, address, email, and birth date) was compromised. According to Ms. Reding, “this incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers’ trust in the online economy.”

Companies must better protect personal data against security breaches and identity theft. Ms. Reding stated that “they should immediately notify breaches of data security and confidentiality” and that she does intend to introduce a mandatory requirement for business organizations to notify data security breaches.

As of today, Directive 2009/136/EC, which introduced mandatory data breach notification into the EU legal framework, requires only providers of publicly available electronic communications services to report data breaches. Other business organizations, however, do not have to report them.

This is likely to change soon, as Ms. Reding wants to introduce this requirement for all sectors, including banking and financial services. She expressed hope that “[i]t would … create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.”

Changes are ahead, as new EU data protection legislation proposals should be finalized in the upcoming months.


Two Federal Geolocation Privacy Bills Introduced Last Week

Two federal bills introduced last week aim to protect the privacy of the geolocation of mobile phone users. One bill would regulate private entities, and the other would regulate law enforcement and federal agencies.

Senator Al Franken (D-MN), chairman of the Judiciary Subcommittee on Privacy, introduced last week S.1223, the “Location Privacy Protection Act of 2011.” The bill is co-sponsored by Senator Richard Blumenthal (D-CT). The bill would only regulate companies. While the text of the legislation is not yet available, a press release states that the bill would:

“close current loopholes in federal law to require any company that may obtain a customer’s location information from his or her smartphone or other mobile device to (1) get that customer’s express consent before collecting his or her location data; and (2) get that customer’s express consent before sharing his or her location data with third parties.”

Indeed, the Electronic Communications Privacy Act (18 U.S.C. § 2702) can be interpreted as allowing electronic communication service providers, including smartphone and app companies, to share with third parties the location information of their customers without first obtaining their consent.

The other federal geolocation privacy bill, the “Geolocation Privacy and Surveillance Act,” was introduced last week by Senator Ron Wyden (D-Ore.) and U.S. Representative Jason Chaffetz (R-Utah). It would regulate the government’s use of geolocation information. Its section 4 would make it illegal for the government to obtain geolocation information by making fraudulent statements to a telecommunications carrier, or by accessing the carrier’s customer account records without permission.


Rep. Bono Mack Releases Discussion Draft of Data Security & Breach Notification Law and Holds Hearing

Earlier in the week, Representative Mary Bono Mack (R-CA) released a discussion draft of her “Secure and Fortify Electronic Data Act” (the “SAFE Data Act”). In a statement released about the draft, Bono Mack claimed the SAFE Data Act will establish uniform national standards for data security and data breach notification.

Highlights of the proposed SAFE Data Act include:

· Requiring the FTC to implement regulations that require companies holding personal information to establish and maintain a reasonable information security policy;
· Requiring companies to establish a plan and procedures to minimize retention of personal information that is no longer needed for business or legal purposes;
· Requiring the notification of law enforcement within 48 hours after discovery of a breach;
· Requiring companies to begin notifying consumers within 48 hours after taking steps to prevent further breach and determining who has to be notified, if there is a reasonable risk of harm;
· Expanding the jurisdiction of the FTC to cover non-profits under the Act;
· Granting enforcement power to the FTC and to State Attorneys General if the FTC is not pursuing an action, but no private right of action; and
· Preemption of the various state data security and breach notification laws.

Bono Mack is the chair of the House Subcommittee on Commerce, Manufacturing and Trade, which held a hearing earlier today on the proposed SAFE Data Act. Testimony was given by FTC Commissioner Edith Ramirez, Jason Goldman (Telecommunications and e-Commerce Counsel, U.S. Chamber of Commerce), Robert Holleyman (President and CEO, Business Software Alliance), Stuart Pratt (President and CEO, Consumer Data Industry Association), and Marc Rotenberg (Executive Director, Electronic Privacy Information Center). Information on the hearing, including written testimony, is available on the House Energy and Commerce Committee’s webpage.


FTC Extends Deadline to Submit Comments on its “Dot Com Disclosures” Guide

The FTC recently announced that it has extended the deadline to submit comments on its guidance document regarding online advertising, "Dot Com Disclosures: Information About Online Advertising," for 30 days, until August 10, 2011. The invitation to submit comments was reported on this blog last month.


Ninth Circuit Determines the Meaning of “Electronically Printed” Under FACTA

On May 24, 2011, the United States Court of Appeals for the Ninth Circuit determined that an email receipt was not an “electronically printed” receipt as that term is used in the Fair and Accurate Credit Transactions Act (“FACTA”). Under FACTA, entities are prohibited from printing “more than the last 5 digits of the [credit or debit] card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. Sec. 1681c(g)(1). This restriction only applies to “receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.” Id. Sec. 1681c(g)(2).

In Simonoff v. Expedia, Inc., Simonoff claimed that Expedia violated FACTA by including the expiration date of his credit card on an email receipt for an online transaction. To be a violation of FACTA, an email displayed on a computer screen would have to be considered an “electronically printed” receipt. Upholding the district court’s decision and agreeing with a previous Seventh Circuit decision regarding this issue, the Ninth Circuit determined that the plain meaning of “print” and “electronically printed” does not include email displayed on a computer screen.

Specifically, the Ninth Circuit found that the ordinary meaning of “print” involves a “physical imprint onto paper or another tangible medium.” The court also found that the term “electronically” clarifies the “manner of printing by differentiating receipts printed with electronic devices from receipts printed by hand; it does not change the definition of ‘print.’” Further, the court looked to Congress’s intention in enacting FACTA and determined that “Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts.” The court also looked to other factors of the FACTA statute, such as “the staggered implementation schedule that applies to physical devices that print paper receipts, and the limitation of the statute to receipts produced at the point of the sale or transaction,” to determine the meaning of “electronically printed.” Accordingly, the court determined that “[t]he text of FACTA simply leaves no room to doubt that ‘electronically printed’ receipts include only receipts impressed onto a tangible medium by electronic devices at the point of the sale or transaction, not receipts that are electronically transmitted to an email account or displayed on a computer screen.”


HHS Announces Proposed Changes to HIPAA Privacy Rule

The U.S. Department of Health and Human Services ("HHS") has announced a Notice of Proposed Rulemaking concerning the disclosure requirements under the HIPAA Privacy Rule. The proposed rule would give individuals the right to obtain a report on persons who have electronically accessed the individual’s protected health information ("PHI"). HHS issued the proposed rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act.

Under the proposed rule, individuals would be able to request an access report, which would document the particular persons who electronically accessed and viewed their PHI. Currently, covered entities are only required to track access to electronic PHI; they are not required to share this information with individuals. The proposed rule would also require covered entities to modify their privacy notices in order to inform individuals that they have the right to obtain an access report from the covered entity.

The proposed rule can be viewed here. Comments may be submitted here through August 1, 2011.