Page 1

© 2013 Winston & Strawn LLP

Hot Topics in Privacy Law

Page 2

Today’s Presenters

Linda Hoseman

Chicago

[email protected]

312-558-6159

Liisa Thomas

Chicago

[email protected]

312-558-6149

Eric Zion

Charlotte

[email protected]

704-350-7713

Robert Newman

Chicago

[email protected]

312-558-8125

Page 3

Overview

1. Social Media and Privacy – New Concerns

2. What's New on the Breach Front?

3. Mobile Apps and the Dreaded "Privacy Policy”

4. COPPA Rule Change – Are You Ready for July 1?

5. Collecting PII During a Credit Card Transaction

Page 4

Social Media and Privacy – New Concerns

Page 5

How Broadly Can I Word My Social Media Policy?

Answer: Not very broadly – be specific

NLRB is aggressively enforcing Section 7 rights

Targeting non-unionized employers with overbroad policies

Page 6

What Are Section 7 Rights?

Covers all employees except supervisors and managerial employees

Does not cover true independent contractors

Employees have the right to engage in “Protected Concerted Activity”

“Concerted Activity” – Employees’ right to act together to improve working conditions or for mutual aid and protection

“Protected” – There is certain “out-of-bounds” conduct

NLRB getting aggressive

Issued first “Facebook firing” decision in October 2012

Three memos from GC focusing on social media

Page 7

When Things Go Wrong

Bettie Page Clothing (April 19, 2013)

Employer policy prohibited:

“Disclosure of wages or compensation to any third party or other employee is prohibited and could be grounds for termination.”

“It is a condition of employment that you not disclose this [personnel] information to third parties during or after employment.”

Board holds violation of Section 7

Orders company-wide notice to employees of rescission of policy

Orders reinstatement with back pay of three employees terminated for comments about supervisors on Facebook

Page 8

Making “Don’t Disclose Confidential Information” Less Broad

Don’t say “do not disclose confidential customer, employee or company information.” Instead, say:

Maintain the confidentiality of Employer trade secrets and private or confidential information. Trade secrets may include information regarding the development of systems, processes, products, know-how and technology. Do not post internal reports or other internal business-related confidential communications.

Separate policy for managers?

Page 9

How to Make “Don’t Disparage” Less Broad

Don’t say “do not make disparaging or defamatory statements.” Instead, say:

Never post any information or rumors that you know to be false about Employer, fellow associates, members, customers, suppliers, people working on behalf of Employer or competitors.

Page 10

Why “Ask HR” Doesn’t Work

Don’t say “if you are not sure, consult with HR or your manager before posting something.” Instead, say:

Express only your personal opinions. Never represent yourself as a spokesperson for Employer. If Employer is a subject of the content you are creating, be clear and open about the fact that you are an associate and make it clear that your views do not represent those of Employer, fellow associates, members, customers, suppliers or people working on behalf of Employer. If you do publish online related to the work you do or subjects associated with Employer, make it clear that you are not speaking on behalf of Employer. It is best to include a disclaimer such as “The postings on this site are my own and do not necessarily reflect the views of Employer.”

Page 11

Don’t Say “No Social Media on Company Time”

Don’t say “you are not allowed to participate in personal social media activities on Company time.” Instead, say:

Refrain from using social media while on work time or on equipment we provide, unless it is work-related as authorized by your manager or consistent with the Company Equipment Policy. Do not use Employer email addresses to register on social networks, blogs or other online tools utilized for personal use.

Page 12

What About Behavioral Advertising?

Laws don’t specifically address tracking/serving ads – except COPPA

Laws exist to prohibit eavesdropping

Laws exist to prohibit deception

Result: the cases we see in the news (Google, Apple, etc.)

How to comply depends on what you are doing

FTC warns consumers to keep cookie selections updated, and to review and delete cookies: http://onguardonline.gov/articles/0042-cookies-leaving-trail-web (“Controlling Cookies” section)

Differs from Europe (opt-in)

Self-regulation helps avoid liability?

Core is to provide notice and choice

Page 13

Keep Your Eyes Open: Might Change

Page 14

Give Notice in the Ad

Logo in ad: a hyperlink

Hover over logo: get brief disclosure

Click link: takes you to notice

Page 15

Give Notice on the Site (Publisher/Advertiser)

Page 16

Example of an OBA Disclosure

Page 17

Need More Information on OBA?

http://bit.ly/15acmeo

Page 18

What About Facebook Ads?

Facebook faced a self-regulatory challenge

Facebook maintained that clicking the gray "x" in the corner of an ad was sufficient

Now FB allows third-party advertisers to display the AdChoices icon under the X

Will still have to click the gray "x"

Page 19

Can We Ask Employees for Their Social Media Passwords?

No – states are beginning to restrict this: California, Illinois, Maryland and Michigan

Why do you want all the information in those accounts?!

Employees who manage LinkedIn or other “official” accounts for the company: have them do so with a company-specific account

Impact on Social Media Policies: don’t restrict in policy – NLRB says you can’t restrict “friending”

Probably need to have separate manager/supervisor guidelines

Page 20

What's New on the Breach Front?

Page 21

Notification Law Basics

Require notification if a “breach” of “covered information”

State law: in all but a few states (and DC, Puerto Rico, USVI, and Guam too!)

HIPAA: HITECH Act – new updates!

Notification to lots of people (depending on facts of breach)

Impacted individuals – follow law of the state where people reside

Substitute notice sometimes possible

AG or other government authorities

Credit reporting agencies

Violations can result in fines

But notification can result in lawsuits!

Page 22

New Developments Stateside

Vermont Enacted Notification Law

Requires notice to Attorney General within 14 business days of discovery of the breach

Applies regardless of number of impacted individuals

Connecticut Enacted New Notification Law

Beginning on October 1, 2012, must notify Attorney General no later than when impacted residents are notified

Failure to notify could constitute violation of CT Unfair Trade Practices Act

Page 23

Reminder: State Updates from 2011

California, Illinois, Nevada, and Texas updated their data breach notification laws in 2011

In California, you must provide the AG with a copy of your consumer notification

Texas!! Could be interpreted to require notice to all impacted individuals, including those who do not reside in Texas

Could result in notice obligations for those who live in one of the four states without a data breach notification law (AL, KY, NM, and SD)

Page 24

Page 25

Want More Information?

http://bit.ly/10WisgL

Page 26

New Developments HIPAA-Wise

But first, a refresher: what is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 was enacted August 21, 1996

Title II of HIPAA required HHS to publicize national standards for the electronic exchange, privacy and security of health information (the "administrative simplification rules")

HIPAA was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009

Page 27

Who is Covered by HIPAA?

Covered Entities subject to the rules include:

Health care plans

Health care clearinghouses

Health care providers that transmit electronically any information related to a health care transaction

Business Associates

Page 28

Who are Business Associates? Am I?

Performs claims processing, data analysis, utilization review, and billing on behalf of (or for) a covered entity

Involves the use or disclosure of individually identifiable health information

Is a Health Information Organization, E-prescribing Gateway

Provides data transmission services with respect to protected health information to a covered entity that requires routine access to such protected health information; and

Offers a personal health record to one or more individuals on behalf of a covered entity

Page 29

What Does This Have to do with Breaches?

A covered entity that uses a business associate should have written safeguards on the use of individually identifiable health information (business associate agreement)

HITECH expands application of HIPAA restrictions directly to business associates and to their subcontractors on down the line

An entity can be a “business associate” to a “business associate"

Page 30

What Information is Protected by HIPAA?

The privacy rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate

In any form or media, whether electronic, paper, or oral

The privacy rule calls this information “protected health information” (“PHI”)

Page 31

What are the Basic HIPAA Principles?

Basic Privacy Principle: Covered entities cannot use or disclose PHI, except as permitted or required by the privacy rules or as authorized by the individual in writing

Basic Security Principle: Covered entities must implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI

Page 32

What is HITECH?

The HITECH Act passed as part of the ARRA of 2009 contained a new breach notification rule

On February 22, 2010, enforcement of HITECH's breach notification rule went into effect for failures to provide required notice following a breach of unsecured PHI

On January 23, 2013, final regulations were issued that are effective March 23, 2013, with implementation required for certain items by September 23, 2013

Page 33

What Uses Cause a Breach Under HITECH?

A breach is the acquisition, access, use or disclosure of PHI in a manner not permitted by the privacy rules that compromises the security or privacy of unsecured PHI

The final regulations changed the breach standard.

Old Rule: if there was a significant risk of financial, reputational or other harm to the individual because of a breach, then notice was required.

New Rule: a breach is presumed unless there is a low probability that the unsecured PHI has been compromised.

A fact-specific risk assessment following each incident is required

Page 34

What are the Elements of an Assessment?

The nature and extent of the PHI involved,

The unauthorized person who used the PHI or to whom the PHI was disclosed,

Whether the PHI was actually acquired or viewed, and

The extent to which the risk to the PHI has been mitigated

Page 35

When is a Breach Discovered?

Covered Entities

Breach considered discovered as of first day on which breach is known to covered entity (including any of their employees, officers, or agents), or should reasonably have been known to have occurred

Business Associates

Breach considered discovered as of first day on which breach is known to the business associate (including any of their employees, officers or agents), or should reasonably have been known to have occurred

In some instances, knowledge of a breach will be attributed to the covered entity

Page 36

What are the Notice Requirements Under HITECH?

Covered entity must provide notice to each individual "without unreasonable delay," but no later than 60 days, after discovery of the breach

Written notice sent by first-class mail to last known address

By email if individual agrees

Annual notice requirement to HHS unless breach affects a large group of individuals

If breach is by a Business Associate, beginning of notice period depends on whether Business Associate is an agent

Page 37

Are There Special Requirements for Large Group Breaches?

If breach involves 500 or more individuals living in a state or jurisdiction, covered entity must notify media outlets in state or jurisdiction "without unreasonable delay," but no later than 60 days, after discovery of the breach

Covered entity also must notify the Secretary of HHS:

If breach involves 500 or more individuals, covered entity also must notify HHS at the same time as it provides notice to individuals

If breach involves fewer than 500 individuals, covered entity must maintain log and submit log to HHS no later than 60 days after the end of calendar year
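The notice rules on pages 33 through 37 are the kind of thing an incident-response team ends up re-deriving under time pressure, so here they are as code. This is an added example, not part of the Winston & Strawn deck: it takes a constructed incident (discovery date plus a roster of affected individuals with their state of residence) and returns who must be told and by when. The roster format, the UTC calendar dates, and the assumption that the covered entity itself discovered the breach (the business-associate agency question on page 36 is not modeled) are mine, not the deck's; state-law AG notice is also left out.

```javascript
// Added example, not from the Winston & Strawn deck: turn the HITECH notice
// rules summarized on pages 33-37 into a per-incident obligation list.
//
// Rules encoded (as the deck states them):
//   - notice to each individual without unreasonable delay, and no later than
//     60 days after discovery;
//   - media notice in every state or jurisdiction with 500 or more affected
//     residents, same 60-day outer limit;
//   - HHS notified at the same time as individuals when 500 or more
//     individuals are affected, otherwise logged and submitted no later than
//     60 days after the end of the calendar year;
//   - under the 2013 final rule a breach is presumed unless a documented
//     four-factor assessment found a low probability of compromise.
// Assumptions (mine): roster row shape, UTC dates, discovery by the covered
// entity itself. Business-associate agency and state AG notice are not modeled.

const DAY_MS = 24 * 60 * 60 * 1000;
const LARGE_BREACH = 500;
const NOTICE_WINDOW_DAYS = 60;

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

function isoDate(date) {
  return date.toISOString().slice(0, 10);
}

// Count affected individuals by state of residence. State-law notice
// (page 21: "follow law of the state where people reside") keys off this too.
function countByState(roster) {
  const counts = {};
  for (const person of roster) {
    const state = String(person.state).toUpperCase();
    counts[state] = (counts[state] || 0) + 1;
  }
  return counts;
}

// Constructed-data helper: expand {IL: 520, WI: 80} into roster rows.
function makeRoster(countsByState) {
  const roster = [];
  for (const [state, n] of Object.entries(countsByState)) {
    for (let i = 0; i < n; i++) roster.push({ id: `${state}-${i}`, state });
  }
  return roster;
}

function hitechObligations(incident) {
  const discovered = new Date(incident.discoveredUtc + 'T00:00:00Z');
  if (Number.isNaN(discovered.getTime())) {
    throw new Error('discoveredUtc must be YYYY-MM-DD');
  }
  const byState = countByState(incident.roster);
  const total = incident.roster.length;

  // A low-probability finding only rebuts the presumption when all four
  // factors are documented; anything less keeps the presumption of a breach.
  const ra = incident.riskAssessment || {};
  const lowProbability =
    ra.conclusion === 'low probability' &&
    ['natureOfPhi', 'recipient', 'acquiredOrViewed', 'mitigation'].every(
      (k) => typeof ra[k] === 'string' && ra[k].length > 0
    );
  if (lowProbability) {
    return { noticeRequired: false, total, byState, retain: 'four-factor risk assessment' };
  }

  const outerLimit = addDays(discovered, NOTICE_WINDOW_DAYS);
  const mediaNoticeStates = Object.keys(byState)
    .filter((s) => byState[s] >= LARGE_BREACH)
    .sort();
  const yearEnd = new Date(Date.UTC(discovered.getUTCFullYear(), 11, 31));
  const hhs =
    total >= LARGE_BREACH
      ? { when: 'concurrent with individual notice', deadline: isoDate(outerLimit) }
      : { when: 'annual log', deadline: isoDate(addDays(yearEnd, NOTICE_WINDOW_DAYS)) };

  return {
    noticeRequired: true,
    total,
    byState,
    individualNoticeDeadline: isoDate(outerLimit),
    mediaNoticeStates,
    hhs,
  };
}

// Constructed incident, not a real case: 600 Illinois/Wisconsin patients.
const SAMPLE_INCIDENT = {
  discoveredUtc: '2013-03-15',
  roster: makeRoster({ IL: 520, WI: 80 }),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(hitechObligations(SAMPLE_INCIDENT), null, 2));
}
```

The 60-day figure is an outer limit, not a target; "without unreasonable delay" still governs. The low-probability branch deliberately requires a written answer for every factor, because the documentation is what you will be asked to produce if the decision not to notify is later questioned.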

Page 38

What Are Frequent Compliance Issues?

The compliance issues investigated most frequently by HHS (in order of frequency):

Impermissible uses and disclosures of PHI

Lack of safeguards of PHI

Lack of patient access to their PHI

Uses or disclosures of more than the minimum necessary PHI

Lack of or invalid authorizations for uses and disclosures of PHI

Page 39

What Steps Should be Taken?

Covered entities should be certain to update the following HIPAA information:

Workforce training

Complaint process

Sanctions against workforce members

Policies and procedures (i.e., need to update to add these requirements)

Document retention (e.g., demonstrate all required notices provided if there is a breach or why an exception to breach applies)

Notice of Privacy Practices

Review business associate agreements, as these will need to be updated to comply with final regulations

Implement technologies for rendering PHI secure

Page 40

Would You Like More HIPAA Info?

May 16th E-Lunch

HITECH-HIPAA-GINA Final Rules Require Action

Page 41

Mobile Apps and the Dreaded “Privacy Policy”

Page 42

California Requires Privacy Policy for Apps

California Online Privacy Protection Act requires all commercial websites or “services” to have a privacy policy

CA and App Stores agreed – this applies to apps

Potential fine of $2,500 per app download

Applies if you collect PII, but that’s broadly defined

California AG sued Delta under this law in December 2012

Delta’s website privacy policy did not mention the Fly Delta app

California first sent a letter giving Delta 30 days to fix the omission; Delta did not fix it in time

Page 43

What Should We Say?

California’s AG “recommendations”:

Assess the collection, use, and disclosure of PII

Limit to what is needed

Provide clear privacy policy – this can be the same as the website one, if it mentions the app

Give extra notice for “unusual” uses

FTC agrees – has its own (similar) recommendations

Recommends thinking about privacy from the start

Be transparent – both in privacy policy and “just in time”

Protect kids – remember COPPA applies to apps

And the standards: security, sensitive data with consent, self-regulation

Page 44

What About OBA in Mobile?

DAA to release OBA privacy standards for mobile

New app by Evidon called Ad Control available through iTunes

Consumer can download the app and slide a button to turn "ad tracking" on or off for each listed company in the app

What will the FTC think??

Page 45

COPPA Impact on Apps

Privacy policy needs to be in the app

FTC recommends it be in the store as well (remember CA requires this)

Need to give parents direct notice before collection

Could send through the device as long as you have a way of getting consent and it is reasonable that it's the parent giving consent

FTC seems open to this being a video process

Parental Consent: if information is collected as soon as the app is downloaded, then you would need consent before that (i.e., at point of purchase)

Remember this applies only if collecting PII

Not always the case – for example, an app with a photo widget where the photo isn't sent to the company

Page 46

COPPA Rule Change: Are You Ready for July 1?

Page 47

Impact of COPPA on OBA

Ask if the site is covered by COPPA: Is it directed to children?

Are you knowingly collecting from children?

Get parental consent unless an exception applies – one-time use? Seems unlikely

Will cause the industry to think again about site audience: subject matter, visual content, animated characters

Empirical evidence of audience composition

“Safe harbor” of sorts – even if “directed to” children but you don’t target kids, OK if you:

Do not collect PII (this includes OBA info!) before collecting age info

Stop collection of PII from anyone who says they are under 13

Does this mean age-gating before any OBA?! Seems like it; no answers yet from FTC

But, FTC seems to think you may need consent (see new FAQs, #41): “You may be required to notify parents . . . and obtain verifiable parental consent"

And may also need to do lots more diligence to find out what vendors do on your site (FAQ 42)
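What the two bullets of the "safe harbor of sorts" look like in a page is an ordering problem: the ad and analytics tags that would collect OBA information must not load until the visitor's age is known, and an under-13 answer has to stick. The following is an added example, not code from the deck or from any vendor it mentions. The placeholder tag URLs, the first-party cookie name `ag`, the one-year cookie lifetime, and the choice to ask for a birth date rather than a yes/no question are my assumptions. The decision functions are pure so they can be tested outside a browser.

```javascript
// Added example, not from the Winston & Strawn deck: the page 47 "safe
// harbor of sorts" as browser logic. Nothing that could feed OBA (third-party
// ad or analytics tags) is loaded until age is known, collection stops for
// anyone who says they are under 13, and an under-13 answer is remembered so
// a reload or the back button does not bypass the gate.
//
// Assumptions (mine): TRACKER_TAGS are placeholders, the remembered answer is
// a first-party cookie named 'ag' kept for a year, and the age screen asks for
// a birth date neutrally rather than saying "you must be 13 to enter".

const COPPA_AGE = 13;
const GATE_COOKIE = 'ag';
// Hypothetical third-party tags; substitute the real ad/analytics scripts.
const TRACKER_TAGS = ['https://ads.example/tag.js', 'https://analytics.example/a.js'];

// Whole years between birth and today, both treated as UTC calendar dates.
function ageInYears(birth, today) {
  const age = today.getUTCFullYear() - birth.getUTCFullYear();
  const birthdayPassed =
    today.getUTCMonth() > birth.getUTCMonth() ||
    (today.getUTCMonth() === birth.getUTCMonth() && today.getUTCDate() >= birth.getUTCDate());
  return birthdayPassed ? age : age - 1;
}

// Classify a submitted YYYY-MM-DD birth date. Malformed or future dates are
// 'invalid', which callers treat the same as "age unknown": no tracking.
function gateDecision(birthIso, today) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(birthIso)) return 'invalid';
  const birth = new Date(birthIso + 'T00:00:00Z');
  if (Number.isNaN(birth.getTime()) || birth.getTime() > today.getTime()) return 'invalid';
  return ageInYears(birth, today) >= COPPA_AGE ? 'adult' : 'child';
}

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Policy check: tracking tags may load only when this visit produced an
// 'adult' decision AND no earlier under-13 answer is remembered.
function trackingAllowed(cookieString, decision) {
  if (parseCookies(cookieString)[GATE_COOKIE] === 'child') return false;
  return decision === 'adult';
}

// Browser glue, called from the age screen's submit handler. `doc` is the
// page's document (passed in so the logic can be exercised with a stand-in).
function onAgeSubmitted(doc, birthIso, now = new Date()) {
  const decision = gateDecision(birthIso, now);
  if (decision === 'child') {
    // Remember only the flag, never the birth date itself (assumed one-year life).
    doc.cookie = `${GATE_COOKIE}=child; Max-Age=31536000; Path=/; SameSite=Lax`;
  }
  if (trackingAllowed(doc.cookie, decision)) {
    for (const src of TRACKER_TAGS) {
      const s = doc.createElement('script');
      s.src = src;
      s.async = true;
      doc.head.appendChild(s);
    }
  }
  return decision;
}
```

Two design points worth noting: the tags are injected only after the decision, rather than loaded and then "turned off", because a tag that has already run has already collected; and the cookie stores a one-word flag rather than the birth date, so the gate itself does not become a store of children's PII. Whether this is enough for a site the FTC would call "directed to children" is the open question the slide raises (FAQ #41), not something the code settles.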

Page 48

What if a Kid Submits Someone Else's Photo?

Photos are now PII if they contain a child's image or voice

Doesn't matter if it is the image or voice of the child submitting

So, you have collected PII if you collect a picture of a kid (any kid) from a kid

You have not collected PII if you collect a picture of an adult from a kid

Remember: COPPA Rule triggered if you collect PII from a kid (regardless of whose PII, so even if getting parent's email)

Page 49

When is a Screen Name PII?

Screen names now fall under definition of PII

Means that you need consent unless you fall under an exception

Respond once to direct request (no notice)

More than once to direct request (notice, but no consent)

Names collected before July 1 are exempt

FTC has suggested that if a screen name is only usable on a given site (chat room, for example), it won't be viewed as PII

Unclear how this will play out

Page 50

Collecting PII During a Credit Card Transaction

Page 51

Song Beverly Litigation

Statute prohibits requiring or requesting PII to be written/caused to be written on credit card transaction form

Broadly interpreted:

Both what is a writing on the form

And what is PII (even zip code)

Intensely litigated

Avoid collecting PII during transaction – when is it over?

What about loyalty programs?

Page 52

But Wait… California isn't the Only One!

At least 16 states with similar laws

Most similar: MA – cases have been litigated there, new ones being filed

MN also says "request" the PII

Most other states distinguish and prohibit "requiring as a condition of accepting the card"

Still worth watching, thinking about nationwide strategy

Page 53

Page 54

More Resources

Website: www.winston.com/privacylawcorner

www.winston.com/privacylawresources

Twitter: @winstonprivacy

Newsletters: privacy, advertising, labor law

Page 55

Today’s Presenters (repeats Page 2)

Page 56

Thank You!