TRANSCRIPT
© 2013 Winston & Strawn LLP
Hot Topics in Privacy Law
Today’s Presenters
Linda Hoseman
Chicago
312-558-6159
Liisa Thomas
Chicago
312-558-6149
Eric Zion
Charlotte
704-350-7713
Robert Newman
Chicago
312-558-8125
Overview
1. Social Media and Privacy – New Concerns
2. What's New on the Breach Front?
3. Mobile Apps and the Dreaded "Privacy Policy”
4. COPPA Rule Change – Are You Ready for July 1?
5. Collecting PII During a Credit Card Transaction
Social Media and Privacy –New Concerns
How Broadly Can I Word My Social Media Policy?
Answer: Not very broad – be specific
NLRB is aggressively enforcing Section 7 rights
Targeting non-unionized employers with overbroad policies
What Are Section 7 Rights?
All employees except supervisors and managerial employees
Does not cover true independent contractors
Employees have the right to engage in “Protected Concerted Activity”
“Concerted Activity” – employees’ right to act together to improve working conditions or for mutual aid and protection
“Protected” – certain conduct is “out-of-bounds” and loses protection
NLRB getting aggressive
Issued first “Facebook firing” decision in October 2012
Three memos from the NLRB General Counsel focusing on social media
When Things Go Wrong
Bettie Page Clothing (April 19, 2013)
Employer policy prohibited:
“Disclosure of wages or compensation to any third party or other employee is prohibited and could be grounds for termination.”
“It is a condition of employment that you not disclose this [personnel] information to third parties during or after employment.”
Board holds violation of Section 7
Orders company-wide notice to employees of rescission of the policy
Orders reinstatement with back pay of three employees terminated for comments about supervisors on Facebook
Making “Don’t Disclose Confidential Information” Less Broad
Don’t say “do not disclose confidential customer, employee or company information.” Instead say:
Maintain the confidentiality of Employer trade secrets and private or confidential information. Trade secrets may include information regarding the development of systems, processes, products, know-how and technology. Do not post internal reports or other internal business-related confidential communications.
Separate policy for managers?
How to Make “Don’t Disparage” Less Broad
Don’t say “do not make disparaging or defamatory statements.” Instead say:
Never post any information or rumors that you know to be false about Employer, fellow associates, members, customers, suppliers, people working on behalf of Employer or competitors.
Why “Ask HR” Doesn’t Work
Don’t say, “if you are not sure, consult with HR or your manager before posting something,” say:
Express only your personal opinions. Never represent yourself as a spokesperson for Employer. If Employer is a subject of the content you are creating, be clear and open about the fact that you are an associate and make it clear that your views do not represent those of Employer, fellow associates, members, customers, suppliers or people working on behalf of Employer. If you do publish online related to the work you do or subjects associated with Employer, make it clear that you are not speaking on behalf of Employer. It is best to include a disclaimer such as “The postings on this site are my own and do not necessarily reflect the views of Employer.”
Don’t Say “No Social Media on Company Time”
Don’t say “you are not allowed to participate in personal social media activities on Company time.” Instead say:
Refrain from using social media while on work time or on equipment we provide, unless it is work-related as authorized by your manager or consistent with the Company Equipment Policy. Do not use Employer email addresses to register on social networks, blogs or other online tools utilized for personal use.
What About Behavioral Advertising?
Laws don’t specifically address tracking/serving ads
Except COPPA
Laws exist to prohibit eavesdropping
Laws exist to prohibit deception
Result: the cases we see in the news (Google, Apple, etc.)
How depends on what you are doing
FTC warns consumers to keep cookie selections updated, review and delete them: http://onguardonline.gov/articles/0042-cookies-leaving-trail-web#Controlling Cookies
Differs from Europe (opt-in)
Self-regulation helps avoid liability?
Core is to provide notice and choice
Keep Your Eyes Open: Might Change
Give Notice in the Ad
Logo in Ad:
A hyperlink
Hover over logo:get brief disclosure
Click link:
Takes you to notice
Give Notice on the Site (Publisher/Advertiser)
Example of an OBA Disclosure
Need More Information on OBA?
http://bit.ly/15acmeo
What About Facebook Ads?
Facebook faced a self-regulatory challenge
Facebook maintained that clicking the gray "x" in the corner of an ad was sufficient
Now FB allows third-party advertisers to display the AdChoices icon under the X
Will still have to click the gray "x"
Can We Ask Employees for Their Social Media Passwords?
No, states are beginning to restrict this: California, Illinois, Maryland and Michigan
Why do you want all the information in those accounts?!
Employees who manage LinkedIn or other “official” accounts for the company
Have them do so with a company-specific account
Impact on Social Media Policies:
Don’t restrict in policy – NLRB says can’t restrict “friending”
Probably need to have separate manager/supervisor guidelines
What's New on the Breach Front?
Notification Law Basics
Require notification if there is a “breach” of “covered information”
State Law: in all but a few states (and DC, Puerto Rico, USVI, and Guam too!)
HIPAA: HITECH Act – new updates!
Notification to lots of people (depending on facts of breach)
Impacted individuals – follow the law of the state where the people reside
Substitute notice sometimes possible
AG or other government authorities
Credit reporting agencies
Violations can result in fines
But notification can result in lawsuits!
New Developments Stateside
Vermont Enacted Notification Law
Requires notice to Attorney General within 14 business days of discovery of the breach
Applies regardless of number of impacted individuals
Connecticut Enacted New Notification Law
Beginning on October 1, 2012, must notify Attorney General no later than when impacted residents are notified
Failure to notify could constitute violation of CT Unfair Trade Practices Act
Reminder: State Updates from 2011
California, Illinois, Nevada, and Texas updated their data breach notification laws in 2011
In California, you must provide the AG with a copy of your consumer notification
Texas!! Could be interpreted to require notice to all impacted individuals, including those who do not reside in Texas
Could result in notice obligations for those who live in one of the four states without a data breach notification law (AL, KY, NM, and SD)
Want More Information?
http://bit.ly/10WisgL
New Developments HIPAA-Wise
But first, a refresher: What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was enacted August 21, 1996
Title II of HIPAA required HHS to publish national standards for the electronic exchange, privacy and security of health information (the "administrative simplification rules")
HIPAA was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009
Who is Covered by HIPAA?
Covered Entities subject to the rules include:
Health plans
Health care clearinghouses
Health care providers that electronically transmit health information in connection with certain standard transactions
Business Associates
Who Are Business Associates? Am I?
A business associate is an entity that:
Performs claims processing, data analysis, utilization review, or billing on behalf of (or for) a covered entity, where that function involves the use or disclosure of individually identifiable health information
Is a Health Information Organization or E-prescribing Gateway
Provides data transmission services with respect to protected health information to a covered entity and requires routine access to such protected health information; or
Offers a personal health record to one or more individuals on behalf of a covered entity
What Does This Have to do with Breaches?
A covered entity that uses a business associate should have written safeguards on the use of individually identifiable health information (business associate agreement)
HITECH expands application of HIPAA restrictions directly to business associates and to their subcontractors on down the line
An entity can be a “business associate” to a “business associate"
What Information is Protected by HIPAA?
The privacy rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate
In any form or media, whether electronic, paper, or oral
The privacy rule calls this information “protected health information” (“PHI”)
What are the Basic HIPAA Principles?
Basic Privacy Principle: Covered entities cannot use or disclose PHI, except as permitted or required by the privacy rules or as authorized by the individual in writing
Basic Security Principle: Covered entities must implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI
What is HITECH?
The HITECH Act passed as part of the ARRA of 2009 contained a new breach notification rule
On February 22, 2010, enforcement of HITECH's breach notification rule went into effect for failures to provide required notice following a breach of unsecured PHI
On January 25, 2013, the final (Omnibus) regulations were published in the Federal Register; they took effect March 26, 2013, with compliance required for certain items by September 23, 2013
What Uses Cause a Breach Under HITECH?
A breach is the acquisition, access, use or disclosure of PHI in a manner not permitted by the privacy rules that compromises the security or privacy of unsecured PHI
The final regulations changed the breach standard. Old Rule: if there is a significant risk of financial, reputational or other harm to the individual because of a breach, then notice was required. New Rule: A breach is presumed unless there is a low probability that the unsecured PHI has been compromised
A fact-specific risk assessment following each incident is required
What are the Elements of an Assessment?
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,
The unauthorized person who used the PHI or to whom the PHI was disclosed,
Whether the PHI was actually acquired or viewed, and
The extent to which the risk to the PHI has been mitigated
When is a Breach Discovered?
Covered Entities
Breach considered discovered as of first day on which breach is known to covered entity (including any of their employees, officers, or agents), or should reasonably have been known to have occurred
Business Associates
Breach considered discovered as of first day on which breach is known to the business associate (including any of their employees, officers or agents), or should reasonably have been known to have occurred
In some instances, knowledge of a breach will be attributed to the covered entity
What are the Notice Requirements Under HITECH?
Covered entity must provide notice to each individual "without unreasonable delay," but no later than 60 days, after discovery of the breach
Written notice sent by first-class mail to last known address
By email if the individual agrees
Annual notice requirement to HHS unless breach affects a large group of individuals
If breach is by a Business Associate, beginning of notice period depends on whether Business Associate is an agent
Are There Special Requirements for Large Group Breaches?
If breach involves 500 or more individuals living in a state or jurisdiction, covered entity must notify media outlets in state or jurisdiction "without unreasonable delay," but no later than 60 days, after discovery of the breach
Covered entity also must notify the Secretary of HHS:
If breach involves 500 or more individuals, covered entity must notify HHS at the same time as it provides notice to individuals
If breach involves fewer than 500 individuals, covered entity must maintain log and submit log to HHS no later than 60 days after the end of calendar year
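To make the timing rules on the last two slides concrete, here is an added worked example that is not part of the Winston & Strawn presentation. It turns a discovery date and a list of affected individuals into the set of notices and outer deadlines the slides describe: individual notice within 60 days of discovery, media notice where 500 or more residents of one state or jurisdiction are affected, HHS notice at the same time as individual notice for 500 or more individuals, and otherwise the annual log due 60 days after the calendar year ends. The record format, the function names and the sample breaches are assumptions made for this example; the thresholds come from the slides.

```python
"""HITECH breach notification obligations, as an added worked example.

This is illustration added to the slide material, not code from the
presentation. It encodes only the timing rules summarized on the slides.
The record format, function names and sample data are assumptions made
for this example.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Iterable, List, NamedTuple

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days" outer limit
LARGE_BREACH = 500                   # threshold for media and contemporaneous HHS notice


class Affected(NamedTuple):
    person_id: str   # de-duplicated below; one person can appear in many records
    state: str       # state or jurisdiction of residence, e.g. "IL"


class Obligation(NamedTuple):
    recipient: str   # "individuals", "media:<state>", "HHS" or "HHS-annual-log"
    deadline: date   # outer limit; "without unreasonable delay" still governs
    detail: str


def hitech_obligations(discovered: date, affected: Iterable[Affected]) -> List[Obligation]:
    """Return the notices triggered by a breach of unsecured PHI.

    `discovered` is the first day the breach was known, or should reasonably
    have been known, to the covered entity (see the discovery slide above).
    """
    # Count people, not records, so duplicate rows do not inflate the totals.
    state_of = {a.person_id: a.state for a in affected}
    total = len(state_of)
    per_state = Counter(state_of.values())
    outer_deadline = discovered + NOTICE_WINDOW

    obligations = [Obligation(
        "individuals", outer_deadline,
        f"written notice to {total} individuals by first-class mail to last known address "
        f"(email only where the individual has agreed)")]

    # Media notice is judged per state or jurisdiction, never on the grand total.
    for state, n in sorted(per_state.items()):
        if n >= LARGE_BREACH:
            obligations.append(Obligation(
                f"media:{state}", outer_deadline,
                f"notify prominent media outlets serving {state} ({n} residents affected)"))

    if total >= LARGE_BREACH:
        obligations.append(Obligation(
            "HHS", outer_deadline,
            "notify the Secretary of HHS at the same time as individuals are notified"))
    else:
        # Smaller breaches go in a log submitted within 60 days after year end.
        year_end = date(discovered.year, 12, 31)
        obligations.append(Obligation(
            "HHS-annual-log", year_end + NOTICE_WINDOW,
            f"log the breach ({total} individuals) and submit the calendar-year log to HHS"))
    return obligations


def example_large_breach() -> List[Obligation]:
    """Constructed sample: 600 Illinois and 20 Wisconsin residents, discovered 1 May 2013."""
    people = [Affected(f"il-{i}", "IL") for i in range(600)]
    people += [Affected(f"wi-{i}", "WI") for i in range(20)]
    people.append(Affected("il-0", "IL"))   # duplicate record; must not be double counted
    return hitech_obligations(date(2013, 5, 1), people)


def example_small_breach() -> List[Obligation]:
    """Constructed sample: 30 Illinois residents, discovered 1 May 2013."""
    people = [Affected(f"il-{i}", "IL") for i in range(30)]
    return hitech_obligations(date(2013, 5, 1), people)


if __name__ == "__main__":
    for case in (example_large_breach, example_small_breach):
        print(case.__doc__)
        for o in case():
            print(f"  {o.recipient:15} by {o.deadline}: {o.detail}")
```

The deadlines produced are outer limits only; the "without unreasonable delay" standard still applies, and when the breach occurs at a business associate the clock may start on the business associate's discovery date if it is acting as the covered entity's agent, which this example does not model.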
What Are Frequent Compliance Issues?
The compliance issues investigated most frequently by HHS (in order of frequency):
Impermissible uses and disclosures of PHI
Lack of safeguards of PHI
Lack of patient access to their PHI
Uses or disclosures of more than the minimum necessary PHI
Lack of or invalid authorizations for uses and disclosures of PHI
What Steps Should be Taken?
Covered entities should be certain to update the following HIPAA information:
Workforce training
Complaint process
Sanctions against workforce members
Policies and procedures (i.e., need to update to add these requirements)
Document retention (e.g., demonstrate all required notices provided if there is a breach or why an exception to breach applies)
Notice of Privacy Practices
Review business associate agreements, as these will need to be updated to comply with final regulations
Implement technologies for rendering PHI secure
Would You Like More HIPAA Info?
May 16th E-Lunch
HITECH-HIPAA-GINA Final Rules Require Action
Mobile Apps and the Dreaded “Privacy Policy”
California Requires Privacy Policy for Apps
California Online Privacy Protection Act requires all commercial websites or “services” to have a privacy policy
CA and App Stores agreed – this applies to apps
Potential fine of $2,500 per app download
Applies if you collect PII, but that’s broadly defined
California AG sued Delta under this law in December 2012
Delta’s website privacy policy does not mention the Fly Delta app
California first sent a letter giving Delta 30 days to fix the omission; Delta did not fix it in time
What Should We Say?
California’s AG “recommendations”:
Assess the collection, use, and disclosure of PII
Limit to what is needed
Provide a clear privacy policy
This can be the same as the website one, if it mentions the app
Give extra notice for “unusual” uses
FTC agrees – has its own (similar) recommendations
Recommends thinking about privacy from the start
Be transparent – both in the privacy policy and “just in time”
Protect kids – remember COPPA applies to apps
And the standards: security, sensitive w/consent, self-regulation
What About OBA in Mobile?
DAA to release OBA privacy standards for mobile
New app by Evidon called Ad Control available through iTunes
Consumer can download the app and slide a button to turn "ad tracking" on or off for each listed company in the app
What will the FTC think??
COPPA Impact on Apps
Privacy policy needs to be in the app
FTC recommends it be in the store as well (remember CA requires this)
Need to give parents direct notice before collection
Could send through the device as long as you have a way of getting consent and it is reasonable that it's the parent giving consent
FTC seems open to this being a video process
Parental Consent
If information is collected as soon as the app is downloaded, then you would need consent before (i.e., at point of purchase)
Remember this applies only if collecting PII
Not always the case, for example, an app with a photo widget where the photo isn't sent to the company
COPPA Rule Change: Are You Ready for July 1?
Impact of COPPA on OBA
Ask if the site is covered by COPPA
Is it directed to children?
Are you knowingly collecting from children?
Get parental consent unless an exception applies
One-time use? Seems unlikely
Will cause the industry to think again about site audience
Subject matter, visual content, animated characters
Empirical evidence of audience composition
“Safe harbor” of sorts – even if “directed to” children but kids are not your primary audience, OK if:
Do not collect PII (this includes OBA info!) before collecting age info
Stop collection of PII from anyone who says they are under 13
Does this mean age-gating before any OBA?! Seems like it, no answers yet from FTC
But FTC seems to think you may need consent (see new FAQs, #41): “You may be required to notify parents . . . and obtain verifiable parental consent”
And may also need to do lots more diligence to find out what vendors do on your site (FAQ 42)
What if a Kid Submits Someone Else's Photo?
Photos are now PII if they contain a child's image or voice
Doesn't matter if it is the image or voice of the child submitting
So, you have collected PII if you collect a picture of a kid (any kid) from a kid
You have not collected PII if you collect a picture of an adult from a kid
Remember: COPPA Rule is triggered if you collect PII from a kid (regardless of whose PII, so even if getting the parent's email)
When is a Screen Name PII?
Screen names now fall under the definition of PII
Means that you need consent unless you fall under an exception
Respond once to a direct request (no notice)
More than once to a direct request (notice, but no consent)
Names collected before July 1 are exempt
FTC has suggested that if a screen name is only usable on a given site (a chat room, for example), it won't be viewed as PII
Unclear how this will play out
Collecting PII During a Credit Card Transaction
Song Beverly Litigation
Statute prohibits requiring or requesting PII to be written, or caused to be written, on the credit card transaction form
Broadly interpreted
Both what is a writing on the form
And what is PII (even a zip code)
Intensely litigated
Avoid collecting PII during the transaction
When is it over?
What about loyalty programs?
But Wait… California isn't the Only One!
At least 16 states with similar laws
Most similar: MA
Cases have been litigated there, new ones being filed
MN also says "request" the PII
Most other states distinguish and prohibit "requiring as a condition of accepting the card"
Still worth watching, thinking about nationwide strategy
More Resources
Website: www.winston.com/privacylawcorner
www.winston.com/privacylawresources
Twitter: @winstonprivacy
Newsletters: privacy, advertising, labor law
Thank You!