Privacy and Data Security: Outlook 2011

Cox Smith Privacy / Data Security E-Alert:

The New Year brings with it the exciting prospect of real movement in U.S. privacy law. Given this environment of evolving developments and challenges, we have decided to send occasional email updates. This first email looks at where we are on privacy and the outlook for 2011.

The Stage, as set by the December 2010 FTC and DOC Reports
Both the Federal Trade Commission (FTC) and the Department of Commerce took bold stands with separate reports in December. The FTC report focuses on behavioral advertising, transparency, and choice. The Department of Commerce report is not so focused, but leans towards self-regulation, while requesting comments about the FTC’s authority, privacy "principles", and the development of a U.S. privacy "framework".

For marketers, the Do-Not-Track proposal in the FTC’s report signaled that the FTC was not satisfied with self-regulation initiatives of the advertising industry and, more recently, browser providers. At its core, the problem posed by (behind-the-scenes) trackers’ ability to combine "anonymous" pieces of data into targeted (read, "personally identifiable" or "device identifying") information demands a new approach; yet, it is clear that a simple "on/off" do-not-track mechanism will not work. In any event, advertisers and the website industry that relies on them will be scrambling. With a new Chief Technologist, Ed Felten of Princeton’s Center for Information Technology Policy, the FTC is armed for industry response. Notably, at least for now, the FTC is only focused on website (not mobile) tracking, and only on third party tracking (but not third-party analytics for primary website operators).

Meanwhile, the Wall Street Journal’s popular "What They Know" series on Internet tracking has informed the public (partially accomplishing one of the FTC’s objectives) and heightened public interest. Among other things, the WSJ series has revealed that website operators may not even realize that a service provider (or a service provider of a service provider) is extracting user data from their websites. Thus, companies that have a mobile application or collect any personal information online may want to have their IT departments take a close look at all vendors with any access to their websites (or apps), while also double-checking the underlying contracts.

Federal legislators keep talking about federal privacy legislation (including a preemptive federal data breach notification law), and there may soon be enough public interest and momentum for legislation to actually get passed. Predictions are that do-not-track will prove to be too controversial at the federal level this year, but a federal data breach law may succeed. Watch for states to continue to adopt privacy laws (maybe even do-not-track) where the federal government does not. Also, it will be interesting to see what if anything comes of behavioral tracking lawsuits alleging illegal "interception" under the outdated Electronic Communications Privacy Act and "unauthorized access" under the Computer Fraud and Abuse Act.

As a general matter, the FTC will continue to look for shorter privacy policies and meaningful (contemporaneous, conspicuous, clear) notice and consumer choice mechanisms. Put another way, it seems that the privacy policy of old is destined to become more an accountability statement and less of a vehicle for actually providing notice and obtaining consent.

Also, while the FTC has not regulated mobile devices extensively, it has established a "mobile lab". For now, though, companies that do any mobile marketing continue to face challenging notification and consent issues, including a lack of clarity in federal laws and regulations that concern "calls" or "emails", but do not squarely address "text" messages. Given the highly relevant, online-plus-offline, nature of smartphone data, the rise of the "fourth screen" (the electronic notepad), and the fact that locational data has found its way into the "sensitive" category, more significant laws and regulation in the mobile space are only a matter of time.

Financial Institutions
A key issue unfolding in 2011 is the organization and activities of the Consumer Financial Protection Bureau (CFPB). The CFPB, (a new agency within the Federal Reserve Board) was created under the Dodd-Frank act, and will exercise rulemaking, investigation, and enforcement authority for a number of specific financial protection statutes, including the financial privacy requirements of the Gramm-Leach-Bliley Act (GLBA). Also this year, financial institutions can report on the successes and limitations of the GLBA form privacy notice rolled out in 2010.

HIPAA-Protected Health Information
Taking into account the sheer volume of highly-regulated PHI, the push to transition to electronic health records, and evolving HIPAA requirements, health information technology is reportedly the number one issue for the health industry this year. The Department of Health & Human Services (HHS) has stated its intention to provide guidance in the form of the following rules this year:

• final Breach Notification Rule;
• final HIPAA Enforcement Rule;
• final rule implementing HITECH requirements;
• final rule implementing Genetic Information Nondiscrimination Act requirements; and
• proposed rule on accounting of disclosures of electronic health records.

Most or all of these rules are to be released at the same time, and we can expect a six month compliance grace period thereafter. It remains unclear whether and to what extent HHS and the state attorneys general will actually ramp up enforcement activity.

Other Important Developments
In 2011, companies will increasingly incorporate what is sometimes referred to as "privacy by design" (or "good data hygiene") into their internal systems, policies, and procedures. Smart software providers, and others that offer products and services that touch personal information, will more consciously incorporate privacy into the design of those products and services as well. Laws such as the Massachusetts data protection regulations and the Red Flags Rule have made the written information security program a universally applicable requirement. Such laws, and reputational pressure, have increased the importance of protective measures and ongoing risk assessment when entrusting personal information to service providers. As information technology continues to race along, including the natural evolution to storage and processing in the "cloud", companies rely more heavily on information-handling service providers, in the U.S. and abroad. The too-common approach of simply letting the IT department sign vendors’ form contracts is increasingly ill-advised.

On the international front, the European Union is actively revisiting the EU Data Protection Directive (enacted in 1995), and the Department of Commerce is apparently keen on the global harmonization agenda. The FTC has successfully teamed up with international agencies to fight spam, and Canada has enacted a more technology-neutral anti-spam law. We continue to see the adoption of data protection laws (in countries previously lacking any such laws) and the adoption of data breach notification requirements (in countries already having some sort of data protection laws).

Other notable developing issues for 2011 include: (i) the proliferation of app providers in the data-rich, geolocational, and highly personalized mobile environment (currently subject to relatively little privacy control and oversight); and (ii) farther down the road (but not too far), significant development of the "smart [power] grid" (another massive network, separate from the Internet) replete with highly-personal, incredibly detailed, real-time information about our daily lives.
________________________________________

As we enter the New Year, a few fundamentals bear repeating.

• Inward-facing practices must at least match outward-facing assurances.
• The cornerstone of a privacy compliance program is a good personal information inventory.
• Remember that responsibility for data covers all aspects of data handling, including data disposal.
• Privacy awareness is key.
• Be prepared to produce a comprehensive written information security program, and to demonstrate appropriate contractual provisions and risk-management with respect to personal information-handling service providers.

… And have a good thing to say. Yes, mistakes will occur. But you will be in a much better place if you can demonstrate that an error was made despite the exercise of reasonable care, rather than because of a lack of it.