California Attorney General Kamala Harris has sued Kaiser Foundation Health Plan over what she considers a too-slow data breach notification. California’s breach notification law requires notification of affected individuals “in the most expedient time possible and without unreasonable delay.” Kaiser notified individuals of the breach in March 2012, but California alleges in its complaint that Kaiser had sufficient information to notify between December 2011 and February 2012.
A recent settlement with the US Department of Health and Human Services Office of Civil Rights (OCR) demonstrates the importance of privacy and security policies, even when no other violations of regulations occur. APDerm, a Massachusetts-based dermatology practice, agreed to pay $150,000 to settle claims that it violated HIPAA and HITECH regulations by failing to have breach notification policies and procedures in place.
OCR began an investigation of APDerm after receiving a report of a lost USB thumb drive that may have included the PHI of up to 2,200 individuals. Although OCR uncovered no evidence of actual harm or that the PHI had been accessed, and APDerm had notified potentially affected individuals in a timely manner, APDerm lacked written policies and procedures implementing the notification rule and had not trained workforce members on it, among other alleged HIPAA violations.
Last week, the FTC announced that it had settled with a gaming company that falsely claimed to be certified under the US Safe Harbor. The Safe Harbor agreement is a self-certification arrangement under which you can transfer personal data from Europe to the US without “tripping up” on the EU data export prohibition. It is a critical plank in the platform for global companies who need to transfer personal data across borders. Think about how many companies operate globally or who use cloud-based storage solutions and you can see how important it is to be able to transfer data internationally in a legally compliant manner.
Are we seeing a new pattern of enforcement?
Only last month, the FTC announced enforcement action against 12 companies who also falsely claimed to be Safe Harbor certified. So this is starting to look like a deliberate move to be more proactive on Safe Harbor infringers. This has mostly been for failure to certify. Annual re-certification is required under the Safe Harbor for it to be valid. By the way, failing to hold a current certification doesn’t mean that you are guilty of any actual privacy law breach. So the companies had not suffered a data leak or hack and were not, necessarily, guilty of ignoring any individual rights in relation to privacy. Perhaps this is a sign of a new willingness to take enforcement action.
Why are we seeing additional privacy enforcement?
If you ask the FTC, they will tell you that enforcement of the Safe Harbor is a top priority and should send a signal to companies that they cannot pretend to be in the program when this is not the case. But there may be a political reason too. The recent Snowden revelations are still bubbling in Europe and elsewhere, and there is a real concern among European consumers that their data may be at risk if it is held in the US or by US companies. This is being stoked by the media and politicians, although it is not quite clear who is more to blame. One of the longstanding criticisms of the US position is that enforcement against companies falsely claiming to be Safe Harbor participants has been limited. So the FTC’s latest enforcement action takes this criticism head on. It also must be one of the most efficient ways to demonstrate a willingness to ensure companies are complying with the Safe Harbor without fighting long or complex disputes with alleged offenders. Failing to self-certify is a fairly binary issue and easy to prove.
Of course, if you were going to be cynical, you would probably compare and contrast the US FTC enforcement action with equivalent action taken by supervisory authorities in Europe in relation to unlawful data exports. While the EU supervisory authorities have been hot on many other enforcement issues, enforcement in relation to data exports has been pretty fragmented. Suddenly the FTC looks like a rather more effective enforcer of privacy rights than some of the EU supervisory authorities would like to admit. We are watching the FTC’s enforcement action and enthusiasm for Safe Harbor with great interest.
The privacy and security of personal information in mobile apps continues to be a hot topic. Data protection authorities, other oversight agencies, and self-regulatory bodies were busy in 2013 developing guidelines and conducting investigations.
On January 29, 2014, I had the pleasure of speaking to the Toronto Computer Lawyers Group about where we are and some thoughts about where we might be going. My slides from the presentation are below.
Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014. The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:
CRTC: spamming, traffic rerouting (altering transmission data without authorization); malware (installation of “computer programs” without consent)
Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)
Office of the Privacy Commissioner: harvesting (using computer system to collect addresses without consent); invasion of privacy (unauthorized access to computer system to collect personal information without consent).
On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC regarding the implementation of their mandates under CASL. The MOU is dated October 22, 2013.
Nature of the MOU
The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states. The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task. For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas. The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.
While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities. Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.
Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that “may potentially affect” the others’ interests under CASL.
Enforcement Cooperation, Coordination and Information Sharing
The agencies will consult with each other, and may share information related to their enforcement activities. Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another. The agencies will also coordinate involvement in information requests and arrangements with foreign agencies. Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.
Criminal Law Enforcement by the Commissioner of Competition
The Commissioner of Competition has authority to pursue enforcement activities under CASL’s criminal provisions. Under the MOU, the Commissioner is to notify the other agencies where a decision has been made to proceed on that front. That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.
Competing Interests and Confidentiality
The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act. This extends to sharing information. Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”. The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.
The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.