<strong>Tsibouris &amp; Associates Law Blog</strong> (the blog for Tsibouris &amp; Associates, LLC)<br /><br />
<strong>District Court Holds Blockbuster Arbitration Provision Unenforceable</strong> (May 16, 2009)<br /><br />
By Mehmet Munur<br /><br />
A District Court in Texas recently held Blockbuster’s website terms and conditions arbitration provision illusory, and therefore unenforceable, because Blockbuster retained the right to modify it unilaterally. The District Court cited established Texas precedent and noted that nothing in the website terms prevented the arbitration provision's retroactive application.<br /><br />
The plaintiff sued Blockbuster in connection with the controversial Facebook Beacon program and its integration with Blockbuster, alleging a violation of “the Video Privacy Protection Act, 18 U.S.C. § 2710, which prohibits a videotape service provider from disclosing personally identifiable information about a customer unless given informed, written consent at the time the disclosure is sought.” The plaintiffs argued, and the court held, that the arbitration provision was illusory and therefore unenforceable.<br /><br />
The District Court analyzed the <a href="http://www.blockbuster.com/corporate/termsAndConditions">Blockbuster Terms and Conditions</a> under Texas law. The terms and conditions state:<br /><br />
Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.<br /><br />
In finding this run-of-the-mill terms of use provision illusory, the court relied not on another business-to-consumer case, but on a Fifth Circuit case analyzing business-to-business agreements.<br /><br />
More specifically, the District Court relied on Morrison v. Amway, where the distributors had signed Amway’s standard distributorship agreement. Facing disputes relating to the calculation of profits, Amway instituted an arbitration provision and published it in its magazine as well as in other media sent to the distributors. Amway required that the distributors sign an acknowledgement form and send it back to Amway. Though all distributors renewed their agreements with Amway, two different groups sued Amway in federal as well as state court, both of which were stayed pending litigation. The arbitrator issued judgments and awards without opinions, and the district court confirmed these awards. The parties appealed their case to the Circuit Court.<br /><br />
The Circuit Court examined Amway’s arbitration policy to determine whether it was a valid agreement to arbitrate under Texas law. While the distributors had agreed to conduct their business according to Amway’s Code of Ethics, which would be amended from time to time, “the only express limitation on that unilateral right [was] published notice.” The Circuit Court was concerned that this unqualified right to amend the arbitration policy might apply to disputes arising before as well as after its publication. The Circuit Court held that this unqualified right to modify the Code of Ethics was unenforceable.<br /><br />
The Circuit Court relied on two Texas Supreme Court decisions. In one case, the Texas Supreme Court had concluded that application of the arbitration policy 10 days after reasonable notice would be enforceable. In another case, however, the Texas Supreme Court plainly stated that “if the defendant-employer retained the right to ‘unilaterally abolish or modify’ the arbitration program, then the agreement to arbitrate was illusory and not binding on the plaintiff-employee.”<br /><br />
The District Court, relying on Morrison v. Amway and the underlying Texas precedent, concluded that the Blockbuster arbitration provision was illusory. Based on this web of Texas Supreme Court, Circuit Court, and District Court opinions, companies using arbitration policies, whether in human resources policies, supplier agreements, or website terms of use, should qualify them. Such qualification should include at least a 10-day delayed application period and an explicit statement that makes the arbitration provisions applicable only to disputes arising after reasonable notice, to counter any argument that the contracts are illusory.<br /><br />
The cases are <a href="https://ecf.txnd.uscourts.gov/doc1/17714346839">Harris v. Blockbuster Inc., No. 09-217 (N.D. Texas Apr. 15, 2009)</a> and <a href="http://www.blogger.com/caselaw.findlaw.com/data2/circs/5th/0620138cv0p.pdf">Morrison v. Amway, 517 F.3d 248 (5th Cir. 2008)</a>.<br /><br />
<strong>FTC and HHS Issue Proposed Rules on Breach Notification</strong> (April 23, 2009)<br /><br />
By Mehmet Munur<br /><br />
Both the Federal Trade Commission and the Department of Health and Human Services issued proposed regulations last week to satisfy their obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was a part of the American Recovery and Reinvestment Act of 2009.
The FTC rules address the obligations of non-HIPAA covered entities, such as vendors of personal health records and third party service providers, while the HHS rules address the procedures required to secure protected health information. Affected entities should invest in technologies that prevent and detect breaches and also draft and implement policies to notify the appropriate parties when breaches do occur.<br /><br />
<strong>FTC Proposed Regulations</strong><br /><br />
While the FTC proposed regulations track the HITECH Act in many respects, they differ in others. The definitions of the terms business associate, HIPAA-covered entity, personal health record, PHR identifiable health information, vendor of personal health records, and unsecured stay substantially the same as under the HITECH Act. However, the FTC adds more substance around the concepts of third party service providers, the presumption of acquisition, notification of senior officials in vendors in the event of a breach, and discovery of data breaches.<br /><br />
While PHR related entities and third party service providers are non-HIPAA covered entities, they are, nevertheless, covered by the HITECH Act’s breach notification provisions enforced by the FTC. Third party service providers include “entities that provide billing or data storage services to vendors of personal health records or PHR related entities.” Such services certainly include the likes of Google Health and Microsoft HealthVault. Both services have been in the spotlight recently: Google Health recently signed up CVS, and HealthVault recently announced a partnership with the Mayo Clinic.<br /><br />
Due to the difficulty in determining whether access results in acquisition of data, the proposed FTC regulations enhance the definition of breach by adding language that creates a presumption of unauthorized acquisition where unauthorized access has taken place. However, the vendor or the PHR related entity may rebut this presumption where it “has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”<br /><br />
The proposed regulations also require entities to notify senior officials in vendors or PHR related entities and to obtain an acknowledgement in the event of a breach. The FTC also prevents entities from ignoring a breach by making the failure to reasonably ascertain a breach a violation of the regulations. On the other hand, the failure to discover a breach would not constitute a violation of the rules if the organization had strong breach detection measures in place and still failed to detect it. Therefore, breach detection is almost as important as breach notification under the proposed regulations.<br /><br />
The FTC expects the rules to affect about 900 entities and cost a total of $1 million for 11 breaches per year. The FTC appears to be concerned about some overlap between the FTC and the HHS regulations and is therefore seeking comments on the dual role of certain entities which would bring them under the scrutiny of both the FTC and the HHS. More detail on the proposed rules can be found at the <a href="http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf">FTC website</a>.<br /><br />
<strong>HHS Proposed Regulations</strong><br /><br />
The regulations proposed by the HHS mainly concern the definition of the term “unsecured” as it modifies “protected health information” under the HITECH Act. This term is crucial because notification is not necessary if the protected health information is secured.<br /><br />
If the Secretary had not issued timely guidance, the term “unsecured protected health information” would have meant “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).” Now that the HHS has proposed these regulations, protected health information will be considered secured if it is encrypted or destroyed. However, such encryption and destruction will have to abide by the strict requirements of the National Institute of Standards and Technology Special Publications on encrypting and destroying data.<br /><br />
The HHS relies on the existing HIPAA Security Rule for encryption and requires “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” where the keys for decryption have not been breached. However, as a new measure, the HHS issued an exhaustive list of NIST publications for encrypting data at rest and for encrypting data in motion. For example, NIST Special Publication <a href="http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf">800-111</a>, Guide to Storage Encryption Technologies for End User Devices, recommends that travelling laptops be secured using full-disk encryption and pre-boot authentication. HHS also requires that electronic media be cleared, purged, or destroyed consistent with NIST Special Publication <a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">800-88</a>, Guidelines for Media Sanitization, which requires that magnetic hard drives be purged using “<a href="http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml">Secure Erase</a>” or by degaussing, which renders them inoperable. The HHS is seeking public comments on the adequacy of some of these methods. More detail about the HHS proposed rules can be found at the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf">HHS website</a>.<br /><br />
The comment period for both sets of regulations will last until June, and the agencies should issue interim final rules by August, which may result in changes to the proposed regulations. In addition, Congress may create a federal breach notification law after it receives the joint FTC-HHS report on the entities the HITECH Act regulates. Nevertheless, both HIPAA covered entities and non-HIPAA covered entities should invest in technologies and policies to prevent data breaches that may affect their bottom lines through breach notification costs, regulatory fines, and tarnished brands.<br /><br />
<strong>Court Strikes Down Electronic Signature Due to Weak Security Procedures</strong> (March 23, 2009)<br /><br />
By Mehmet Munur<br /><br />
The US District Court in Kansas held on February 19, 2009 that the data security procedures Dillard’s Stores had created to authenticate the electronic signature its employees used to execute an arbitration policy were not sufficient. While the case may have turned on its particular facts, Dillard’s could have avoided such problems by abiding by ISO 17799 procedures in operating its electronic signature systems.<br /><br />
The plaintiff, Yolanda Kerr, successfully kept her claim in court because she disputed the formation of the arbitration agreement. In 2005, Dillard’s started requiring current and new employees to sign an electronic arbitration agreement through its intranet system.
In theory, Dillard’s associates executed their agreements using either a social security number or an associate identification number and a unique confidential password, followed by clicking an “I accept” button. The plaintiff refused to electronically sign the arbitration agreement for nearly six months despite alleged threats from supervisors and the store secretary that she would be fired if she failed to do so.<br /><br />
In April of 2006, the plaintiff missed a day of work. When she showed up for work on April 28, she told the store secretary that she had missed the day of work because she did not have access to the intranet site that contained her schedule. To give her access to the schedule, the secretary accompanied the plaintiff to a computer kiosk, reset her password to the default password, and demonstrated how to access the system. Then the store secretary took control of the computer again and navigated through various screens with the plaintiff beside her. The plaintiff alleged that the store secretary electronically signed the arbitration agreement at this point. After the interaction at the computer, the two left the break room together. Five minutes later, the system automatically sent the employee’s account an email confirming the execution of the arbitration agreement. The email stated that failure to reply to the email would be deemed agreement to the plaintiff’s electronic signature of the arbitration agreement. Someone opened the email but did not respond. Dillard’s later terminated the plaintiff for allegedly calling a supervisor a profane name. The plaintiff sued for discrimination, and Dillard’s attempted to compel arbitration in court.<br /><br />
In analyzing the electronic signature, the court concluded that Dillard’s failed its burden to show by a preponderance of the evidence that the plaintiff knowingly and intentionally executed the agreement, for two reasons. First, the court did not want to impute the electronic signature to the plaintiff due to the possibility, however minimal, that the store secretary may have fraudulently executed the agreement while the plaintiff was standing beside her. Second, the court held that Dillard’s did not have adequate security procedures in place to restrict unauthorized access to the execution of the arbitration agreement. While the record showed that the employees were at the kiosk on April 28, it did not show that the plaintiff was at the kiosk precisely at 3:26:20. In other words, Dillard’s failed to show that the username, the authentication, and the signature coincided with the employee’s log in. It is unclear whether Dillard’s systems lacked the capacity to log such information or whether Dillard’s simply failed to produce such evidence. Nevertheless, the two factors persuaded the court to hold that Dillard’s had not satisfied its obligation to show that there was an enforceable arbitration agreement.<br /><br />
In sum, Dillard’s electronic signature system failed for two reasons: the system failed to log associates’ access to the system, and the system did not require that associates change their default passwords immediately. In fact, both practices are recommended by ISO 17799, Information technology – Security techniques – Code of practice for information security management. ISO Section 10.10.1 Audit Logging requires that “[a]udit logs recording user activities, exceptions, and information security events should be produced and kept” and include “dates, times, and details of key events, e.g. log-on and log-off.” Arguably, the formation of a legally binding agreement that compelled arbitration is such an event. Furthermore, ISO Section 11.2.3 User Password Management requires that “when users are required to maintain their own passwords they should be provided initially with a secure temporary password . . . , which they are forced to change immediately.” Here, it appears that Dillard’s system continued to operate and allowed either the plaintiff or the store secretary to electronically sign the arbitration agreement. Implementing both of these procedures would have greatly helped Dillard’s satisfy its burden. However, it is unlikely that ISO 17799 alone would have prevented Dillard’s store secretary from fraudulently executing the arbitration agreement, whether by using the default password or by using the plaintiff’s username while she stood by her side.<br /><br />
Unfortunately, the court was not too impressed with the security procedures that Dillard’s already had in place, because they were violated. For example, associates were prohibited from sharing passwords, and supervisors could only log into an associate’s account if they reset its password to the default password. Dillard’s also posted notices regarding the confidentiality of passwords. Nonetheless, the two employees, in effect, shared a username and password, and the authentication failed because the system could not keep track of the actual person who signed the agreement. Such user failures, combined with weak logging and password features, resulted in the failure of the electronic signature.<br /><br />
The case is similar to <a href="http://pacer.mad.uscourts.gov/dc/opinions/gertner/pdf/campbell.pdf">Campbell v. General Dynamics, No. 03-11848-NG (D. Mass. June 3, 2004)</a>, where the court held that the employer could not prove an employee’s acceptance of an arbitration policy simply by sending a link to the policy in an email. There, General Dynamics proved that the employee had opened the email but could not show that he had indeed clicked on the link or agreed in any other way. Furthermore, that email did not even mention the importance of the arbitration policy until its fifth paragraph. The court noted that General Dynamics could have required the plaintiff to signify his acceptance by a return email stating that he had read the email and accepted the conditions of the arbitration policy. In sum, the employers in both Campbell and Kerr failed to successfully use the technology they had available to them.<br /><br />
This case should set a good example for all employers using electronic signatures for policies. IT, HR, and Legal Departments may need to collaborate to ensure that established security procedures such as ISO 17799 are used for a variety of issues including authentication, accurate system audit logs, and password resets. Moreover, all industries depending on electronic signatures should focus on security procedures to preempt the argument that the electronic signatures they collect do not in fact belong to their system users.<br /><br />
The case is <a href="https://ecf.ksd.uscourts.gov/cgi-bin/show_public_doc?2007cv2604-103">Kerr v. Dillard Store Services, Inc., No. 07-2604-KHV (D. Kan. Feb. 17, 2009)</a>.<br /><br />
<strong>Stimulus Bill Requires Data Breach Notification Under HIPAA and Signals Broader Enforcement</strong> (February 27, 2009)<br /><br />
By Mehmet Munur<br /><br />
The American Recovery and Reinvestment Act that President Obama signed into law on February 17, 2009 includes wide reaching data breach notification provisions for entities covered by the Health Insurance Portability and Accountability Act and for organizations servicing those entities. It also has privacy provisions related to sales of protected health information, marketing, fines, and enforcement.
The Act is likely to increase joint enforcement activities by the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights. Such enforcement will likely result in settlements similar to the CVS settlement on February 18, 2009 that arose out of improper disposal of protected health information.<br /><br /><strong>I. Data Breach Notification<br /></strong><br />The Act places notification obligations on covered entities, business associates, and vendors of personal health records for breaches of protected health information as well as required updates to contracts between covered entities and business associates.<br /><br /><strong>A. Covered Entities</strong><br /><br />Generally speaking and without using the defined terms of the Act, an entity’s duty to notify arises when it has a breach involving unencrypted personal health information that it processes. The entity must then notify, the individual, the media, and the Secretary of the DHHS within 60 days of finding out about the breach, so long as the law enforcement exception does not apply. In creating these obligations, the Act defines the terms breach, electronic health record, personal health record, and vendors, but retains the earlier definitions of covered entities and business associates from HIPAA. The Act and the obligation to notify will likely become effective for breaches discovered 210 days from its enactment.<br /><br />A breach is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The term has several narrow exceptions related to inadvertent disclosures to authorized users. 
Most importantly, a breach is deemed to have been discovered on the first date on which it is known or reasonably should have been known to have occurred.<br /><br />Covered entities still refer to health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form. Processing, while not a term used in the language of the Act, includes access, maintenance, retention, modification, storage, destruction, using, or disclosing.<br /><br />Unencrypted personal health information refers to the defined term unsecured protected healthcare information. The portion of term referring to protected healthcare information retains its definition under HIPAA and means individually identifiable health information that is either transmitted by electronic media or maintained in electronic media, or both. Unsecured, on the other hand has two meanings. The Secretary should issue guidance specifying the technologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals within 60 days. If he does not, then that technology will be a technology developed or endorsed by the American National Standards Institute. Though the Act does not specify that technology, it will probably be the Advanced Encryption Standard used by the Federal government for sensitive documents. <br /><br />Notification takes 3 forms: individual, media, and the DHHS. Notification must be made without unreasonable delay and within 60 days after its discovery. However, the law enforcement exception can delay such notification if the entity receives and documents a written or oral statement from the DHHS. The burden to prove that the notification was performed according to the Act lies with the covered entity.<br /><br />Entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the entity to have been accessed, acquired, or disclosed during the breach. 
This individual notice may be by first class mail at the last known address of the individual or by email if that is the preference of the individual. If the entity has more than 10 individuals with insufficient or out of date contact information, then it is required to place a conspicuous post on its web page or notice in major print or broadcast media for a period of time that the Secretary specifies. The entity may also notify by phone due to possible imminent misuse of the information. <br /><br />The entity must notify prominent media outlets serving a state or jurisdiction if the information of more than 500 residents are reasonably believed to have been subject to the breach. The entity must also notify the Secretary. If the breach involves more than 500 individuals, the entity must notify immediately, whereas breaches involving less than 500 individuals may be submitted in an annual log. The Secretary is then required to post breaches involving more than 500 individuals on its website. <br /><br />The Act delineates the contents of the notifications. They must include a brief description of the events, the date of the events, a description of the types of information involved, the steps the individuals should take to protect themselves from any harm that may result, and procedures for contacting the entity through a toll-free phone number, email address, or website. <br /><br />The Secretary must also pass interim final regulations on breach notification within 180 days. These regulations will apply to breaches discovered after 30 days after their enactment. These regulations will certainly require covered entities to craft breach response procedures and implement them promptly.<br /><br /><strong>B. Business Associates</strong><br /><br />Business associates that service covered entities under HIPAA have an obligation to notify the covered entities in the event of a breach. 
Business associates are now also subject to the same security procedures that covered entities are under HIPAA and these requirements must also be incorporated in their agreements. <br /><br />The definition of a business associate has not changed with the Act. Business associates still refer to persons that perform or assist any activity involving the use or disclosure of individually identifiable health information or persons performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity. The Act states that the business associates need to notify the covered entities who must then notify the individuals. However, the requirements related to timeliness and the discovery of the breach are the same.<br /><br />Covered entities will need to amend their contracts with business associates to reflect the provisions of the Act. These amendments must include administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements promulgated by the DHHS. Business associates that receive protected health information may be subject to fines for wrongful disclosures of protected health information. Prior to the Act, HIPAA only made business associates liable to the covered entity for contract breaches.<br /><br />The Act also contains a whistle blowing provision for business entities and the covered entities they serve. Prior HIPAA regulations stated that a covered entity was non-compliant if it knew of a business associate’s activity that constituted a material breach of the associate’s contractual obligations and did not take reasonable steps to cure them. If the business associate did not cure the problems, the covered entity was required to terminate the contract or, if that was not feasible, inform the secretary. 
Now, the Act requires that business entities have the same whistle blowing responsibility towards the covered entities they service. Failure to do so is a violation of the Act.<br /> <br /><strong>C. Vendors and Non-HIPAA Covered Entities</strong><br /><br />The breach notification standards also apply to a new kind of entity called vendors under the Act. These are entities other than covered entities that offer or maintain personal health records. A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Google Health and Microsoft HealthVault are examples of such entities.<br /><br />A vendor’s obligations under the Act are similar to the covered entities’ and business associates’ responsibilities. Vendors must notify individuals and the Federal Trade Commission, instead of the DHHS, of data breaches. The FTC then notifies the DHHS. The methods and timeliness of these disclosures and the definitions of breach and unsecured protected health information are almost identical to the methods and timeliness that covered entities. Violation of this duty to notify is considered an unfair and deceptive trade practice under the FTC Act. Third party services providers that service vendors have an obligation to notify their vendors of any breaches they experience, as well.<br /><br />The FTC is required to pass regulations related to vendors covered under the Act within 180 days. If, however, Congress passes breach notification laws that directly apply to vendors, then the breach notification provisions of the Act will be overridden. While this provision may be good housekeeping to prevent dual breach notification laws for vendors, it may also be a sign of further breach notification legislation to come from Congress.<br /><br /><strong>II. 
Marketing, Sale of Protected Healthcare Information, and the Minimum Necessary Standard</strong><br /><br />The Act has several provisions that restrict marketing activities and create greater privacy protections for individuals. Covered entities will need to revise their privacy practices to accommodate their new responsibilities.<br /><br />The Act reduces the amount of marketing activities allowed under HIPAA. Communication by covered entities or business associates that is about a product or service and that encourages recipients to purchase or use the product or service are not considered a health care operation under HIPAA unless they are made 1) to describe a health-related product or service, 2) for treatment of the individual, or 3) for case management or care coordination for the individual. If, however, the covered entity or business associate receives direct or indirect payment in exchange for the communication, then the communication is considered marketing. On the other hand, such a communications will still be considered to be a healthcare operation if it describes a drug that the recipient is using and the payment received is reasonable. The Secretary is charged with defining the amount of reasonable compensation through regulations. However, such communication must still be made with a valid authorization. The Act also prohibits the sale of protected health information without a valid authorization. The regulations for these authorization do not change under the Act.<br /><br />The Act now makes it mandatory to comply with an individual’s request that the entity restrict the use and disclosure of protected health information about the individual to carrying out treatment, payment, or healthcare operations. Prior HIPAA regulations did not require covered entities to agree to such restrictions.<br /><br />Individuals also have the right to access protected health information in electronic format if the entity maintains that information. 
The fee for such access cannot exceed the labor cost of responding to the request.<br /><br />Under HIPAA, an entity was required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of that information. The Act further reduces the amount of data in circulation by requiring the Secretary to promulgate regulations based on the limited data set concept, which excludes identifiers such as names, addresses, social security numbers, email addresses, and similar information to the extent practicable. Such changes will certainly require that covered entities revisit their privacy practices.<br /><br /><strong>III. Fines and Enforcement</strong><br /><br />The Act also promotes enhanced enforcement through required fines and investigations.<br /><br />Violations due to willful neglect now require a fine by the Secretary. Furthermore, the Secretary now has an obligation to investigate any complaint of a violation of the Act if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect. Most importantly, the Act requires that any civil monetary fine or settlement fund collected relating to privacy and security be transferred to the Office for Civil Rights of the DHHS. This provision will likely create a positive feedback loop in which enforcement results in fines and settlements that give the OCR more funds to carry out more investigations. Additionally, individuals harmed by such breaches may also receive a percentage of the funds received by the OCR, but this amount will be determined three years from the date of enactment. The Act also creates four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 for each violation and not to exceed $25,000 to $1,500,000 during a calendar year.
These fines are effective immediately.<br /><br />The law can also be enforced by the State Attorneys General. If there is reason to believe that the interests of one or more of the residents of the State are or could be threatened, then the AGs may bring an action in federal district court. The courts can, in their discretion, award attorneys’ fees to the AGs that bring actions in federal district courts. However, such state action is limited to circumstances where the Secretary is not already bringing an action. Considering the availability of attorneys’ fees and the public record of breaches, it is likely that this provision will increase enforcement in cases where the FTC or the DHHS decline enforcement.<br /><br /><strong>IV. Joint Enforcement and CVS’s $2.25 million DHHS Fine</strong><br /><br />The day after the Act was signed into law, the FTC and the DHHS announced separate settlements with the nationwide pharmacy chain CVS arising out of improper disposal of sensitive personal information. The settlement is significant because it is the first joint investigation by the FTC and the DHHS, involves a health provider, and involves employee data. Moreover, due to the language of the Act and the cooperation required between the two organizations, it is likely to be a sign of more joint investigations to come.<br /><br />According to the FTC complaint, during 2006 and 2007 television stations found evidence of CVS’s disposal of names, addresses, dates of birth, bank account numbers, physicians’ names, insurance account numbers, and other personal information in unsecured dumpsters in at least 15 cities. Seizing on CVS’s statements that “nothing is more central to our operations than maintaining the privacy of your health information” and that CVS took “this responsibility very seriously,” the FTC argued that CVS’s representations in its notice of privacy practices were false and misleading and likely to cause substantial injury to consumers, and therefore an unfair act or practice.
As a result, CVS settled with the FTC and the DHHS in separate settlement agreements.<br /><br />The FTC settlement is very similar to the other settlements that the FTC reached with ChoicePoint, DSW, and TJ Maxx. CVS must create a comprehensive information security program, designate an accountable employee for that program, identify risks, and receive third-party assessments of its security procedures for the next 20 years. It is the 24th FTC case that challenges a company’s failure to implement reasonable information security practices.<br /><br />The DHHS settlement is similar but probably more significant. Under the resolution agreement with the OCR, CVS agreed to pay $2.25 million and implement a robust corrective action plan that includes safeguards for disposal, employee training, and employee sanctions for noncompliance. CVS must comply with this action plan for the next three years, followed by the FTC settlement’s two-decade-long program. The DHHS Office for Civil Rights press release on the resolution agreement highlights the OCR’s intention to make an example of CVS and its “commitment to strong enforcement of HIPAA Privacy Rule . . . [intended to] spur other health organizations to examine and improve their privacy protections.” The DHHS settlement is the second of its kind. The previous resolution agreement was with Providence Health Information for $100,000. While the OCR conducts investigations and allows entities to correct HIPAA problems, it had not previously issued fines of this magnitude.<br /><br />Vendor breach notifications under the Act will likely spur closer cooperation between the two agencies. OCR’s new obligation to assess fines, its obligation to conduct investigations in certain cases, and its ability to keep the fines it issues will result in OCR having more resources and incentives to enforce the law. This positive feedback loop will likely result in the FTC and the OCR enforcing the requirements of HIPAA and publicizing their enforcement in the future.
Therefore, the CVS settlement should provide an incentive for entities of all sizes to satisfy not only their current HIPAA obligations but also their future breach notification requirements.<br /><br /><strong>V. Conclusion</strong><br /><br />The Recovery and Reinvestment Act creates broad data breach notification requirements for covered entities, business associates, and vendors on a federal level under HIPAA. These entities will need to abide by the regulations that the Secretary of the DHHS will promulgate in the next six months. Further, they will need to abide by the breach notification rules or face fines and settlements by both the FTC and the OCR. Therefore, affected organizations should act quickly to update their breach response plans, revise their privacy policies, stop sales of protected health information without appropriate authorization, and update business associate agreements.<br /><br /><strong>Heartland Payment Systems Loses Credit Card Data to Malware</strong> (posted 2009-02-02)<br /><em>By Mehmet Munur<br /></em><br />Heartland Payment Systems, <a href="http://idea.sec.gov/Archives/edgar/data/1144354/000119312508051380/d10k.htm">the 6th largest card acquirer in the United States</a> with a processing volume of $51.9 billion, reported that its “<a href="http://idea.sec.gov/Archives/edgar/data/1144354/000136231009000509/c79618exv99w1.htm">investigation uncovered malicious software that compromised data that crossed Heartland’s network.</a>” This data breach is disconcerting because consumers may be unable to pin down the source of fraudulent transactions and also because Heartland was a <a href="https://www.pcisecuritystandards.org/index.shtml">Payment Card Industry Data Security Standard</a> compliant acquirer. Heartland will likely be subject to liability from consumers, investors, and the FTC.<br /><br />Heartland’s data breach may have revealed close to 100 million card numbers. It appears that malicious software within Heartland’s network collected the data on the magnetic stripes of credit and debit cards. Heartland believes that security codes and sensitive data, such as driver license numbers or social security numbers, are not a part of the data breach; therefore, the risk of identity theft is minimal. However, the risk of financial loss still exists due to the possibility of placing the magnetic stripe information involved in the data breach on another card and using that card fraudulently. Considering that Heartland services all types of merchants, the largest risk to consumers is that such fraudulent transactions could come from any source, and consumers have no way of identifying whether any of their cards was involved in the breach.<br /><br />Another disturbing point for both consumers and corporations is that Heartland was a PCI DSS compliant acquirer. According to its <a href="http://idea.sec.gov/Archives/edgar/data/1144354/000119312508051380/0001193125-08-051380-index.idea.htm">2008 10-K</a>, Heartland “maintain[ed] current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test [its] systems for vulnerability to unauthorized access.” Furthermore, Heartland encrypted the data stored in its databases but not the data in transit across its network. Heartland’s assumption was that its network was secure. As a result of the breach, Heartland’s listing in Visa’s Cardholder Information Security Program <a href="http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf">is now under review</a>.
To remedy the situation, Heartland <a href="http://www.snl.com/irweblinkx/file.aspx?IID=4094417&FID=7261934">announced</a> that it would begin encrypting cardholder data throughout its network.<br /><br />However, encryption is not the silver bullet that will save Heartland—or another acquirer—in the future. PCI-DSS requires that cardholder data be encrypted while crossing public networks and when it is stored, but it does not require that data be encrypted while crossing an acquirer’s internal network. Moreover, this data must be decrypted at some point in order for it to be processed. Furthermore, due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point. Instead, companies that thrive on data processing must approach data security with comprehensive processes—such as ISO 27002. This is not to say that PCI-DSS is inadequate. Considering that the 6th requirement of PCI-DSS is the development and maintenance of secure systems and applications, it appears that it was Heartland’s implementation of PCI-DSS that failed—not PCI-DSS itself.<br /><br />Heartland may be subject to legal liability from consumers, the Federal Trade Commission, and investors. A week after the breach, Heartland is already <a href="http://information-security-resources.com/2009/01/28/class-action-filed-for-heartland-data-breach/">facing a class action lawsuit</a>. <a href="http://www.tjxsettlement.com/">TJ Maxx recently settled</a> a similar class action lawsuit arising out of its data breach using its reserve of <a href="http://idea.sec.gov/Archives/edgar/data/109198/000095013508001961/b68114tje10vk.htm">$178 million</a>. Such a class action lawsuit may prove costly for Heartland as well.<br /><br />TJ Maxx did not have to pay a fine to the <a href="http://www.ftc.gov/opa/2008/03/datasec.shtm">Federal Trade Commission</a>. Heartland may be lucky enough to avoid fines from the FTC, as well.
Yet, similar to TJ Maxx’s FTC settlement, Heartland may be subject to third-party audits as a part of a compliance program for the next 20 years. Heartland may also be able to avoid a lawsuit from its investors. While Heartland’s <a href="http://finance.google.com/finance?q=NYSE%3AHPY">stock price has declined from about $18 to $8</a> [1] since the breach became public, it appears to have made the appropriate disclosures as a part of the risk factors in its 10-K:<br /><br /><span style="font-size:85%;"><strong>Unauthorized disclosure of merchant and cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.<br /></strong></span><br /><span style="font-size:85%;">Our computer systems could be penetrated by hackers and our encryption of data may not prevent unauthorized use. In this event, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or other similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the Visa and MasterCard networks. </span><br /><br />In sum, corporations like Heartland that make their money through processing personal data should invest in data protection using comprehensive processes, especially if the loss of that data may result in financial liability.
Such comprehensive processes are likely to better protect corporations and their customers against data breaches.<br /><br />[1] The connection between data breaches and stock price declines has been the subject of <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1121172">several studies</a> since the ChoicePoint data breach.<br /><br /><strong>Article 29 Working Party Releases 11th Annual Report</strong> (posted 2009-01-23)<br /><em>By Mehmet Munur</em><br /><br />On January 21, 2009, the Article 29 Working Party released its <a href="http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en.htm">11th Annual Report on Data Protection</a>. The report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of Euros, some criminal prosecutions, and concerns over the liberal use of electronic discovery in US litigation involving EU subsidiaries.<br /><br />While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing, such as electronic healthcare, law enforcement, employment, the financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying retention periods set by local legislation.<br /><br />The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in previous years.<br /><br />The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year,” resulting in fines of 19.6 million Euros—an average of nearly €50,000.
Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”<br /><br />The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish, stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”<br /><br />The French DPA reiterated its penalty and audit powers, stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.<br /><br />The French DPA also voiced its concerns over US data retention and electronic discovery rules, stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but also about discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.<br /><br />The Italian DPA also enhanced its inspection activities in 2007.
Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases for criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.<br /><br />In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.<br /><br /><strong>US-Swiss Safe Harbor Framework Signed</strong> (posted 2009-01-22)<br /><em>By Mehmet Munur</em><br /><br />On December 9, 2008, the Swiss Federal Data Protection and Information Commissioner and the Department of Commerce <a href="http://www.news-service.admin.ch/NSBSubscriber/message/en/23809">signed “an exchange of letters”</a> to create the “US-Swiss Safe Harbor Framework.” As a result, multinational corporations certified under the Department of Commerce Safe Harbor program are now able to transfer data from Switzerland to the US more conveniently.<br /><br />The <a href="http://www.admin.ch/ch/e/rs/2/235.1.en.pdf">Swiss Federal Data Protection Act</a> operates similarly to the <a href="http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm">95/46/EC Data Protection Directive</a>. Article 6 of the Swiss Act prohibits data exports in the absence of adequate guarantees, similar to Article 25 of the Directive. Since the US, without the Safe Harbor, does not offer adequate protection for personal data, companies were forced to rely on exceptions under Article 6 for data transfers, such as standard contractual clauses approved by the Data Protection Commissioner of Switzerland. Companies can now self-certify at the Department of Commerce website for transfers of personal data from Switzerland, in addition to transfers from European Economic Area countries.<br /><br /><strong>US Supreme Court to Review Whether States Can Enforce Antidiscrimination Laws against Federally Chartered Banks</strong> (posted 2009-01-19)<br /><em>By Dino Tsibouris</em><br /><br />The US Supreme Court will consider whether the New York Attorney General can enforce antidiscrimination laws against federally chartered banks. In The Clearing House Assoc., LLC v. Cuomo, 510 F.3d 105 (2d Cir. 2007), the New York-based Second Circuit Court of Appeals upheld the OCC's position that a state may not request or subpoena information relating to potential lending discrimination from such banks. Opinion at:<br /><br /><a href="http://www.occ.treas.gov/law/OCCvCuomo.pdf">http://www.occ.treas.gov/law/OCCvCuomo.pdf</a><br /><br />Originally, Eliot Spitzer started a probe to determine if banks were charging higher rates to minority applicants.
As Attorney General Cuomo continued the investigation, the court ruled that national bank regulation is a matter of federal law and that Congress left no role for the states.<br /><br />The court could hear arguments and decide the case by the end of its term in late June. The case is Cuomo v. Clearing House Association, 08-453, at:<br /><br /><a href="http://www.supremecourtus.gov/docket/08-453.htm">http://www.supremecourtus.gov/docket/08-453.htm</a><br /><br />All federally chartered lenders and their service providers should watch this closely.<br /><br /><strong>ABA: Boutique Law Firms Make Inroads During the Downturn</strong> (posted 2009-01-16)<br /><em>By Dino Tsibouris</em><br /><br />The ABA Journal and New York Law Journal have interesting stories about how the downturn in work at large law firms has opened doors for small firms that offer specialized expertise at competitive rates. The article focuses on the New York market, but the factors apply in any legal market:<br /><br /><blockquote><p><em>Despite the struggling economy and Wall Street layoffs, some small law firms in New York are seeing their business boom.</em><br /><br /><em>Among the reasons why are the significantly lower hourly rates charged by these law boutiques and a growing number of small businesses being launched by laid-off workers that need legal services, reports the </em><a title="New York Law Journal" href="http://www.nylawyer.com/display.php/file=/news/09/01/011409g"><em>New York Law Journal</em></a><em>. Its article is reprinted by New York Lawyer (reg. req.).</em><br /></p><p><a href="http://www.abajournal.com/weekly/business_booms_at_some_small_firms_perhaps_thanks_to_lower_fees/">http://www.abajournal.com/weekly/business_booms_at_some_small_firms_perhaps_thanks_to_lower_fees/</a></p></blockquote><br /><br /><strong>Federal Rule of Evidence 502: Protecting Against the Inadvertent Waiver of the Attorney-Client Privilege</strong> (posted 2008-11-11)<br /><em>By Kelly Prior, Esq.</em><br /><br />President Bush recently signed a bill creating new Federal Rule of Evidence 502, which addresses the disclosure of communications and information protected by either the attorney-client privilege or the work-product doctrine. The purpose of FRE 502 is two-fold: 1) to resolve the conflicts which have arisen between courts in the area of inadvertent disclosure and subject matter waiver; and 2) to bring some measure of control over spiraling discovery costs that are due in part to the concern that any disclosure, however small or unintentional, will result in the subject matter waiver of all protected communications and information. The Rule provides several protections, as follows:<br /><br />Subsection (a) applies to disclosures which are made in a federal proceeding or to a federal office or agency. When a disclosure is made in that context and the privilege or protection is waived, the waiver will only apply to undisclosed communications or information when the waiver is intentional, the same subject matter is involved, and “fairness” dictates that the disclosed and undisclosed communications or information be considered together.
Thus, subject matter waiver is reserved for those cases where a party intentionally produces protected information in a selective, misleading and unfair manner.<br /><br />Subsection (b) applies to inadvertent disclosures which are made in a federal proceeding or to a federal office or agency. In such cases, the inadvertent disclosure does not constitute a waiver if the holder of the privilege or protection took “reasonable steps” to both prevent the disclosure and to rectify the error.<br /><br />Subsection (c) addresses the difficulties which often arise when the disclosure of protected communication or information is made in a state proceeding, the communication or information then becomes part of a federal proceeding on the grounds that the disclosure constituted a waiver, and there is a conflict between the state and federal laws as to whether a waiver occurred. Rule 502(c) instructs the federal court to apply the most protective law as between the two.<br /><br />Subsection (d) provides that the terms of confidentiality orders (pertaining to the disclosure of privileged or protected communication or information) entered into in federal proceedings are enforceable against non-parties in any state or federal proceeding.<br /><br />Subsection (e) makes it clear that while the parties in a federal proceeding may enter into a binding agreement to limit the effect of waiver by disclosure between themselves, such an agreement is not binding on non-parties. 
The agreement must be made part of a court order in order for it to bind non-parties.<br /><br />It will be interesting to see over the next few years how effective the new rule is in preserving attorney-client privilege and work product protections and in reducing discovery costs.<br /><br /><strong>Google Updates IP Address Log Retention Policy</strong> (posted 2008-11-10)<br /><p><em>By Dino Tsibouris & Mehmet Munur</em></p><p>On September 8, 2008, Google <a href="http://googleblog.blogspot.com/2008/09/another-step-to-protect-user-privacy.html">announced</a> that it will reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last, that Google has had to amend its IP log retention period in order to comply with European regulators’ strict policies.<br /><br />In June of 2007, <a href="http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html">Google had to reduce</a> the amount of time it retained distinct IP addresses from 24 months to 18 months due to pressure from the EU Article 29 Data Protection Working Party. After 18 months, Google anonymized its IP logs by replacing the last byte of the IP address with hash marks (for example 216.54.106.###).
Then, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”<br /><br />This recent change in IP log retention policy is certainly in part due to the Working Party’s <a href="http://www.cbpweb.nl/downloads_int/Opinie%20WP29%20zoekmachines.pdf">Opinion on Data Protection Issues Related to Search Engines</a>, released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working Party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.<br /><br />Before issuing this opinion, the Working Party sent questionnaires to many search engines. Undoubtedly, Google was one of the search engines that received a questionnaire. Google must have predicted that the Working Party would issue an opinion on IP addresses and cookie use as a result of this questionnaire. Google probably provided all the justifications that it could, but the Working Party was not satisfied.
Considering that the Working Party concluded that logs should be retained for 6 months—not 9—Google either has a better justification, or another revision to its privacy policy awaits Google in the near future.<br /><br />Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”<br /><br />Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and the anonymization used after 9 months are different methods. Considering that the Working Party is not satisfied with the first method under all circumstances, the Working Party may arguably not be satisfied with the new method, either.<br /><br />One reason for this continuous disagreement over Google’s privacy policy may be how Google and the European regulators think about privacy. IP address logs are an invaluable source of competitive information for Google; therefore, it would like to retain them unless they are shown to be personal data. In other words, presume the data to be non-personal unless proven otherwise.
To support this view, Peter Fleischer, Google’s Global Privacy Counsel, argued in <a href="http://bits.blogs.nytimes.com/2008/02/24/ip-address-partially-personal-information/">NY Times Bits</a> and in <a href="http://peterfleischer.blogspot.com/2008/02/can-website-identify-user-based-on-ip.html">his own blog</a> that he did not think that IP addresses were private data under all circumstances. Both Mr. Fleischer and a Google engineer stressed that IP addresses did not always return to a unique individual but could be shared among many users.<br /><br />The Working Party disagreed. The Working Party opinion stated that “[an] increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding-scale approach to IP address privacy while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions for Google’s IP address logs.<br /><br />Certainly, Google appears to be taking a serious approach to privacy by creating the <a href="http://www.youtube.com/googleprivacy">Google Privacy Channel</a> on YouTube, and drafting reader-friendly <a href="http://www.google.com/intl/en/privacypolicy.html">Terms of Use</a>. Despite all its efforts, Google’s actions are likely to stay in the spotlight for some time to come. 
One cannot expect Google to give up so easily on IP address logs that allow Google to provide better services and get the upper hand on its competitors.</p>Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-57992648539087269232008-10-06T12:12:00.002-04:002008-10-06T12:20:46.163-04:00Best Lawyers in America - 2009<span style="color: rgb(51, 0, 51);font-family:georgia;" lang="en-us">Dino Tsibouris of Tsibouris & Associates, LLC was recently selected to be included in the 2009 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 1.8 million evaluations and votes cast by the top attorneys in the country. 
To read more about the selection process, <a href="http://www.bestlawyers.com/aboutus/selectionprocess.aspx">click here</a>.<br /></span>Laura Padgitthttp://www.blogger.com/profile/03986137147128182035noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-84226311624478552792008-08-09T10:58:00.001-04:002008-08-09T10:59:51.947-04:00Recent 9th Circuit Ruling Highlights the Importance of Employee Policies Regarding Electronic CommunicationsBy Dino Tsibouris & Mehmet Munur<br /><br />The 9th Circuit Court recently ruled that the unauthorized search of employee text messages on an employer-provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy. The case demonstrates the need to revise some of the nation’s privacy laws as well as the attention employers need to pay to the drafting and enforcement of their privacy policies.<br /><br />The case arose from the Ontario Police Department’s review of text messages by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make it more efficient for dispatchers. In October 2001, the city contracted Arch Wireless to provide the service and each pager was allotted 25,000 characters per month. When Quon and others went over the allotted character limit, they paid for their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related. 
<br /><br />Then in August 2002, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal use. To this end, city officials requested the transcripts from Arch Wireless, which sent the transcripts to the City after determining from its records that the pagers actually belonged to the City. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.<br /><br />As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communications Act (“SCA”) and the Fourth Amendment, among others. The district court dismissed the claims against Arch Wireless under the SCA but decided that the Fourth Amendment claims should go to a jury. The district court ruled against the plaintiffs on the SCA claim, concluding that Arch Wireless was a Remote Computing Service (“RCS”) under the SCA instead of an Electronic Communication Service (“ECS”). Arch Wireless, as an RCS, could release transcripts of the text messages without the consent of the subscriber. Under the facts of this case, the City was the subscriber and had consented to the release of the transcripts. Therefore, Arch Wireless could not be liable. The 9th Circuit disagreed. Arch Wireless was an ECS, and it required the consent of the addressee or the intended recipient in order to disclose the transcripts, neither of which it had obtained. The 9th Circuit reversed the district court on the SCA claim.<br /><br />Both courts had to interpret the archaic and convoluted language of the SCA that Congress passed as a part of the Electronic Communications Privacy Act of 1986 (“ECPA”). Neither text messages nor emails were in existence at the time. 
Both courts used legislative history and congressional reports yet came to different results. This is yet another case in a long line of cases that suggests that the legislation on electronic communication needs to be rewritten because unforeseeable results make compliance difficult for corporations.<br /><br />The case also demonstrates the importance of the reasonable expectation of privacy in electronic communications. Both the 9th Circuit and the district court declined to award summary judgment to the City on the issue of the Fourth Amendment violations. Both courts agreed that a jury might find that Quon had a reasonable expectation of privacy in the text messages he sent from the pager. Both courts noted several factors that would make Quon’s expectation of privacy unreasonable. First, the Ontario Police Department’s Computer Usage Policy, which Quon signed, required equipment to be used for business purposes. Second, Quon attended a meeting where he was specifically told that the policies applied to the pagers. Third, the pager was owned by the Police Department. If that were all, the 9th Circuit noted, the outcome would be very similar to other cases where the employee was specifically cautioned against any privacy. However, several other factors made his expectation of privacy reasonable. First, the officers in charge of collecting the bills had made it clear to the plaintiffs that the text messages would not be audited so long as they agreed to pay for the overages. Second, the City in fact did not audit the messages when the employees paid their overages. Further, the 9th Circuit ruled that the expectation could be reasonable despite the fact that the oral declaration was made by someone not in charge of policymaking. 
Both courts declined to award the City summary judgment on the reasonableness of Quon’s privacy expectation.<br /><br />In essence, any employer who has a written policy against any expectation of privacy in computer, email, or telephone use may, through its own behavior, contradict that policy and create a reasonable expectation of privacy in employee communications simply by not uniformly enforcing the policy or by acting counter to it. If the employees have not consented, and none of the other exceptions in the ECPA apply, then an employer may be liable to the employee for invasion of privacy.<br /><br />In comparison, courts usually allow a greater expectation of privacy for personal email accounts on websites—such as Yahoo, Google, or Hotmail accounts—accessed through employer-owned equipment compared to business email accounts owned and operated by the employer. However, even such personal email accounts may be subject to monitoring if the employer properly informs the employee. In NERA v. Evans, the employer, NERA, searched Evans’ company-owned laptop’s hard drive after he left employment and found images of Evans’ personal emails. Evans had deleted his personal files and defragmented his hard drive, mistakenly believing that it would remove any traces of his personal files. While the court noted that such emails could not be retrieved by an average computer user simply by browsing the computer’s hard drive, they could be retrieved by a specialist. The court ruled against the employer despite NERA’s written policies stating that a log of network activity would be kept and that network administrators could read emails. The court required the employer to be more specific. The policy did not state that contents of personal email accounts would be monitored or that NERA could retrieve them from the hard drive. 
Therefore, the court concluded that Evans’ expectation of privacy was reasonable under the circumstances.<br /><br />Another case currently in litigation merges the issues in Evans and Quon and illustrates the importance of properly drafting and enforcing privacy policies. In Sidell v. Structured Settlement Investments, the plaintiff alleged that his employer continued reading his personal Yahoo email after he was fired because Sidell had left the email account logged on. Sidell made allegations under the ECPA similar to the ones between Quon and Arch Wireless. Sidell further alleged that the employer used the email account to monitor Sidell’s communications with his attorney. The employer defends that they suspected Sidell of emailing trade secrets to his personal email account. Depending on how explicit Structured Settlement Investments’ policies were and whether Sidell was in fact emailing himself trade secrets, the employer could be liable under the ECPA. Regardless of how the case turns out, it is likely to demonstrate at least one very important point: employers must caution their managers against snooping on their employees’ emails without consulting in-house counsel.<br /><br />These electronic communication cases will certainly influence how employers and corporations involved in electronic communications act in the future. Surely, Arch Wireless will work to improve its handling of text message transcript requests where the subscriber is different from the addressee or the intended recipient. Moreover, employers may have to both revise their policies so that they describe their intended actions more accurately and enforce these policies uniformly to assure that they hold up in court.<br /><br />The cases are Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (2006); Quon v. Arch Wireless Operating Co., 529 F.3d 892 (2008); and National Economic Research Associates, Inc. v. Evans, No. 04-2618-BLS2 (Sup. Ct. Mass. Aug. 3, 2006).Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-77106499325820408972008-05-26T13:21:00.002-04:002008-05-26T13:22:37.387-04:00Google Health Launches<em>By Dino Tsibouris & Mehmet Munur<br /></em><br />Having concluded its <a href="http://www.tsibouris.com/blog/2008/04/google-health-starts-pilot-at-cleveland.html">testing at the Cleveland Clinic</a>, <a href="http://www.google.com/health">Google Health</a> launched amid privacy concerns last week. Commentators are concerned that Google is not currently regulated under the Department of Health and Human Services (“DHHS”), and Google’s claim that it is regulated by the Federal Trade Commission does not appear to appease them. Nevertheless, Google Health appears to have a solid approach to both storing health care data online and finding information about health issues with Google Health.<br /><br />Google Health ships with <a href="https://www.google.com/health/html/terms.html">terms of service</a>, a <a href="https://www.google.com/health/html/privacy.html">privacy policy</a>, a <a href="https://www.google.com/health/html/sharingauth.html">health sharing authorization</a>, and a <a href="https://www.google.com/health/html/legalnotices.html">legal notice</a>. The terms of service caution the user that Google Health does not offer medical advice, that the user is responsible for the security of the password, and that Google will treat the information provided by the user in accordance with its privacy policy—along with the usual limitation of liability and exclusion of warranty language. 
The privacy policy states that Google will not sell, rent, or share the information without the explicit consent of the user, explains what information Google retains, and clarifies how a user may share health data with a licensed third party health care provider. The health sharing authorization allows Google to pass along sensitive health care information to third parties that the user authorizes. Finally, the legal notice provides limitation of liability for Google’s partners that provide drug-related information.<br /><br />Commentators have at least two privacy concerns with Google Health. First, anyone with a Google username may instantly and easily sign onto Google Health. While Google requires that passwords be at least 8 characters long, it does not require that the passwords contain numbers, upper and lower case characters, and special characters—which would help create strong passwords. Considering that only a minority of users will create strong passwords when not required to do so, access to a user’s health information on Google Health is only as good as the password the user creates—assuming that Google’s systems are secure. However, both Microsoft and Google suffer from this same problem.<br /><br />Second, Google (rightly) claims that it is not bound by the Health Insurance Portability and Accountability Act (“HIPAA”). The regulations under 45 CFR part 160.102 state that the Act applies to a) health plans, b) health care providers who transmit any health information in electronic form in connection with a covered transaction, or c) health care clearinghouses. A health plan is an individual or group that provides or pays the cost of medical care. Medical care includes diagnoses, cures, treatments, and transportation related to medical care, but not storage or transfer of information. A health care provider is a provider of medical or health services and any other person or organization that is paid for health care in the normal course of business. 
While medical services are defined ad nauseam in the regulations, none of those services relate to storage of healthcare information as a service.<br /><br />A health care clearinghouse is an entity that processes or facilitates the processing of health care information from a nonstandard format (or data) to a standard format (or data), or vice versa. In promulgating the final rules on HIPAA, the DHHS stated that the definition was not meant to apply to telecommunication companies such as internet service providers or telephone companies, so long as they did not process the data in the fashion required. Therefore, processing of information coming from one entity and going to another entity appears to be at the heart of the regulations. Google does not process the data. It only makes it available to both the patient and the health care professional—presumably in the format it is provided. On the other hand, any manipulation of this data from standard to nonstandard format would trigger the regulations under HIPAA. In sum, Google Health currently resides in that gray area between explicitly exempt entities and nonexempt entities.<br /><br />Nevertheless, Google’s interpretation of the current regulations is in line with DHHS’ Office for Civil Rights (“OCR”), which is in charge of the civil enforcement of the Privacy Rule under HIPAA. Susan McAndrew, senior advisor for the OCR, <a href="http://www.hhs.gov/healthit/ahic/materials/transcript/ce_012908.html">has stated in unofficial discussions</a> that Google Health and Microsoft HealthVault are exempt from HIPAA rules, <a name="Section1">but that the Confidentiality, Privacy, and Security Workgroup</a> of the <a href="http://www.hhs.gov/healthit/ahic/index.html">American Health Information Community</a> is in the process of making recommendations to regulate them under HIPAA. 
In regulating electronic health information exchange networks such as Google and Microsoft, the Workgroup has already identified <a href="http://www.hhs.gov/healthit/ahic/materials/transcript/cps_041708.html">six factors</a> ranging from prevention of unauthorized access of the health care data to the purposes for which the health care data can be used. However, it will probably be years before such regulations take effect.<br /><br />Yet, Google does not claim that it is exempt from regulation for its privacy policies. On the contrary, <a href="http://googlepublicpolicy.blogspot.com/2008/05/google-health-privacy-and-hipaa.html">Google agrees</a> that it is subject to section 5 of the Federal Trade Commission (“FTC”) Act. While the OCR responds to <a href="http://www.hhs.gov/ocr/privacy/enforcement/data/historicalnumbers.html">thousands of complaints</a> every year, the FTC’s settlements are more public and its punishments are probably more severe. So far this year, the <a href="http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html">FTC settled</a> with 5 companies for breach of privacy policies, including retailer TJ Maxx, publisher Reed Elsevier, and online advertiser ValueClick. Almost all FTC settlements include biennial security audits by independent third parties for 10 or 20 years following the settlement. Some include civil penalties. In 2006, the FTC settled with ChoicePoint for $10 million in civil penalties and $5 million in consumer redress. Such settlements tend to affect a company’s stock prices in the short run and hurt their brand images. Google is certainly aware of the consequences of a security breach at Google Health.<br /><br />Google has a healthy competitor to Microsoft’s HealthVault in Google Health. However, both business models appear to be ahead of the legal regulations in this area of health privacy. 
Moving health records online will certainly benefit patients, healthcare providers, and companies such as Google and Microsoft—so long as all the parties involved understand and fulfill their responsibilities.Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-90194044903550771942008-05-13T12:20:00.003-04:002008-05-13T12:24:44.656-04:00Ohio Supreme Court Prepares to Adopt Electronic Discovery Rules<em>By Dino Tsibouris & Mehmet Munur</em><br /><br />The Ohio Supreme Court is finalizing Proposed Amendments to the Rules of Civil Procedure that include amendments related to electronic discovery. The comment period for the proposed amendments ended on March 4, 2008. The commission responsible for the rules had until May 1st to review and make changes to the proposed amendments. It has not. Therefore, the proposed amendments should take effect on July 1, 2008—unless the General Assembly adopts a concurrent resolution of disapproval. Though the Ohio Rules are very similar to the Federal Rules, the Ohio Rules differ to accommodate the differences in practical application. <br /><br />Under proposed Ohio Rule 26, a judge may schedule a pretrial conference related to electronically stored information, while such a pretrial conference is required under the Federal Rules. Also, proposed Rule 26 clarifies the scope of discovery to include electronically stored information and limits it to cases where the information is reasonably accessible and its production not unduly burdensome or expensive. Proposed Rule 37 provides factors that are not provided in the Federal Rules that a judge should consider in determining sanctions as a result of routine, good faith operation of an electronic information system. 
Some of these factors are 1) whether and when the obligation to preserve the information is triggered, 2) whether the party intervened in a timely fashion to prevent the loss of information, and 3) whether the party took steps to comply with any court or party agreement requiring the preservation of specific information. <br /><br />You may find the proposed amendments <a href="http://www.sconet.state.oh.us/RuleAmendments/">here</a>.Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-34935259586140419032008-05-01T09:35:00.003-04:002008-05-01T09:58:30.423-04:00Senate Votes to Expand Student Loan Access<em>By Dino Tsibouris</em><br /><br />We represent a number of student lenders with respect to their online lending operations. In the past several months we have observed a number of unique events in the marketplace, ranging from the reduction of interest rates in federally-insured student loans that have made the business financially unattractive to banks, to disruptions in the bond markets that have impaired the ability of lenders to obtain funds to make student loans. Many lenders have suspended student lending activity temporarily, stopped making certain types of student loans, or completely left the business and focused on other opportunities.<br /><br />Students are now faced with increasing tuition costs at the same time that their access to student loans has substantially declined. To address these concerns, the Senate yesterday approved The Ensuring Continued Access to Student Loans Act of 2008 (similar to a bill that recently passed the House) to increase the amounts borrowers may obtain in federally-insured student loans. 
Both the Senate and House bills would also allow the Department of Education to buy existing student loans from lenders to free up their capital and allow the lenders to make new loans. President Bush is expected to sign the new legislation. It is important to note that the proposed legislation aims to increase borrowers’ access to FFELP loans, but does not affect private student loans that are not guaranteed by the government.<br /><br />Interestingly, Federal Reserve Chairman Bernanke was quoted in the Wall Street Journal today as having sent a letter to senators inviting them to revisit their earlier decision to cut interest rates on federally-insured loans to entice lenders to return to the marketplace. Time will tell.Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-39999964785685163132008-05-01T09:27:00.002-04:002008-05-01T09:30:39.232-04:00In Case You Missed It: Judge Dismisses Cheating Husband’s Breach of Privacy Policy Case<em>By Dino Tsibouris & Mehmet Munur</em><br /><br />A federal judge in Texas recently dismissed a case (due to improper venue) in which the plaintiff alleged that the website’s breach of its privacy policy led to his wife finding out about his infidelity, which ultimately led to his divorce.<br /><br />Plaintiff Leroy Greer called 1-800-FLOWERS (Company) and ordered flowers for his girlfriend. He was directed to 1-800-flowers.com when he inquired about the Company’s <a href="http://ww11.1800flowers.com/template.do?id=template8&page=9005">privacy policy</a>. After the purchase, the Company sent a “thank you” note to his home, which prompted his wife to contact the Company for proof of purchase, a copy of the note attached to the flowers, and information about the husband’s girlfriend. 
Greer filed suit for $1.5 million arguing that the Company’s actions breached the privacy policy and caused him damages in connection with the divorce that followed.<br /><br />In its defense, the Company argued that the forum selection clause of the website <a href="http://ww11.1800flowers.com/template.do?id=template8&page=9003">terms of use</a> specifically assigned Nassau or Suffolk counties of New York exclusive jurisdiction. In response, Greer argued that because the transaction had taken place over the telephone, the forum selection clause was not applicable. In essence, Greer argued that his use of the website to view the privacy policy did not amount to full-fledged use to trigger the terms of use but that the phone transaction governed. <br /><br />The court disagreed for two reasons. First, the privacy policy was a part of the terms of use, which stated that accessing any part of the website legally bound the user to its terms. In other words, Greer was cherry-picking the parts of his agreement with the Company—wanting to enforce the privacy policy but not the terms of use. Second, the court ruled that Greer did not successfully show that the terms of use only applied to web transactions.<br /><br />The court then summarily found that the forum selection clause did not violate the Supreme Court’s four-factor forum selection test. After all, whether the Plaintiff actually read the terms of use was beside the point considering that the privacy policy contained a link to it, specifically mentioned it, and notified the user of its existence. Greer was going to have to sue the Company in New York.<br /><br />While Greer’s lawyer suggested that they would be filing the case in New York in the next couple of weeks, research has not revealed whether he actually has. For details related to Greer’s note to his girlfriend and his wife’s discovery, visit <a href="http://www.abovethelaw.com/2007/08/greer_v_1800flowers_an_update.php">here</a>. 
Visit <a href="http://today.msnbc.msn.com/id/20247816/">here</a> for the MSNBC story.<br />The case is Greer v. 1-800-Flowers.com, Inc., No. H-07-2543, 2007 U.S. Dist. LEXIS 73961 (S.D. Tex. Oct. 3, 2007).Dino Tsibourishttp://www.blogger.com/profile/16507887938640430240noreply@blogger.com0tag:blogger.com,1999:blog-9959351.post-38381978875686984272008-04-11T16:21:00.005-04:002008-09-09T18:26:24.509-04:00Google Health Starts Pilot at the Cleveland Clinic<em>By Dino Tsibouris & Mehmet Munur</em><br /><br />On February 21, 2008, Google announced a partnership with the <a href="http://cms.clevelandclinic.org/body.cfm?id=227&action=detail&ref=815">Cleveland Clinic</a> to test its online personal health records management platform called Google Health. While Google is late to bring its platform to the party, its offering appears to go beyond <a href="http://www.tsibouris.com/blog/2007/12/microsoft-health-vault.html">Microsoft’s HealthVault</a> offering. The goal of the project is “to give the patients the ability to interact with multiple physicians, healthcare service providers and pharmacies.” The pilot project will test the secure exchange of patient medical records.<br /><br />Google claims that its offering is different than other online personal health records in four ways. First, Google developed its privacy policies using <a href="http://googleblog.blogspot.com/2007/06/new-advisory-group-on-health.html">Google Health Advisory Council</a>, made up of leaders in the healthcare industry—from CEOs of the Cleveland Clinic and the American Medical Association to the Executive Vice President of Risk Management at Wal-Mart. Second, Google Health is a platform and not just a website. 
This allows third party application developers to create programs for use on its application programming interface, or API. For example, such third party applications may include reminders to take prescription medicine on <a href="http://www.google.com/ig">personalized Google homepages</a>. Third, storage of medical data on Google’s servers allows for portability. Lastly, Google Health will have a user focus through which users can easily manage their healthcare information or find health information about their health conditions. The service will allow users to find relevant and dynamically generated news, web search results, research articles, and discussion groups.<br /><br />The Cleveland Clinic pilot project is supposed to last six to eight weeks and the platform is to become public some time after that. For this reason, no terms of use are available from Google to judge its commitment to privacy. Yet, Google appears to have changed its privacy policies in a positive way. First, Google changed its <a href="http://www.tsibouris.com/blog/2007/06/googles-eu-data-protection-issues.html">30 year expiration period</a> for its cookies to two years—but included automatic renewal.<br /><br />Second, Google was the first major search engine to <a href="http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html">anonymize its server logs</a> after 18 months instead of an 18 to 24 month period. Google deletes the last few digits of the IP address as well as some portion of the cookie information to anonymize the information contained in these logs. According to Peter Fleischer, Google’s Global Privacy Counsel, Microsoft and Yahoo later followed this practice with 18 and 13 month retention plans, respectively. However, Google continues to retain these logs for as long as necessary. 
Third, Google has started offering videos through its <a href="http://www.youtube.com/googleprivacy">YouTube Google Privacy Channel</a> to explain its privacy policies without legalese and geek-speak.<br /><br />All of these changes at Google appear to point towards Google’s corporate responsibility for privacy within its business framework of “creat[ing] [a] minimum global standard, built around international consensus, that is flexible, technologically neutral, and forward looking.” Obviously, creating such a framework would be beneficial for Google’s business, as it would make compliance much easier. Yet cultural and legal differences are likely to make this goal hard to achieve.<br /><br />On the other hand, Google must have a business purpose for entering the health records management field. After Google CEO Eric Schmidt’s <a href="http://www.youtube.com/watch?v=dTZKNcx9sBA">keynote speech at the HIMSS</a>, a doctor asked what was in it for Google. He answered that there was not a “monetization path” for Google Health in the short term. However, he suggested that Google was able to build a brand following through other services, such as Google News, even though those ancillary services were not supported by advertisements. It appears that Google would like to inspire confidence in its service first and then create revenue through contextual advertisements if users explicitly consent. It is at this juncture that privacy advocates would have the most difficulty with Google Health.<br /><br />Eric Schmidt suggested that this service was unlikely to take off or reach market saturation in a short time, but that in the long run it makes sense because such a large part of online searches involves health topics. Google Health and Microsoft HealthVault appear to be steps in the right direction; however, it remains to be seen how these services will affect individual privacy and how corporations and legislators will respond to those concerns.<br /><br />You can find a blog post and screens from Google Health at the Official Google Blog <a href="http://googleblog.blogspot.com/2008/02/google-health-first-look.html">here</a>. 
You can find Eric Schmidt’s keynote speech at the Healthcare Information and Management Systems Society Annual Conference in Orlando on February 28, 2008 <a href="http://www.youtube.com/watch?v=dTZKNcx9sBA">here</a>.<br /><br />Posted by Dino Tsibouris<br /><br />Supermarket Chain Falls Victim to Security Breach (published 2008-03-18)<br /><em>By Dino Tsibouris & Mehmet Munur</em><br /><br />On Monday, March 17, 2008, Hannaford, an East Coast supermarket chain, announced that it had fallen victim to a security breach. The breach has so far resulted in 1,800 actual cases of fraud.<br /><br />Hannaford announced that the breach affected 4.2 million unique account numbers during the card authorization process. Hannaford first noticed the breach on February 27 and contained it on March 10. Hannaford, VISA, MasterCard, and the U.S. Secret Service have not released much information regarding the breach due to the ongoing nature of the investigation. However, no personal data such as names, addresses, or telephone numbers were revealed during the breach.<br /><br />It is possible that hackers breached Hannaford’s security in a manner similar to the 2006 breach of TJ Maxx. TJ Maxx secured its wireless networks with WEP, an outdated and easily broken encryption scheme. Hackers breached a TJ Maxx store’s wireless network near St. Paul, MN using a laptop and a directional antenna. They then used this data to compromise TJ Maxx’s central customer database at its Framingham, MA headquarters. 
The hackers obtained many millions of credit card numbers and some personally identifying information, such as driver’s license numbers and social security numbers.<br /><br />Hannaford’s security breach pales in comparison to the breach at TJ Maxx, which may have affected 100 million customers. TJ Maxx has settled with VISA and the card-issuing banks over its breach for $82 million and has set aside a reserve fund of $107 million for payments and legal expenses. Though the FTC has been investigating TJ Maxx, it has not yet announced a settlement. The FTC may levy fines against TJ Maxx since that breach was the largest security breach to date.<br /><br />While the FTC has settled only 17 cases to date relating to the data security practices of companies handling personal information, it has settled 2 so far in 2008. It appears that the FTC will settle more cases related to security breaches this year.<br /><br />Posted by Dino Tsibouris<br /><br />Settlement of Lawsuit over Email Upheld (published 2008-03-17)<br /><em>By: Dino Tsibouris & Mehmet Munur</em><br /><br />A Massachusetts court of appeals recently held that Amazon was bound to a settlement that was reached over email to dismiss a case against it, noting that the email exchange created “a present agreement awaiting a later document.”<br /><br />The litigation that led to the email settlement arose from Amazon’s investment in Basis Technology, a software company focusing on “extracting meaningful intelligence from multilingual text.” In September 1999, Amazon entered into a technical services agreement with Basis to help Amazon create an electronic commerce system in Japan. 
In December 1999, Amazon purchased 1.6 million shares of preferred stock in Basis with a one-to-one common stock conversion provision and anti-dilution rights. In April 2001, Amazon agreed to a recapitalization that increased its conversion rights to two-to-one (one share of preferred stock to two shares of common stock). In March 2004, the Basis Board of Directors distributed a memorandum acknowledging the issuance of almost half a million shares of preferred stock to In-Q-Tel, the venture capital arm of the Central Intelligence Agency. Amazon received notice of this issuance but did not consent.<br /><br />In the meantime, in May 2003, Basis had commenced a lawsuit against Amazon for breach of fiduciary duty. In March 2005, counsel for Basis and Amazon reached a preliminary settlement through email. Basis counsel sent an email memorializing the discussions of that evening with 6 provisions that showed general agreement on the main points but omitted most of the details, which would be drafted later. One of the provisions required Amazon to convert its preferred stock to common stock under the 1999 share purchase agreement. Basis counsel also asked to be contacted the next morning, before the two parties reported the settlement to the judge, in the event that Amazon counsel disagreed. The next morning, counsel for Amazon replied to the email with one word: “correct.” The trial judge ended the trial and entered an order for a settlement between the parties, pending the detailed provisions.<br /><br />Several days later, Amazon and Basis reached a deadlock over the conversion ratio. Basis argued that the conversion rate should be two-to-one. Amazon argued that the anti-dilution provisions should result in a ratio of more than 2.1-to-one due to the issuance of shares of preferred stock to In-Q-Tel. Amazon concluded that this difference would result in a loss of a quarter of a million dollars and a reduction in its ownership stake from 10% to 8.5%. 
When the parties could not resolve this dispute, the court, after extensive hearings and examinations, entered a judgment enforcing the settlement agreement the parties had reached during their email exchange in March 2005.<br /><br />On appeal, Amazon argued that the emails did not create an unambiguous agreement between the parties and that Amazon did not intend to be bound. After reviewing the emails, the appeals court ruled that the parties had reached a settlement on the essential business terms when Amazon counsel “concisely responded, ‘correct.’” The court, citing a 1987 decision, stated that where “the parties have agreed upon all material terms, [therefore] it may be inferred that the purpose of a final document which the parties agree to execute is to serve as a polished memorandum of an already binding contract.” Therefore, agreeing to the essential terms of a contract solely over email does not change the principles of contract formation.<br /><br />The decisions of both the trial court and the appeals court are not surprising for two reasons. First, Amazon executives appear to have wanted to get out of an unfavorable settlement made by Amazon counsel after it was already made. Second, an email that manifests the intention to be bound by a sufficiently definite agreement should be treated no differently from a similar writing in a different medium.<br /><br />This case compares well with CSX Transp., Inc. v. Recovery Express, Inc., 415 F. Supp. 2d 6 (D. Mass. 2006). There, CSX received an email from a person expressing interest in purchasing railcars as scrap. Relying only on the domain name in the email address, and without checking to make sure that the person worked for that corporation, CSX sold the railcars to the email sender. When the check written by the purchaser bounced, CSX sued the company holding the domain name of the email address—Recovery Express. 
The court concluded that the use of the email address by the railcar purchaser did not create apparent authority to act as Recovery Express’ agent. Though the CSX employee conducting business over email was not an attorney, it appears that he fell into the same trap that Amazon counsel did when he conducted a settlement over email.<br /><br />The case is Basis Tech. Corp. v. Amazon.com Inc., No. 06-1048 (Mass. App. Ct., Jan. 7, 2008).<br /><br />Posted by Dino Tsibouris<br /><br />Tsibouris Law Blog Featured in Columbus Business First (published 2008-03-17)<br /><br />Tsibouris & Associates Law Blog was recently featured in a Columbus Business First article on Columbus law firm blogs. The article discusses the burgeoning law firm blog scene in Columbus, Ohio. To read more, please <a href="http://columbus.bizjournals.com/columbus/stories/2008/02/11/focus4.html">click here</a>.<br /><br />Posted by Dino Tsibouris<br /><br />NY AG Cuomo Announces Code of Conduct for Private Student Loan Programs (published 2007-12-19)<br /><em>By: Dino Tsibouris and Mehmet Munur</em><br /><p>New York Attorney General Andrew M. 
Cuomo reached a settlement with University Financial Services (UFS), a private student loan consolidation service, and announced a <a href="http://www.oag.state.ny.us/press/2007/dec/DeceptiveLoanCodeConduct-Poster.pdf">Direct Marketing Code of Conduct</a> that would apply to student loans marketed <i>directly</i> to students. This represents a new regulatory approach. The proposed code of conduct:</p>(1) Prohibits lenders from using misleading tactics such as using insignia to appear to be a part of the federal government;<br /><br />(2) Prohibits lenders from paying students to steer their peers to lenders;<br /><br />(3) Requires submitting uniform disclosures to students at three different stages of the loan application process;<br /><br />(4) Requires lenders to advise students to exhaust federal loan options before using private loans;<br /><br />(5) Prohibits lenders from using gift cards or similar items to entice students;<br /><br />(6) Prohibits lenders from selling or disclosing personal information about the borrower unless the lender clearly and conspicuously discloses its intent to do so in a privacy policy;<br /><br />(7) Requires lenders to disclose whether they intend to resell the student loans; and<br /><br />(8) Prohibits lenders from levying early payment penalties.<br /><br />The <a href="http://www.oag.state.ny.us/press/2007/dec/dec11b_07.html">settlement</a> requires UFS to end arrangements with 63 colleges to market UFS’s consolidation loan services. UFS also agreed to publish advertisements advising students to be cautious when shopping for loans. 
AG Cuomo criticized some private lenders for co-branding their products with university mascots to appear to be a university’s financial aid service.<br /><br />AG Cuomo’s announcement mirrors some of the concerns that the NY legislature and the United States Congress have raised. NY recently passed the Student Lending Accountability, Transparency and Enforcement Act, while Senator Dodd (D-CT) introduced <a href="http://dodd.senate.gov/index.php?q=node/3935">the Private Student Loan Transparency and Improvement Act</a> of 2007 in June.<br /><br />Lenders who offer loans directly to students should see this as the first of what may be a series of similar regulatory efforts aimed at student lenders outside the FFELP program or marketed through schools.<br /><br />Posted by Terri Miller<br /><br />Microsoft Health Vault (published 2007-12-10)<br /><em>By: Dino Tsibouris & Mehmet Munur</em><br /><br />Microsoft’s recently launched Health Vault promises benefits in storing and sharing healthcare information online but raises concerns about the privacy of that information. Health Vault is Microsoft’s “new personal health platform that lets you gather, store, and share health information online.” Service users need a Windows Live ID (previously .NET Passport) to use the service. Once users create both a sufficiently safe username and a strong password, they can enter data from health and wellness devices, or upload documents to their vault. Users can then share this information with other Windows Live ID users, such as doctors and health care professionals.<br /><br />Google also has a similar website entitled Google Health, which mirrors Microsoft’s consumer-oriented approach to health information. While Google’s service will probably not be introduced until 2008, both companies’ focus on this field is a result of current trends. In 2007, 52 percent of adults in the US searched the web for health information, compared to 29 percent in 2001. More and more, patients are confronting their health care providers with information gathered from websites such as WebMD. Both Google and Microsoft hope to leverage their expertise in web search functionality with personal health information storage and sharing.<br /><br />Consolidating healthcare information online can offer many benefits to a patient as well as the doctors. Online storage reduces the risk of data loss and enables access to data regardless of where the patient resides. However, giving patients full control of their health records may mean that patients can selectively disclose healthcare information.<br /><br />On the other hand, both Google and Microsoft are entering this industry to generate advertisement or software sale revenues, which creates privacy concerns. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the security of personal health information. While Microsoft is aware that HIPAA may apply to it, it is not yet aware of the extent to which HIPAA applies to Health Vault.<br /><br />Microsoft’s Health Vault privacy statement addresses some privacy concerns, though it does not specifically address HIPAA regulations. First, the privacy statement asserts that third parties, such as companies Microsoft hires to answer customer service questions, have access to personal information such as IP addresses and email addresses. However, Microsoft also states that these third-party companies are required to maintain confidentiality. Second, Microsoft states that this information “may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.” Third, the statement asserts that “aggregated information from the Service for marketing” may be disclosed. While this aggregated information is not associated with any individual account, it may be used for marketing after an “opt-in consent” from the user. Finally, the privacy policy specifically addresses cookie use, web-beacon use, and encryption using HTTPS. While these assurances are definitely a step in the right direction, Microsoft will certainly want to assure compliance with HIPAA’s privacy and security rules.<br /><br />Considering that <a title="http://www.tsibouris.com/blog/2007/06/googles-eu-data-protection-issues.html" href="http://www.tsibouris.com/blog/2007/06/googles-eu-data-protection-issues.html">Google’s use of cookies</a> has been under the spotlight before, we look forward to reviewing Google’s approach to both the privacy and security of personal health information.<br /><br />Posted by Terri Miller<br /><br />Court Rules That Cease and Desist Letter Confirms Notice of Website Terms of Use (published 2007-10-29)<br /><em>Written by: Dino Tsibouris and Mehmet Munur</em><br /><p class="MsoNormal">A federal trial court in Texas held that cease and desist letters explaining infringing conduct created knowledge of website terms of use, and that further use of the website after this knowledge was a breach of contract. Therefore, a corporation wishing to stop another party from violating its website terms of use should consider sending a cease and desist letter before litigation to enhance its position at trial.</p> <p class="MsoNormal">Southwest Airlines is a Dallas-based airline carrier that subscribes to a first come, first served seating policy. 
<span style=""> </span>Southwest divides the plane into three sections—A, B, and C— with class A being the most in demand.<span style=""> </span>Southwest allows its customers to check in at www.southwest.com within 24 hours of the flight, which dramatically increases their chances being awarded the coveted A class.<span style=""> </span><o:p></o:p></p> <p class="MsoNormal">On the other hand, BoardFirst assists customers with getting class A seating at Southwest flights. <span style=""> </span>A Southwest ticket holder can supply BoardFirst with his name, flight information, credit card number, and make BoardFirst his agent to obtain class A seating for a fee of $5. <span style=""> </span>Then, BoardFirst’s employees log onto the Southwest website at the appropriate time, obtain a pass, and allow customers to print their boarding pass at the airport.<span style=""> </span>BoardFirst has been in operation since 2005 and serves less than 100 customers per day. <o:p></o:p></p> <p class="MsoNormal">In court, Southwest argued that BoardFirst’s circumvention of Southwest’s first come, first served policy is a breach of contract. 
<span style=""> </span>The terms of this contract were posted on Southwest’s website under a link titled “<a href="http://southwest.com/about_swa/terms_and_con.html?ref=tandc_fgn">Terms and Conditions</a>.” <span style=""> </span>These terms specifically prohibited commercial use of the Southwest’s website—unless the user was an approved travel agent.<span style=""> </span>Furthermore, Southwest specifically prohibited the services that BoardFirst provided, stating: “third parties may not use the Southwest web sites for the purpose of checking Customers in online or attempting to obtain for them a boarding pass in any certain boarding group.”<span style=""> </span><span style=""> </span><o:p></o:p></p> <p class="MsoNormal">Clearly, if Southwest could prove that there was a contract between Southwest and BoardFirst, then it should be entitled to relief. <span style=""> </span>In order for a contract to exist, parties must mutually agree to its terms, either through spoken or written terms or actions. <span style=""> </span>Southwest’s website terms of use—in plain and very common terms—stated that “use of the Southwest web sites and our Company Information is subject to these terms and conditions, and by using our web site, you agree to these terms and conditions.”<span style=""> </span>Therefore, Southwest argued that BoardFirst was aware of the website terms of use, and agreed to its conditions by using the website.<o:p></o:p></p> <p class="MsoNormal" style="">In similar circumstances, defendants have argued that they had no knowledge of these terms and that the small hyperlink at the bottom of the website gave insufficient notice. 
<span style=""> </span>However, BoardFirst did not raise these arguments because Southwest sent two cease and desist letters before starting this lawsuit.<span style=""> </span>The court held that a contract between BoardFirst and Southwest formed at least as early as when BoardFirst received the first cease and desist letter and then continued the use of Southwest’s website. <o:p></o:p></p> <p class="MsoNormal" style="">Southwest then had to prove breach of contract and damages to prevail in this lawsuit.<span style=""> </span>The court held that BoardFirst breached this contract because the activities were specifically prohibited by the website terms of use.<span style=""> </span>Southwest’s damages were difficult to calculate, but nevertheless tangible.<span style=""> </span>Southwest argued that the customers that paid BoardFirst did not visit Southwest’s website, where they would have viewed advertisements and possibly made hotel or rental car reservations.<span style=""> </span>The difficulty of proving these damages; however, allowed Southwest to get an injunction stopping BoardFirst’s breaching activities. 
</p> <p class="MsoNormal" style="">The case is interesting because the court correctly compared BoardFirst’s activities to landmark terms of use cases to come to the conclusion that BoardFirst’s activities formed a contract. While the case certainly reaches the correct conclusions, it does so in a conservative fashion. One could argue—as Southwest did—that a contract between the parties existed long before the cease and desist letters, as early as BoardFirst’s first use of the Southwest website in early 2005. The court’s willingness to take the easy road to enforce the contract between the parties demonstrates at least one lesson: corporations wishing to enforce their website terms of use are encouraged to send at least one cease and desist letter before litigation.</p> <p class="MsoNormal">The case is <i>Southwest Airlines Co. v. BoardFirst, L.L.C.</i>, No. 3:06-CV-0891-B (N.D. Tex., Sept. 12, 2007).</p><br /><br />Posted by Terri Miller<br /><br />Best Lawyers in America - 2008 (published 2007-10-22)<br /><span style="color: rgb(51, 0, 51); font-family: georgia;" lang="en-us">Dino Tsibouris of Tsibouris & Associates, LLC was recently selected to be included in the 2008 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 1.8 million evaluations and votes cast by the top attorneys in the country. 
To read more about the selection process, <a href="http://www.bestlawyers.com/aboutus/selectionprocess.aspx">click here</a>.</span><br /><br />Posted by Terri Miller