Archive for November, 2007

NY Case Upholds Punitive Damages for Unintentional Data Breach

A recent decision by the Appellate Division of the New York Supreme Court, upholding a jury award of punitive damages for an unintentional privacy breach, should serve as a warning flag for all organizations – especially those in the health care sector – that failure to implement and maintain appropriate policies for the handling of personal data may result in liability for the company. The case emphasizes the importance of proper data security safeguards and suggests that organizations revisit their policies and procedures to ensure that they are adequate. The case, as with other notable cases involving security breaches, also accentuates the critical role that employee training and education play in an organization’s own data privacy and security program.

In this case, the court ruled, in a 3-2 decision, that punitive damages can be awarded for a grossly negligent breach of confidential medical information even if the breach was the result of negligence and not intentional or malicious. The court upheld the jury’s award of $365,000 ($65,000 in compensatory emotional distress damages and $300,000 in punitive damages) despite acknowledging that the defendant was acting in good faith and without malice or intent to violate the plaintiff’s privacy rights. According to the court’s decision, a plaintiff need not prove malice or bad faith in order to be awarded punitive damages.

The facts of the case illustrate the importance of development of and uniform compliance with internal policies and procedures for maintaining confidentiality and privacy of personal data. The plaintiff underwent an abortion at the defendant surgery center. When filling out a pre-operative questionnaire, the plaintiff included her home telephone number, but then crossed it out. Because the plaintiff lived with her parents and did not want them to know of the procedure, she gave specific instruction to only call her cell phone number. However, administrative personnel at the surgery center generated patient file labels for the plaintiff which included her home number. Later, a nurse at the center made a call to the plaintiff’s home number to follow up on certain lab tests. Despite realizing that she was speaking with the plaintiff’s mother, and not the plaintiff, the nurse proceeded to discuss the plaintiff’s condition in a manner which made apparent the fact that the plaintiff had undergone an abortion procedure.

The court found that although the defendant did not act in bad faith, the actions of the center and its personnel rose to the level of recklessness and gross negligence. The court specifically pointed to the fact that the center had no written policy for protection of the patient’s right to privacy and confidentiality. The decision in this case is a reminder that organizations must not only develop privacy and personal data protection policies and procedures, but must also ensure that personnel are consistently implementing and following these policies and procedures.

posted on 11/41/2007 under Privacy Laws (1 Comment)

How Businesses Can Protect Their Customers’ Privacy

Nov. 15, 2007 - Privacy: it’s getting tougher to maintain, especially with identity theft on the rise. With this in mind, growing numbers of Americans are demanding that corporate America treat their personal information with secrecy. According to a Harris Poll sponsored by Microsoft, 60% of Americans said they’ve decided not to support a store because of doubts about that store’s privacy protections. What is surprising is that it isn’t just marketers that are trying to access personal information. The government has drafted private industry for “data collection duty” in the war on terror.

So how can businesses keep customers’ personal information under wraps when the U.S. Patriot Act allows the government to collect copious amounts of this sort of information? Jacqueline Klosek, an attorney and author of the new book, “The War on Privacy,” advises clients on issues related to data privacy and security. As a Certified Information Privacy Professional, Klosek believes private industry faces a precarious balance, trying to simultaneously maintain consumer privacy while also complying with governmental demands for information.

“This issue is not going to just disappear,” says Klosek. “The war on terror has reduced privacy rights in the United States and around the world. The bottom line is whether the feds are leaning on your company for records or you’ve suffered a security breach by hackers, your reputation is at stake and you’ve lost your customers’ trust.”

Klosek routinely advises businesses to follow all privacy measures required by law. In addition to these measures, she offers her clients the following additional tips:

1. Conduct an Internal Audit. Before you can inform your consumers about your privacy policies and practices, you must first understand what they are. Businesses should conduct an internal audit to understand: what data they are collecting, how they are using that data, with whom they are sharing that data, how that data is being protected and related issues.

2. Develop a Privacy Policy. Once the company’s policies and plans for collecting and using customer information are clarified, these policies should be communicated to customers and clients through a Privacy Policy. Your Company Privacy Policy needs to clearly state how your company can be contacted in regards to information and the types of third parties that will have access to such information. Also, be sure to follow all laws and legal requirements in this regard.

3. Be Broad. When drafting your Consumer Privacy Policy it is smart to be as broad as possible. This will give your company greater latitude if you are forced by the government to hand over data or are faced with other potentially unanticipated events such as corporate restructuring, mergers and acquisitions.

4. Plan Ahead and Be Prepared for the Inevitable. Anticipate the fact that your company could face a government subpoena demanding your client’s personal information records. By understanding that this can happen, you can suitably prepare your policies in order to set your clients’ and customers’ expectations regarding the privacy of their personal information. This may help you to avoid making a strong privacy promise to consumers that governmental demands will not allow you to keep.

5. Seek Prior Consent. It’s a smart idea to obtain prior consent from your consumers/clients about potential personal data transfers that could be subpoenaed by the government. The same holds true for other types of transfers, including transfers to business partners and service providers.

6. Conduct Due Diligence When Outsourcing. Examine the third-party service provider’s experience with privacy and data security. Investigate any privacy complaints the service provider has faced and make sure you’re complying with all U.S. and foreign laws when outsourcing.

7. Protect Your Website. It’s good practice to implement a web monitoring program that automatically runs privacy scans to ensure that the site hasn’t been compromised and that privacy measures remain intact.

Protecting customers’ privacy is becoming a more cumbersome task with the advances in technology and the war on terror. “Ironically, the erosion of individual privacy rights here and abroad occurs under the guise of enhancing national security,” says Klosek. “The surprising fact is that this so-called greater protection renders private citizens more exposed than ever before.”

posted on 11/14/2007 under Privacy Laws (No Comments)

Jacqueline Klosek, an attorney with Goodwin Procter LLP, is a frequent lecturer and writer on cutting edge legal issues related to technology, intellectual property and privacy.
