Archive for the 'Case Law' Category

Germany Rules Against Computer Surveillance

Germany’s Federal Constitutional Court recently issued an important ruling regarding privacy and surveillance. After considering a state law that had permitted governmental monitoring of the computers of criminal suspects, the Court ruled that data stored or exchanged in a personal computer is covered by Constitutional principles that protect the right to personal privacy.

While directly addressing the state law, the court’s decision also established ground rules regarding a controversial federal law that governed the ability of secret service agencies to install software to monitor the online activities of suspected terrorists. According to the ruling, authorities would be able to use such monitoring software only in exceptional cases, and then only with the approval of a judge.

The decision has great significance, not only for Germany but also for the rest of the international community, as countries around the globe continue to debate where, precisely, the line should be drawn between efforts to protect individual privacy and attempts to provide for national security.

posted on 02/50/2008 under Privacy Laws No Comments

California Breach Notification Law Now Applies to Health Information

The new year has once again ushered in significant changes in the regulation of data security in California. With Governor Schwarzenegger’s signing of Assembly Bill 1298 (“AB 1298”), effective January 1, 2008, state law requirements governing the privacy of confidential computerized information maintained by businesses and state agencies have been expanded to include medical and health information.

In light of recent reports about the growing problem of medical identity theft, this bill expands the definition of “personal information” by adding two new breach-triggering data elements, “medical information” and “health insurance information,” to the law. The provisions apply broadly, are not limited to health care providers, and thus may affect any employer or other entity with computerized employee benefits or other health data. Significantly, the removal of Social Security numbers from computerized files will not insulate entities from notification obligations in the event of a breach.

In addition to the important changes regarding medical information, this bill also makes clarifying changes to California’s “security freeze law.”

Key Provisions of AB 1298

Expansion of the application of the Confidentiality of Medical Information Act (CMIA). The bill expands the application of the CMIA to include any business organized for the purpose of maintaining medical information in order to make the information available to an individual or a provider of health care for purposes of managing health care information or for treatment or diagnosis, even if the business is not organized for the primary purpose of maintaining medical information for treatment or diagnosis.

Expansion of Data Breach Notification Law to Medical and Health Insurance Information. AB 1298 also expands the definition of “personal information,” as that term is used in California’s data breach notification laws, to include medical and health information. This security breach notification requirement applies to all entities, whether or not they are health care providers under the CMIA. The two new data elements are:

• Medical Information, defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and

• Health Insurance Information, defined as an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

Clarification to the State’s existing security freeze law. While the most significant components of the new measure apply to medical information, AB 1298 also makes important clarifications to the state’s existing provisions regarding security freezes. Specifically, the new measure clarifies that the state’s existing security freeze law (which permits a person to place a hold or “freeze” on his or her credit report) does not apply to any information in the report that the credit reporting agency lawfully obtained from public records.

Violations

AB 1298 subjects businesses to the civil and criminal penalties prescribed by the Confidentiality of Medical Information Act for improper uses and disclosures of medical information. Under the expanded definition of personal information in the data breach notification law, failure to notify individuals whose medical or health insurance information has been accessed in an unauthorized manner exposes the entity that fails to notify to potential civil liability.

Implications

With the changes that went into effect as of January 1, 2008, California becomes one of only a few states to extend security breach notification requirements to medical information. If your company maintains information covered by the new requirements, there are important steps that should be taken as promptly as possible.

• Conduct an Internal Audit. Identify what types of computerized medical information or health insurance information your company maintains, and consider the business reasons for collecting and maintaining this data. Limiting the collection and retention of protected data helps to reduce the risk and/or magnitude of a potential security breach.

• Implement Proper Security Measures. Ensure that medical information and health insurance information are protected by the same data security measures applied to other personal information covered by the breach notification laws (such as Social Security numbers and credit card numbers).

• Consider Encryption. The law, as modified by AB 1298, continues to provide an exemption or safe harbor for encrypted data if all components of personal information are encrypted. Encryption can provide significant protection to information and eliminate any notification obligations.

• Train All Staff. Technical security measures will only go so far. Administrative and organizational security measures will also play a significant role in the security of information but these measures will only be effective if employees are adequately trained.

• Update Breach Response Plan. Ensure that your company’s breach response plan is updated with respect to medical information and health insurance information. If a breach response plan has not been developed or implemented, now is an opportune time to do so.

posted on 01/15/2008 under Privacy Laws No Comments

NY Case Upholds Punitive Damages for Unintentional Data Breach

A recent decision by the Appellate Division of the New York Supreme Court, upholding a jury award of punitive damages for unintentional privacy breaches, should serve as a warning flag for all organizations – especially those in the health care sector – that failure to implement and maintain appropriate policies for the handling of personal data may result in liability for the company. The case emphasizes the importance of proper data security safeguards and suggests that organizations revisit their policies and procedures to ensure that they are adequate. The case, as with other notable cases involving security breaches, also accentuates the critical role that employee training and education play in an organization’s data privacy and security program.

In this case, the court ruled, in a 3-2 decision, that punitive damages can be awarded for a grossly negligent breach of confidential medical information even if the breach was the result of negligence and not intentional or malicious. The court upheld the jury’s award of $365,000 ($65,000 in compensatory emotional distress damages and $300,000 in punitive damages) despite acknowledging that the defendant was acting in good faith and without malice or intent to violate the plaintiff’s privacy rights. According to the court’s decision, a plaintiff need not prove malice or bad faith in order to be awarded punitive damages.

The facts of the case illustrate the importance of development of and uniform compliance with internal policies and procedures for maintaining confidentiality and privacy of personal data. The plaintiff underwent an abortion at the defendant surgery center. When filling out a pre-operative questionnaire, the plaintiff included her home telephone number, but then crossed it out. Because the plaintiff lived with her parents and did not want them to know of the procedure, she gave specific instruction to only call her cell phone number. However, administrative personnel at the surgery center generated patient file labels for the plaintiff which included her home number. Later, a nurse at the center made a call to the plaintiff’s home number to follow up on certain lab tests. Despite realizing that she was speaking with the plaintiff’s mother, and not the plaintiff, the nurse proceeded to discuss the plaintiff’s condition in a manner which made apparent the fact that the plaintiff had undergone an abortion procedure.

The court found that although the defendant did not act in bad faith, the actions of the center and its personnel rose to the level of recklessness and gross negligence. The court specifically pointed to the fact that the center had no written policy for protection of the patient’s right to privacy and confidentiality. The decision in this case is a reminder that organizations must not only develop privacy and personal data protection policies and procedures, but must also ensure that personnel are consistently implementing and following these policies and procedures.

posted on 11/41/2007 under Privacy Laws 1 Comment

Right to Privacy Advances in the UK with Resolution of McKennitt Case

On March 30, 2007, the House of Lords denied an author permission to appeal a ban on her book, the publication of which was stopped on the grounds that it violated the privacy of its main subject. The publication of “Travels With Loreena McKennitt: My Life As A Friend” was halted when Loreena McKennitt, a Canadian songwriter and singer known for being particularly protective of her personal privacy, won an injunction blocking the publication of certain passages in the book on the grounds that publication of the passages would violate her right to a private life under the European Convention on Human Rights (“ECHR”).

Ms McKennitt was successful in cases brought in the High Court and in the Court of Appeal. Thereafter, Niema Ash, the author of Travels with Loreena, sought permission to appeal the injunction to the House of Lords. In a step hailed by privacy advocates, the House of Lords denied Ash permission to appeal, bringing to an end a case that marks a further step in the development of a right to privacy under English law.

Prior to the writing of the book and the resulting dispute, McKennitt and author Ash had been friends and spent a lot of time together. During this time, Ash, apparently, was gathering information for her book, which ultimately exposed many details of conversations that Ash and McKennitt had shared. McKennitt originally sought an injunction against the publication of the entire book but was unsuccessful. She then narrowed her challenge to particular portions of the book. The passages of Ash’s book that McKennitt had challenged contained details about very personal aspects of her life, including her personal relationships, the death of her fiancé, accounts of her emotional vulnerability and a discussion of a property dispute in which she was involved. McKennitt argued that Ash’s book revealed private details about intimate personal matters that she was entitled to keep private.

Ash, on the other hand, contended that, as she had spent a lot of time with McKennitt, the accounts that she had proposed including in her book were as much about her own experiences as they were about those of McKennitt. She also pointed to the ECHR, emphasizing the right to freedom of expression guaranteed to her by Article 10 of the ECHR.

In ruling in favor of McKennitt, the Court of Appeal maintained that, as the focus of the book was McKennitt and not Ash, the rights of McKennitt must prevail over those of Ash. In denying Ash the right to appeal, the House of Lords appears to have been saying that the Court of Appeal got it right.

Analysts have been watching the case closely, suggesting that it might be a milestone in the development of the right to privacy under English law. The present case was one of a few recent trials that have tested the bounds and limits of a privacy law of this nature under English law. Traditionally, English law has not recognized a cause of action for breach of privacy. As such, in recent years, famous persons seeking to protect their private lives have sought legal redress by effectively extending the existing tort of breach of confidentiality to accommodate the principle of the right to a private life as it exists in Article 8 of the ECHR. In bringing her case, McKennitt also relied upon this Article.

Other public figures have enjoyed similar successes in reliance upon Article 8 of the ECHR. Prince Charles, for instance, recently won a case preventing the publication of notes he sent to friends relating to the handing over of Hong Kong to China. Also, Michael Douglas and his wife Catherine Zeta-Jones are presently involved in another case that, when resolved, should lead to further clarification of the right to privacy.

It will be interesting to observe how the right to privacy develops hereafter. Privacy advocates are contending that the McKennitt case will have strong implications and are cautioning tabloid editors to take note that courts will protect public figures when they have a reasonable expectation of privacy - just as long as there is not a serious public interest in the content at issue being made public. Others have taken a more restrained approach, contending that this is more of a special case because McKennitt has been especially protective of her own privacy rights and the information that was made public was the result of what she thought were private conversations with someone she thought was a friend. Other celebrities who voluntarily place themselves in the public eye may be less able to claim that they had a reasonable expectation of privacy when, for example, a reporter writes about their behavior in public venues.

posted on 04/25/2007 under Privacy Laws No Comments

Jacqueline Klosek, an attorney with Goodwin Procter LLP, is a frequent lecturer and writer on cutting edge legal issues related to technology, intellectual property and privacy.
