Privacy, Data Protection and Outsourcing in the United States

Outsourcing service providers and their enterprise customers have a joint duty to ensure that their business relationship does not violate applicable laws and regulations on privacy and data protection. Consumer fraud, identity theft, brand damage, remediation costs and damages hang in the balance.

The United States has a web of rules guaranteeing the privacy rights of individuals, juridical entities and governmental operations. This outline highlights basic rules, which are constantly under judicial, legislative and regulatory review.

The American legal framework for privacy and data protection differs significantly from the laws of other countries. Unlike the national legislation implementing the European Union Data Protection Directive, U.S. law has no single basic rule on privacy, data protection, rights of access, opt-in requirements, restrictions on custody or on uses beyond those originally contemplated, or restrictions on onward transfer (even where the onward transfer is subject to a legally binding confidentiality duty). U.S. law is instead built on general principles that vary with the type of data and with the commercial or financial context in which the data is used, rather than on an absolute right of the individual over all data.

Data Security. The Federal Trade Commission recommends that businesses have a sound data security plan based on five key principles:

  • Take stock. Know what personal information you have in your files and on your computers.
  • Scale down. Keep only what you need for your business.
  • Lock it. Protect the information in your care.
  • Pitch it. Properly dispose of what you no longer need.
  • Plan ahead. Create a plan to respond to security incidents.

In every outsourcing relationship where sensitive personal information is handled, such principles provide a simple checklist for vendor selection, contractual obligations and periodic audit.

Unfair or Deceptive Commercial Practices relating to Private Information. A website privacy policy typically describes how consumers’ personal information is collected, used, shared, and secured. Federal law does not require the adoption of privacy policies on websites. However, companies generally adopt such policies as part of their marketing and customer relationship management (“CRM”).

Privacy policies attract the attention of the Federal Trade Commission (“FTC”), which interprets and enforces the general statutory prohibition on the use of unfair or deceptive practices in interstate or international commerce. FTC Act, Section 5. The FTC has adopted a privacy enforcement program targeted to ensure that companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. The FTC has issued injunctions and financial penalties against mortgage lenders, retailers, database companies, Internet research companies and educational ventures to stop:

  • Failures to safeguard personal information;
  • Misrepresentation of security procedures to protect consumers’ personal information at any stage, such as during gathering, storage, transmission or disposal;
  • Misrepresentation of the actual uses of personal data;
  • Falsely stating in a privacy policy (ostensibly to comply with the Children’s Online Privacy Protection Act, discussed below) that the company would not seek to collect personal information from children without obtaining prior parental consent, and falsely stating that it would delete any children’s personal information about which it became aware.

Disregard for privacy and data protection requirements can be costly and impair the value of a well-respected business brand. For example, in 2009 the pharmacy and drugstore chain CVS Caremark settled Federal Trade Commission charges that it failed to take reasonable security measures to protect the sensitive financial and medical information of its customers and employees. The charges were based on media reports that CVS pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including social security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers. In addition to paying fines of $2.25 million, CVS agreed to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years.

In addition, the attorneys general of individual states have similar authority under local law against unfair competition and unfair or deceptive practices.

Personally Identifiable Information. The definition of “personally identifiable information” (“PII”) varies according to the particular statute or regulation. Generally, PII includes any one of a number of data points: name, Social Security number, telephone number, residence address, medical records, voting records.

Notification Requirements in case of Security Breach.

Federal Law. Under Federal Trade Commission regulations issued under section 13407 of the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, vendors of personal health records and their third party service providers (outsourcers) must make certain notifications in case of a security breach.

State Laws. Starting with California, nearly all U.S. states have adopted security breach notification laws that mandate disclosure to local governmental authorities and affected individuals, and in many cases to the media, of security breaches to PII stored by or for a business. Only California provides a separate cause of action by the affected individuals for damages.

Breach Notification and Remediation: A Separate Service Industry. There have been so many security breaches that a separate mini-industry has arisen to serve those businesses and governmental units that suffer security breaches. The costs of remediation of security breaches are significant, involving typically re-issuance of credit cards, payment for credit identification verification and impairment services for a year with three national credit rating agencies and other customer satisfaction efforts. The data processing for PII in any consumer or business transaction thus entails the risk of significant financial liability for remediation of any security breach. In the outsourcing Master Services Agreements, enterprises and their outsourcing providers typically negotiate the costs and responsibilities involved in such remediation.

Personal Information of Children under Age 13. The Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s implementing Rule prohibit unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children under 13 on the Internet. Enforcement can cost a lot of money and embarrassment. The law requires operators to notify parents and obtain their consent before collecting, using, or disclosing children’s personal information. In 2008, Sony BMG Music Entertainment paid a $1.0 million penalty for violating this rule on its music fan websites.

Governmental Databases of Personal Information. The federal Privacy Act of 1974, 5 U.S.C. 552a, requires federal agencies to maintain the confidentiality of the “records” of personal information that they maintain, subject to use for legislative, judicial, law enforcement or other stipulated purposes. A protected “record” means “any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” 5 U.S.C. 552a(a)(4). Like the EU DP Directive, federal law entitles the individual to gain access to, review, copy and amend his or her records, but only for such governmental records, and records prepared in contemplation of litigation or criminal proceedings are exempt from disclosure.

Personal Health Information. The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”, Public Law 104-191) mandates data security rules and privacy rules for “personal health information.” Under regulations of the U.S. Department of Health and Human Services (“HHS”), the “HIPAA Privacy Rule” establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule, enforced by the HHS Office for Civil Rights (“OCR”), requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The HIPAA Privacy Rule applies to “covered entities,” namely a health care provider that conducts certain transactions in electronic form (a “covered health care provider”), a health care clearinghouse or a health plan.

Civil Penalties for Wrongful Disclosure. Wrongful disclosure of protected health information (“PHI”) could result in civil monetary penalties, under section 1176 of the Social Security Act, for a covered entity’s failure to comply with certain requirements and standards.

Notification Requirements in case of Security Breach. HIPAA “covered entities” and their “business associates” must provide notification following a breach of unsecured protected health information under regulations issued under Section 13402 of the 2009 HITECH Act. Breach notification is a public process that generates negative publicity about the covered entity, its business associates and any service providers affected by the security breach. The notices must go to the Secretary of Health and Human Services, the affected individuals and the covered entity. If the covered entity lacks up-to-date contact information for more than 10 affected individuals, it must provide substitute individual notice either by posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. For a breach affecting more than 500 residents of a State or jurisdiction, the covered entity must provide notice to prominent media outlets serving the State or jurisdiction. For breaches affecting fewer than 500 residents of a State or jurisdiction, an annual report to HHS is enough; for larger breaches, the report must be submitted as soon as possible and not later than 60 days.

Security Safeguards. HIPAA requires “covered entities” to adopt security safeguards that are administrative, physical and technological.

  • “Administrative safeguards” are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
  • “Physical safeguards” are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
  • “Technical safeguards” means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Covered entities must also report “security incidents”, namely, the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

In policy guidance, the Centers for Medicare and Medicaid Services has recommended that covered entities not allow electronic PHI (“EPHI”) offsite on portable devices or via remote access devices. The covered entity must make a risk assessment of the impact of remote access, storage and transmission of EPHI. Transmission risks to the integrity and security of EPHI arise whenever work is outsourced to any service provider. Covered entities must maintain security policies and impose predictable sanctions on individuals who violate them. Training is also mandatory.

Discretionary Decisions on Disclosure. Those who administer PHI policies for covered entities must exercise some discretion about whether to disclose PHI to a person who might otherwise be a “personal representative” (such as parent, guardian or other person authorized by law). Administrators must use discretion in situations of potential abuse, neglect or endangerment of the patient. 45 CFR 164.502(g)(5).

Disclosures are also permitted for “whistleblowers” employed by a covered entity or one of its “business associates” who believe in good faith that such disclosure is necessary to protect victims from misdeeds by the covered entity, such as workplace violence, unlawful conduct or actions that violate professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endanger one or more patients, workers, or the public; the disclosure must be made to a health oversight agency or public health authority, or to an attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member. 45 CFR 164.502(j).

Patient Access to PHI Records. An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set. This right of access does not apply to psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or information concerning clinical studies exempt under the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, and, under certain circumstances, PHI maintained by a criminal correctional facility. 45 CFR 164.524(a). An individual’s access may also be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. Licensed health care providers can also deny disclosure where, in the exercise of professional judgment, the provider has determined that providing access to a personal representative is reasonably likely to cause substantial harm to the individual or another person. The individual may appeal a denial of access under administrative procedures.

Banking and Financial Information. “Financial institutions” are required by the Financial Modernization Act of 1999 (the “Gramm-Leach-Bliley Act” or GLB Act) to protect consumers’ personal financial information. These protections apply not only to banks, securities firms, and insurance companies, but also to non-traditional financial companies providing many other types of financial products and services to consumers.

The GLB Act applies to financial services such as lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and several other financial-support activities. Such non-traditional service providers fall in the categories of non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services and debt collectors.

Enforcement authority is split across many agencies. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities.

Financial Privacy Rule. The GLB Act requires that financial institutions protect information collected about individuals. It does not apply to information collected in business or commercial activities.

Privacy Notices. The Financial Privacy Rule requires the financial institution to provide, by mail or in-person delivery, annual privacy notices to customers who have an ongoing relationship (and are not merely spot-transaction consumers). Online financial institutions may provide notices online. The privacy notice must be a clear, conspicuous, and accurate statement of the company’s privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information. The notice applies to the “nonpublic personal information” that the company gathers and discloses about its consumers and customers. This covers virtually any nonpublic personal information that the customer might provide on any form, as well as information about the individual obtained from another source, such as a credit bureau.

“Opt-Out” Rights. Consumers and customers have the right to opt out of, and refuse, having their information shared with certain third parties. The privacy notice must explain how – and offer a reasonable way – they can do that. The privacy notice also must explain that consumers have a right to say no to the sharing of certain information – credit report or application information – with the financial institution’s affiliates. An affiliate is an entity that controls another company, is controlled by the company, or is under common control with the company. Consumers have this right under a different law, the Fair Credit Reporting Act. The GLB Act does not give consumers the right to opt out when:

  • the financial institution shares other information with its affiliates;
  • a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
  • the disclosure is legally required; or
  • a financial institution shares customer data with outside service providers that market the financial company’s products or services.

Impact of Privacy Notices on the Outsourcing Service Provider’s Right to Use Non-Public Personal Data. The GLB Act imposes on outsourcers the same limitations on use and onward disclosure of non-public personal data that apply to the outsourcer’s enterprise customer. Take the case of a lender that discloses customer information to a service provider responsible for mailing account statements (where the consumer has no right to opt out): the service provider may use the information only for mailing account statements. It may not sell the information to other organizations or use it for marketing. In the same case, if the privacy notice gave the consumer a right to opt out of disclosures to a third party, the outsourcer could have the same rights to use and disclose the data as the financial institution, as set forth in the privacy notice. Thus, the privacy notice can be designed in different ways that affect the scope of the service provider’s privacy obligations.

Security Safeguards Rule. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions “such as credit reporting agencies” that receive customer information from other financial institutions.

Pretexting Rule. “Pretexting” is the practice of obtaining customer information from financial institutions under false pretenses. The FTC has brought several cases against information brokers who engage in pretexting.

Business Information. In addition to confidentiality provisions in contracts and trade secret principles of common law, the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. 1030, imposes criminal penalties and imprisonment for between 10 and 25 years for unauthorized access to “protected computers.” Under this statute, a crime is committed where a person “intentionally accesses a computer without authorization or exceeds authorized access” and thereby obtains certain categories of information. The protected categories of information include “financial records” of a “financial institution” or a “card issuer” or “information in a file of a consumer reporting agency on a consumer,” information from any department or agency of the United States, or “information from any protected computer if the conduct involved an interstate or foreign communication.”

A separate crime occurs if the individual “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and, by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” The CFAA also criminalizes acts of extortion by means of transmitting “in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer.”

In the context of outsourcing, virtually any computer can be a “protected computer” under the CFAA. A “protected computer” can be in one of three categories: (i) a computer “exclusively for the use of a financial institution or the United States Government”; (ii) “in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government”; or (iii) a computer “used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S.C. 1030(e)(2).


International Agreements on Protection of Privacy of Foreign Personal Information. The Federal Trade Commission has entered into a “Safe Harbor” framework with the European Union to enable American companies voluntarily to adopt the European Union’s Data Protection Directive and voluntarily submit to U.S. enforcement action in case of violation of their voluntary privacy commitments. This program requires the U.S. company to certify annually to the U.S. Department of Commerce that it complies with a defined set of privacy principles. Such principles are set forth in the EU Data Protection Directive. Under the US-EU Safe Harbor Framework of 2005, the United States received an “adequacy” determination from the European Commission, limited to those U.S. organizations that self-certified to Safe Harbor, which allows data transfers to take place without prior approval.

The FTC has enforced the Safe Harbor program to provide assurance to European Union consumers. In October 2009, the FTC entered settlement agreements with six U.S. businesses on FTC charges that they deceived consumers by falsely claiming they were abiding by the Safe Harbor agreement. The six U.S. businesses had allowed their self-certifications to lapse. For remediation, the settlement agreements contemplated that the companies would be prohibited in the future from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.

Hot Topics.

Legislative Initiatives. Privacy violations have been so extensive that legislators in Congress and the states have begun to propose criminal liability for acts such as the misuse of Social Security numbers. Pending legislation can be expected to introduce new penalties for privacy violations.

Amending the Safe Harbor Framework. Annually, the U.S. government meets with the European Commission to examine the progress that the Safe Harbor Framework has made. The 2009 annual conference was scheduled for November 2009 to review the changes made to the process for approving binding corporate rules, look at new paradigms for privacy compliance, cross border data sharing during pandemics, privacy by design, strategic information management for the enterprise, social network service providers and behavioral advertising in cloud computing, global privacy standards and electronic discovery in civil litigation.

For related topics:

Federalizing Data Security Breach Rules

Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO

Updated as of January 21, 2010.