Outsourcing Law & Business Journal™ – October 2011
October 21, 2011 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL™ : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C. Editor. www.biercekenerson.com.
Vol. 11, No. 8, October 2011
_________________________________
Webinar Announcement
Join our expert panel on Wednesday, October 26, 2011 at 11AM EST for a Webinar on The Future of Law and the Impact of Outsourcing. This will be a timely global debate on the future of the legal profession and the growth in delivery of legal support services via outsourcing and cloud technology. Cerebra LPO, together with Bierce & Kenerson, P.C. (Full disclosure: Bill Bierce, the Editor-in-Chief, will be on the panel) and PA Consulting and expert panel guests will convene an interactive webinar to discuss the implications of cloud, change and outsourcing in the legal sector. For more information and to register click here.
________________________________
1. Impact of “America Invents” Patent Law on Global Sourcing.
2. Federalizing Data Security Breach Rules.
3. Humor.
4. Conferences.
_________________________________
1. Impact of “America Invents” Patent Law on Global Sourcing. On September 16, 2011, President Barack Obama signed the Leahy-Smith “America Invents Act,” H.R. 1249, 112th Cong., 1st Sess. The first major patent reform since 1952, this law restructures the processes for obtaining and maintaining the validity of U.S. patents. Given the troubles with certain business method patents, particularly those used in software for financial services, the law opens new avenues for challenging business method patents. This brief article will focus on the impact of the changes on domestic and international trade in technology-enabled services. For the complete article, click here.
2. Federalizing Data Security Breach Rules. Virtually all U.S. states have adopted “data security breach notification” laws to alert individuals and local governmental officials of possible identity theft. In California, victims of such breaches can sue for damages. On September 22, 2011, Senator Richard Blumenthal (Democrat, Connecticut) introduced a draft federal law on data protection: Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong., 1st Sess. It would create a new federal crime of intentionally failing to disclose a security breach. It would also coordinate breach reporting with criminal investigations. It would create federal standards that could effectively supersede state laws on security breach notification and repair of an individual’s identity.
The draft law would apply particularly to financial institutions under the Gramm-Leach-Bliley Act and HIPAA-covered entities. Each would need to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” While the draft law identifies certain criteria for the design, risk assessment and risk management and control, the sufficiency of any security program will depend on the facts and therefore invites litigation. For more, click here.
3. Humor.
Prior art, n. (1) in patent law, technical knowledge of others that pre-dates the date of your invention; (2) in copyright law, another master’s masterpieces that pre-dates yours; (3) in trademark law, someone else’s gorgeous logo that has acquired secondary meaning in the marketplace; (4) in warfare, the cunning of a master warrior, studied for fighting the next war under new conditions; (5) in life, what you always knew but were too stupid or shy to claim it as your own original, novel, useful invention or as your own masterpiece. See “invalidate.”
Invalidate, v. (1) to find a convenient technicality; (2) to enact a new law with a new convenient technicality; (3) to liberate yourself from the oppression and economic enslavement of someone else’s prior art. See “prior art.”
Infringe, v. (1) to identify as yours that which an imposter claims is his prior art. See “Prior Art” and “Invalidate.”
Appropriate, adj. (1) the minimal effort that meets the “raised eyebrow” standard of judicial review; (2) the lowest common denominator of least “best” practices; (3) convenient judicial standard for ascertaining criminal neglect of statutory duty.
Safe Harbor, n. (1) a small pond surrounded by raging storms; (2) a temporary refuge; (3) an opportunity for misguiding a stranded sailor into the maelstrom; (4) a legal framework that is unsafe until so adjudicated; (5) legalized “trick or treat.”
4. Conferences.
October 20-21, 2011, ACI presents its 6th Annual Forum on Reducing Legal Costs, Philadelphia, Pennsylvania. ACI’s 6th Annual Forum on Reducing Legal Costs has been uniquely tailored to provide in-house counsel and legal sourcing managers, as well as private practice attorneys and law firm marketing/business development specialists who are serious about working with their clients to reduce legal costs, with the practical guidance, key insights, expert knowledge, and proven strategies that they need in order to successfully implement cost-reduction initiatives both internally and externally. For more information, click here.
November 17, 2011, Global Sourcing Council’s Annual Meeting, South African Consulate, New York, New York. Join this non-profit organization, focused on helping organizations from all sectors, buyers and sellers, achieve their economic goals without sacrificing sustainability, at their annual meeting; network and meet George Monyemangene, South Africa’s Consul General and other professionals with a keen interest in this educational mission. To register, click here.
**********************************************
FEEDBACK: This newsletter addresses legal issues in sourcing IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at wbierce@biercekenerson.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: wbierce@biercekenerson.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2011, Outsourcing Law Global, LLC. All rights reserved. Editor-in-Chief: William Bierce of Bierce & Kenerson, P.C., located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080
Federalizing Data Security Breach Rules
October 20, 2011 by Bierce & Kenerson, P.C.
Virtually all U.S. states have adopted “data security breach notification” laws to alert individuals and local governmental officials of possible identity theft. In California, victims of such breaches can sue for damages. On September 22, 2011, Senator Richard Blumenthal (Democrat, Connecticut) introduced a draft federal law on data protection: Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong., 1st Sess. It would create a new federal crime of intentionally failing to disclose a security breach. It would also coordinate breach reporting with criminal investigations. It would create federal standards that could effectively supersede state laws on security breach notification and repair of an individual’s identity.
The draft law would apply particularly to financial institutions under the Gramm-Leach-Bliley Act and HIPAA-covered entities. Each would need to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” While the draft law identifies certain criteria for the design, risk assessment and risk management and control, the sufficiency of any security program will depend on the facts and therefore invites litigation.
Scope. Senator Blumenthal, a former prosecutor in Connecticut, would criminalize data security breaches by data brokers who sell access to personally identifiable information (“PII”), especially sensitive PII. The draft bill seeks to achieve several goals:
- to protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach,
- providing notice and remedies to consumers in the wake of such a breach,
- holding companies accountable for preventable breaches,
- facilitating the sharing of post-breach technical information between companies, and
- enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.
Preemption of Conflicting State Laws. Under Section 221(a), the draft federal law would supersede any other federal or state law “relating to notification by a business entity engaged in interstate commerce or an agency of a security breach.” Preemption would not apply to state common law (including liability under trespass, contracts or tort law) for damages caused by a failure to notify an individual following a security breach. Nor would this act pre-empt existing federal laws governing GLB-covered financial institutions or HIPAA / HITECH covered entities or business associates for vendors of personal health information.
However, the remedies of individuals to sue for damages, punitive damages and equitable relief under Section 205 “are cumulative” with any other rights and remedies. This appears to conflict with federal preemption under Section 221(a), a challenge for courts interpreting the statutory text.
Definition of a “Security Breach.” Under the proposed law, the term “security breach” would mean the “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data through misrepresentation or actions that result in, or that there is a reasonable basis to conclude has resulted in:
(i) the unauthorized acquisition of sensitive personally identifiable information; or
(ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.
The term would not include:
(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure;
(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements or the release of information obtained from a public record; or
(iii) any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities.
Legal Standards for Outsourcing by Data Brokers. In governmental procurements involving data brokers, the draft law would establish a standard of care for outsourcing contracts. It would impose “monetary or other penalties” (such as debarment) if a government contractor “knows or has reason to know that the sensitive personally identifiable information being provided is inaccurate, and provides such inaccurate information.” Where the government contractor hires an outsourcing service provider, the data broker must follow some vague standards of “appropriateness” and “reasonableness.” It must:
(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information;
(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and
(C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements governing the privacy and security of sensitive personally identifiable information.
By using such vague standards, the draft law would invite litigation to identify what meets these standards.
Security Auditing Standards. The proposed law would mandate that federal procurement officers purchasing PII from data brokers should conduct a “privacy impact assessment” and adoptsecurity audit regulations. Of interest, the scope of such regulations would be very broad, an indication of the minimum prudent levels of security auditing in today’s commercial marketplace. For procurements exceeding $500,000, the General Services Administration would need to review the contracts for assessment of the data security program. Such review would apply to all “contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating sensitive personally identifiable information.” [Section 301.]
For such procurements, each federal agency would need to adopt regulations that specify—
(A) the personnel permitted to access, analyze, or otherwise use such databases;
(B) standards governing the access, analysis, or use of such databases;
(C) any standards used to ensure that the sensitive personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency;
(D) standards limiting the retention and redisclosure of sensitive personally identifiable information obtained from such databases;
(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;
(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;
(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;
(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and
(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.
[Section 303, amending Section 208 of the E-Government Act of 2002, 44 USC 3501 Note.]
“Safe Harbor” from GSA Debarment. The draft law would implement a process for GSA evaluation of security standards. As a “safe harbor,” the data privacy and security program of a data broker would be deemed sufficient if the data broker were to comply with or provide protection equal to “industry standards,” as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such data broker.
Enforcement. The draft law would allow enforcement by State attorneys general, acting for their citizens, and individual victims. The U.S. Attorney General could also enforce. Liability would be capped at $500 per day per individual victim, up to $20 million per incident. Punitive damages would be available for “intentional and willful violation” and for simple failure to adopt a compliant personal data privacy and security program.
Impact on Outsourcing. Companies and their IT outsourcing providers have suffered major security breaches in the past. The draft law lacks clear guidance on what is “adequate” or “sufficient” or “reasonable,” except for a safe harbor that refers to industry standards as blessed by the FTC. The FTC would thereby become a de facto federal data protection authority (“DPA”).
There are benefits in having a uniform law on data protection and security breach. However, this draft does little to add certainty. By adopting a “safe harbor” based on a regulator’s interpretation of “best practices,” the draft law risks depriving prudent data brokers and their outsourced service providers of legitimate defenses to avoid contract penalties in government contracts and in claims by individual victims of identity theft.
Finally, the enforcement structure effectively exposes data brokers and their outsourcing service providers to statutory and punitive damages, and invalidates any contrary arbitration agreement. The law would add significantly to the costs of breaches and will undoubtedly benefit the litigating legal profession.
For related topics: