Privacy for Health Information Executives

Lowering the Red Flags
November 3, 2009 1:41 PM by Andrew Serwin

The Red Flags Rule hit two more hurdles recently.

On Oct. 29, 2009, the U.S. District Court for the District of Columbia granted summary judgment to the American Bar Association (ABA) to set aside an extended enforcement policy of the controversial Red Flags Rule in the Fair and Accurate Credit Transactions Act (FACTA) as it would have pertained to working lawyers. (American Bar Association v. Federal Trade Commission, case number 09-cv-1636)

The Red Flags Rule swept within its coverage all "creditors," which the FTC asserted includes lawyers engaged in the practice of law who bill for their services after those services are rendered. The ABA argued that the FTC was incorrect in its interpretation of FACTA and that application of the Red Flags Rule to attorneys based upon their billing practices was unreasonable. Judge Reggie B. Walton of the U.S. District Court for the District of Columbia granted the ABA's motion for summary judgment to set aside the FTC's enforcement policy as it applies to working lawyers. Accordingly, lawyers will not need to meet the Nov. 1, 2009, enforcement deadline.

Additionally, the FTC announced on Oct. 30 that it would delay enforcement of its Red Flags Rule until June 1, 2010, at the request of members of Congress.

Privacy and Social Networking
October 13, 2009 10:39 AM by Andrew Serwin
In Beye v. Horizon Blue Cross Blue Shield of New Jersey, a court addressed an issue that will likely recur -- the impact on a person's privacy of their voluntary disclosure of sensitive information on a social networking site. In this case the court ordered the plaintiffs to produce evidence that was posted on social networking sites, even if it reflected sensitive medical conditions (allegedly eating disorders in this matter), because of the diminished expectation of privacy due to the posting and sharing of the information.

This principle was recently reaffirmed by a court in California in a case involving MySpace. In Moreno v. Hanford Sentinel, Inc., the Court of Appeal affirmed a demurrer to an invasion of privacy claim because the plaintiff in the case had posted the material that served as the basis of the invasion of privacy claim on MySpace (though it was subsequently removed).

Both cases demonstrate that privacy rights, even regarding sensitive medical information, can be impacted by the use of social networking sites.
Two-party Consent Laws
October 6, 2009 4:59 PM by Andrew Serwin
A group recently secretly videotaped interactions with employees of the poverty-rights organization ACORN, and those tapes have been played widely in the media. The ACORN situation illustrates the issue that two-party consent laws can create, irrespective of your views on ACORN or the recent events.

Certain of the tapes were made in Baltimore, and Maryland is a two-party consent state. Maryland law not only covers wire and electronic communications, but it also includes oral communications, defined as "any conversation or words spoken to or by any person in private conversation." (Information Security & Privacy, Section 8:132.) Maryland's wiretap law provides criminal remedies for the violation of the law, and, like other wiretap laws, violation of this law is a felony. (Information Security & Privacy, Sections 8:132, 137.)

The dispute here will be over whether the communications were "private." I have not researched Maryland law on this point, but California's two-party consent law is instructive as to what makes a communication "confidential." Under California law, the test for confidentiality is an objective one. One party's subjective intent is irrelevant to this analysis because a communication is confidential if either party reasonably believes the communication to be "confined to the parties." I am not aware whether Maryland law applies a similar definition, but this will be one of the key issues in this case.

These types of cases illustrate the importance of clearly identifying what are, and are not, permissible uses of employer-owned equipment so that expectations of privacy are clearly understood by employees.

Credit Card Receipt Laws Present Challenges
September 22, 2009 3:49 PM by Andrew Serwin
A number of laws restrict the dissemination of credit card numbers on receipts. California's law has provisions that became effective this year that differ from other laws.

California prohibits any person, firm, partnership, association, corporation or limited liability company that accepts credit or debit cards for the transaction of business from printing more than the last five digits of the credit or debit card account number or the expiration date upon any of the following:

  • any receipt provided to the cardholder;
  • any receipt retained by the person, firm, partnership, association, corporation or limited liability company, which is printed at the time of the purchase, exchange, refund or return, and is signed by the cardholder; or
  • any receipt retained by the person, firm, partnership, association, corporation or limited liability company, which is printed at the time of the purchase, exchange, refund or return, but is not signed by the cardholder, because the cardholder used a personal identification number to complete the transaction.

These requirements apply only to receipts on which the credit or debit card account number is electronically printed; they do not apply to transactions in which the sole means of recording the person's credit or debit card account number is by handwriting or by an imprint or copy of the credit or debit card. They also do not apply to documents used for internal administrative purposes, other than the receipts described above.

Part of this law became effective on Jan. 1, 2009, so reviewing your policies is recommended.
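As an added illustration of the truncation rule described above (this is example code written for this post, not part of the statute or any vendor's software), the following checks printed receipt text for a full card number, for a masked number that still reveals more than five digits, and for an expiration date, and shows how a receipt line would be rewritten to comply. The receipt layout, the regular expressions and the sample receipt are all assumptions of the example.

```python
import re

# California's receipt rule as described above: a printed receipt may show at
# most the last five digits of the card number and must not show the
# expiration date. The constants and receipt layout below are assumptions for
# this example, not text from the statute.
MAX_VISIBLE_DIGITS = 5

# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A masked number that still reveals six or more trailing digits.
_OVERSHOWN_RE = re.compile(r"[*X]{2,}[ -]?\d(?:[ -]?\d){5,}(?!\d)")
# MM/YY or MM/YYYY that is not part of a full MM/DD/YYYY transaction date.
_EXP_RE = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from an order number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Replace all but the last five digits with asterisks."""
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]


def receipt_violations(text: str) -> list:
    """Return one message per line that breaks the truncation rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _PAN_RE.finditer(line):
            # Only Luhn-valid digit runs are treated as card numbers.
            if luhn_valid(re.sub(r"\D", "", m.group())):
                findings.append(f"line {lineno}: full card number printed")
        if _OVERSHOWN_RE.search(line):
            findings.append(f"line {lineno}: more than five digits visible")
        if _EXP_RE.search(line):
            findings.append(f"line {lineno}: expiration date printed")
    return findings


def redact_receipt(text: str) -> str:
    """Rewrite a receipt so that it satisfies the rule."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    text = _PAN_RE.sub(_mask, text)
    return _EXP_RE.sub("XX/XX", text)


# Constructed sample receipt; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECEIPT = """\
FRESH MART #0412          10/06/2009 14:32
ORDER 1234567890123
VISA  4111 1111 1111 1111   EXP 12/11
TOTAL $42.17
"""

if __name__ == "__main__":
    for finding in receipt_violations(SAMPLE_RECEIPT):
        print(finding)
    print(redact_receipt(SAMPLE_RECEIPT))
```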

New Class-action Case Offers New Theories
September 8, 2009 11:31 AM by Andrew Serwin
Hannaford Bros. Co., a grocer, faced a number of class-action lawsuits from its customers as a result of a third party stealing electronic payment data from credit cards and debit cards used by its customers to purchase groceries. The alleged data breach impacted over 4,000,000 of Hannaford's consumers. The lawsuits were consolidated into one multi-district litigation in the U.S. District Court for the District of Maine. The case offers some interesting guidance regarding the current contours of privacy litigation. While the Court dismissed the majority of pending claims against Hannaford, certain claims were allowed to remain pending. While the decision reinforces the general thought that privacy litigation in many cases faces difficult hurdles, the decision allows the door to remain open for certain causes of action related to privacy violations.

The plaintiffs brought a number of claims, including claims for breach of implied warranty, breach of confidential relationship, failure to advise of the breach (independent of the existing statutory requirements), and strict liability. The District Court followed these cases and dismissed the breach of implied warranty, breach of confidential relationship, failure to advise of the breach, and strict liability claims. However, the District Court found that certain claims, including breach of implied contract, negligence, and a claim arising from Maine's unfair trade practices statute could potentially be stated, and these claims were not dismissed by the court. Part of the basis for this ruling by the District Court was its belief that there could be an implied term when a consumer purchases goods that a seller will take reasonable measures to protect information. Of relevance to the District Court were the FTC's data security enforcement actions brought under its "unfairness" authority, which do not require a representation regarding security and instead rely upon the argument that a lack of data security is independently violative of Section 5 of the FTC Act.

However, the District Court then considered the damage issues in the case and followed a line of reasoning that began with Trikas v. Universal Card Services Corp., 351 F. Supp. 2d 37 (E.D. N.Y. 2005), in which the court rejected a plaintiff's claim for violation of the Fair Credit Reporting Act. In Trikas, the plaintiff brought an action based upon the assertion that an account erroneously remained open on his credit report. The plaintiff claimed that he suffered emotional distress because of this, even though it was admitted that no creditor actually saw, or relied upon, the erroneous information. Ultimately, the court dismissed the claim because the plaintiff could not prove damages that were caused by the alleged violation. The court in Forbes v. Wells Fargo Bank, N.A. reached a similar conclusion. In this case, the plaintiffs' personal information was obtained due to a theft of computers that contained unencrypted customer information including names, addresses, Social Security numbers and account numbers. It again was undisputed that plaintiffs had expended time and money to monitor credit, but there was no indication that the information had been accessed or misused. The court rejected the plaintiffs' claim that they had suffered damage due to the time and money they had spent because the plaintiffs could only recover for loss of time in terms of earning capacity or wages. The court therefore rejected both the breach of contract and negligence claim in that case.

In the Hannaford case, the District Court found that the plaintiffs could not state damages based upon consequential losses, such as costs related to identity theft insurance, credit monitoring, overdraft fees, fees related to pre-authorized payment arrangements and loss of accumulated rewards points, and that the plaintiffs also could not rely upon allegations of emotional distress damages. The Court did find that to the extent the plaintiffs faced fraudulent charges that remain on their credit cards, those charges are actual damages regardless of the plaintiffs' ability to recover those charges from their bank.

This case is notable because while it dismisses the case based upon a lack of damages, it is the second recent case that permits an unfair trade practice claim based upon a data breach to survive, and it is the first that explicitly ties into the FTC's cases based upon its unfairness authority in the data-security realm. 

New Data-security Laws
August 12, 2009 11:10 AM by Andrew Serwin
Every company and organization must grapple with data security. In the health field, HIPAA has specific data-security requirements, but general data-security restrictions can also be implicated. Over 30 states have data-security or data-destruction laws. Certain states have pushed the envelope further than others, and data security, perhaps more than any other issue, could place your company on a regulator's radar screen, as well as on that of a plaintiff's class-action lawyer.

A number of states and local governments have enacted similar laws, including: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Jersey, New York, New York City, North Carolina, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. The Massachusetts law has extensive requirements in it, but the compliance date has been pushed off several times. Nevada had a data security law on the books already, but it was recently amended, becomes effective Jan. 1, 2010, and has drawn a significant amount of attention. The amendments to Nevada law require data collectors who accept a payment card in connection with the sale of goods or services to comply with certain standards or to use encryption to protect information that is transmitted electronically or that is moved beyond the control of the data collector. 

The new law requires data collectors who accept a payment card in connection with the sale of goods or services to comply with the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council, no later than the date for compliance set forth in the PCI Data Security Standard or the date adopted by the PCI Security Standards Council.

PCI-covered entities are just the beginning of this law. Under the new law, a data collector who is not covered by PCI may not transfer personal information through an electronic non-voice transmission, other than by facsimile, to a person outside of the data collector's secure system unless the data collector uses encryption to ensure the security of the electronic transmission. Data collectors may also not move any data storage devices beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.

In the health field, HIPAA and state medical privacy laws already mandate data security for PHI, but these general data-security laws can still impact your company or organization because they are likely applicable to the non-PHI that you collect or process.

Red Flags: Keep Holding Your Breath
August 7, 2009 3:17 PM by Andrew Serwin
The Federal Trade Commission recently announced that it has once again extended the compliance deadline for Red Flags, in part based upon efforts by the American Bar Association and the American Medical Association to clarify the definition of "creditor" in a way that would not include lawyers or those in the health field, at least based upon traditional activities that are clearly not the offer of credit.

The compliance date is now Nov. 1, 2009, a year after the original deadline.

For those in the medical field, compliance remains an open question.

Genetic Testing, Part 2
July 15, 2009 11:25 AM by Andrew Serwin
This is the second post in a series on genetic testing laws; the first post covered California's restrictions.

Like California, New York has a number of restrictions on the use of genetic testing, including under its Civil Rights law. Unless it can be clearly shown that a person's unique genetic disorder would prevent the person from performing a particular job, no person who is otherwise qualified may be denied equal opportunities to obtain or maintain employment, or to advance in position in his job, solely because the person has a unique genetic disorder, regardless of whether the employer or prospective employer is the state, any political subdivision thereof, or any other category of employer.

Any person or legal entity, whether public or private, that fails to meet these restrictions is guilty of a violation.

FTC Brings Case in Conjunction with Office of Civil Rights
June 18, 2009 12:44 PM by Andrew Serwin
The FTC has clearly indicated its focus on preventing medical identity theft, and a case involving CVS shows that focus. In a case brought earlier this year, CVS was alleged to have failed to implement reasonable and appropriate security to protect the information CVS gathered, which included name, telephone number, address, date of birth, account information, credit card information, prescription and other related medical information, as well as several other categories of data. The FTC alleged that CVS discarded materials that contained this information in an unsecure way, including in dumpsters.

The matter resolved via consent decree and required CVS to implement a comprehensive data security plan, as well as to not make any misrepresentations regarding security and privacy of information. CVS was also required to engage in standard reporting, third-party review, and document-retention requirements.

It should be noted that this was the first health care case brought by the FTC and the first one brought in conjunction with the Office of Civil Rights in the Department of Health and Human Services. It is another example of the potential pitfalls of not addressing information security.

Restrictions on Genetic Testing in California
May 19, 2009 6:37 PM by Andrew Serwin
A number of states have enacted restrictions on genetic testing that go beyond the federal genetic privacy law, GINA. California has restricted the disclosure of test results for genetic characteristics in a limited way, as the law only applies to requests by insurers for this information. It is illegal for any person to negligently disclose results of a test for a genetic characteristic to any third party, in a manner which identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization, or as provided in the Insurance Code or in California Health and Safety Code §§1603.1 to 1603.03. 

A person who commits this act is subject to a civil penalty of up to $1,000, plus court costs. A person who willfully commits this act is subject to a civil penalty of not less than $1,000 and no more than $5,000, plus court costs. A person whose negligent or willful violation results in economic, bodily or emotional harm to the subject of the test is guilty of a misdemeanor punishable by a prison term of up to 1 year, a fine not to exceed $10,000, or both. Additionally, a person who violates this law is also liable for all actual damages, including economic, bodily or emotional harm that is proximately caused by the violation.

The Issue of Standing in Privacy Litigation
April 8, 2009 12:14 PM by Andrew Serwin
Standing is an issue that is frequently raised in privacy litigation. Standing is a constitutional issue under Article III of the United States Constitution, and the party invoking federal jurisdiction bears the burden of establishing the following three elements:

1) that it has suffered an injury in fact -- an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical;

2) a causal connection between the injury and the conduct complained of -- the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court; and

3) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).

These requirements are "an indispensable part of the plaintiff's case, [and] each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation." Lujan, 504 U.S. at 560.

Prevailing on standing is often an important point since courts may address this issue early in a case and because it cannot be waived and in fact can be raised at any time. As discussed in Section 26:18 of my book, while some courts, including in the Bell v. Acxiom, Inc. matter, have held that a plaintiff's inability to prove damages also means that the plaintiff lacks standing to pursue the claim, other courts have simultaneously found that a plaintiff has standing to pursue a claim, while dismissing the claim on the merits because the plaintiff cannot show the requisite level of damage to state a claim. See Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007).

A recent case from the Northern District of California reached this conclusion, finding that the plaintiff had standing to pursue a claim arising from the alleged loss of a laptop, but then dismissing the claim based upon a lack of damage. Specifically, the court found, "While [the plaintiff] has standing to sue based upon his increased risk of future identity theft, this risk does not rise to the level of appreciable harm necessary to assert a negligence claim under California law." Ruiz v. Gap, Inc., 3:07-cv-05739-SC (N.D.Cal. April 6, 2009).

The Pisciotta and Ruiz cases appear to be inconsistent with the holding of Lujan and other cases, particularly the holding of Lujan that the plaintiff must prove standing "with the manner and degree of evidence required at the successive stages of the litigation." They are also inconsistent with Ninth Circuit decisions finding that Article III standing is a higher burden than that imposed by California law. However, these cases must be addressed if you face privacy litigation.

I am currently briefing the standing issue before the Ninth Circuit and would be happy to provide further comment.

E-mail Case Ruling Allows Punitive Damages and Attorneys’ Fees
March 24, 2009 9:42 PM by Andrew Serwin
Most privacy litigation faces serious challenge due to the lack of actual damages. (A full discussion of that issue can be found in Section 26:18 of my book.) However, claims that involve statutory penalties, such as the Electronic Communications Privacy Act (ECPA), and other similar statutes, have typically been thought not to require actual damages if only statutory damages are sought by a plaintiff.

In a recent case, Van Alstyne v. Electronic Scriptorium, the Fourth Circuit brought that thinking into question in an action brought under the Stored Communications Act (Title II of ECPA, also known as the SCA). In this case, an executive improperly accessed an employee's personal e-mail account both during, and after, her employment. The account in question was the employee's personal AOL account that she accessed, from time to time, on the company's network. The former employee brought employment-related claims (which did not arise out of improper access to e-mails) and discovered that her AOL account had been improperly accessed. Ultimately, the former employee recovered statutory penalties, attorneys' fees and punitive damages under the SCA due to the improper review of her e-mails.

The defendants argued under a Supreme Court case involving the Privacy Act (a privacy law applicable to the government), Doe v. Chao, which is discussed in sections 5:29 and 26:18 of my book, that the former employee was required to show actual damages as a prerequisite to recovering under the SCA. The Fourth Circuit concluded, given the similarity of the remedial provisions of the SCA to those of the Privacy Act, that statutory penalties could not be recovered under the SCA absent a showing of actual damages. However, the Fourth Circuit concluded that punitive damages and attorneys' fees could be recovered in the absence of a showing of actual damages.

The case is important because it offers defendants the ability to argue that statutory penalties are not typically recoverable under ECPA because in most cases improper review of e-mails does not give rise to actual damages. However, not all courts have accepted this analysis, and there are other Privacy Act cases that could complicate this analysis. Either way, punitive damages and attorneys' fees appear to be recoverable. Finally, this case is yet another example of a court finding that a company accessing an employee's personal e-mail account is questionable, even when the account is accessed via company property.

HIT Funding Under ARRA
March 2, 2009 10:01 AM by Andrew Serwin

On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA). I will be focusing on the health care aspects of ARRA in my next several blogs.

ARRA provides additional support for the development and adoption of health care information technology (HIT). The largest allocation of HIT funding -- approximately $17 billion -- is for incentive payments through the Medicare and Medicaid reimbursement systems to encourage providers and hospitals to implement electronic health record (EHR) systems -- specifically for the "meaningful use of certified EHR technology" by eligible professionals and hospitals.

An eligible professional (professionals eligible for the incentive payments are those who participate in Medicare and who are defined under Sec. 1861[r] of the Social Security Act) will receive incentive payments for the first five years (2011 through 2015) for demonstrating a meaningful use of EHR technology and demonstrated performance during the reporting period for each payment year.

In order to maximize payments under ARRA, eligible professionals must adopt a meaningful use of EHR technology in 2011 or 2012, thereby qualifying for five annual payments ending in 2015 or 2016, respectively (an aggregate maximum payment of $44,000). If an eligible professional does not demonstrate a meaningful use of EHR technology by 2015, he or she will not receive incentive payments and his or her reimbursement payments under Medicare will be reduced as specified in the legislation. Thus, there is strong incentive to move quickly on these matters.

Health Care Providers not Exempt from 'Creditor' Rules
February 3, 2009 1:22 PM by Andrew Serwin

Under the Red Flag rules, a "creditor" is "any person or business who arranges for the extension, renewal or continuation of credit" with a "covered account." An "account" means a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A "covered account" is: (1) an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers, or the safety and soundness of the creditor, from identity theft, including financial, operational, compliance, reputation or litigation risks.

Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment that takes into consideration:

  • The methods it provides to open its accounts;
  • The methods it provides to access its accounts; and
  • Its previous experiences with identity theft.

There are a number of other requirements and health care providers are not exempt from these requirements, so an examination of whether the regulations are applicable is important and timely given the pending deadline.

Implementing Interoperability
December 17, 2008 11:26 AM by Andrew Serwin
Health care record interoperability is one of the least recognized health and privacy issues at this time. While this issue had not received significant support before Hurricane Katrina, that disaster made government realize the value of easily accessible medical records for patients in crisis and that patient care will improve if health care professionals are given more access to portions of medical records. Another reason frequently cited in support of interoperability is the cost savings that states and insurers will receive from increased efficiencies. Ironically, the current focus on interoperability will likely bring HIPAA's goals to completion.

In theory, interoperability should be simple, but it will likely be somewhat difficult to implement. Interoperability would permit health care providers to review and place a patient's medical information into an electronic chart for the patient. This is a concept that will rely upon -- but be much broader than -- electronic health records (known as EHRs), because all providers will need to communicate and keep one accurate record for the patient, and the required technology presumably will be based upon an EHR system. Patients will have to be permitted to restrict certain portions of their medical records, but there will be scenarios (emergent health issues) where physicians and other health care professionals will be permitted to access information without patient consent, which could be impossible to obtain.

California has recognized the importance of interoperability and has a goal to achieve 100 percent compliance between payers and providers in less than 10 years. The state has allocated money to assist the implementation of interoperability, with the goal being to have the Secretaries of the Health and Human Services Agency and the Business, Transportation and Housing Agency, the Director of the Department of Managed Care and the State Chief Information Officer work with public and private sector stakeholders to develop a sustainable business model for an e-health network connecting rural health clinics to medical centers throughout the state using telemedicine and other technology.

An eHealth Action Forum was created to develop a comprehensive state policy agenda for health information technology by:

  • defining the goals and values of health information technology for the purposes of state policy and planning;
  • creating an inventory of the various initiatives underway in the state related to health information technology, assessing opportunities for building on those efforts, and replicating those projects that prove the feasibility and business case for health information technology and health information exchange;
  • identifying the appropriate role of state government in the development of health information technology and health information exchange versus those activities more appropriately coordinated through other entities;
  • facilitating statewide adoption of standards and interoperability requirements for e-health to enable the secure exchange of health information across the state and nation;
  • identifying areas where state laws and regulations hinder, rather than facilitate, adoption of health information technology, and recommending strategies to remove such barriers;
  • identifying and developing strategies for the continued protection of confidentiality and privacy of health information in an electronic environment;
  • identifying opportunities and strategies for a public/private partnership approach to create financially viable and sustainable business models for health information technology projects in the state;
  • developing options for advancing the implementation of health information technology through the state's role as a major purchaser, provider and regulator of health care services; and
  • developing with stakeholders performance metrics to measure the success of the implementation of health information technology throughout California.

In large part, these goals are being achieved through the Privacy and Security Advisory Board (PSAB) of the California Office of HIPAA Implementation. While there is a clear mandate from the state to facilitate and encourage interoperability, the implementation steps of this concept are not clear-cut. There are many models that might work; one option that seems to accomplish many of the goals is based upon the consumer reporting model. A select group of entities could manage your health records in one location, giving providers and others the right to input data, as well as view data, depending on the circumstances. One of the advantages of such a system is that it reduces the chances of having multiple, different records in different providers' hands, all with potentially inconsistent data. It also would seem to reduce the time needed to obtain data in truly emergent situations. While there is agreement on the end goal of interoperability, no model has yet been agreed upon, so there is much work for groups like California's PSAB to do in the years to come.
