Are You Watching the Right Risks?
When Scott McNealy, chairman and chief executive of Sun Microsystems, was quoted as saying "You already have zero privacy — get over it,” little did he realize that regulators, legislators and plaintiffs' lawyers around the country would be moving to change that result. In this issue of The Executive Summary, we catalogue some of the recent developments in privacy law.
The Federal Trade Commission
In urging industry compliance, the FTC has formulated a series of "Fair Information Practices” that it has been encouraging companies to follow. These practices are:
- Notice/Awareness. Consumers should have notice of a company's online information practices to permit them to make informed privacy decisions.
- Choice/Consent. Consumers should have a choice about the use and dissemination of information they reveal (typically an "opt-in” or "opt-out” approach).
- Access/Participation. Consumers should have access to the information businesses collect about them online.
- Integrity/Security. Consumers should have the personal information collected about them adequately secured from outside parties and from corruption of the data.
- Enforcement/Redress. Consumers should have a way to ensure that businesses comply with the preceding four core privacy principles.
Despite some progress under this self-regulatory approach, however, the FTC recently has shifted towards favoring legislative requirements, indicating that it does not view the "self-regulation” approach as working. Early this summer, the FTC departed dramatically from its earlier stance by asking Congress for new authority to regulate the information practices of Internet web sites. The FTC initiative (issued by a 3-2 vote) focused on the agency's survey of leading web sites, which indicated only limited compliance with the Fair Information Practices.
While the FTC's focus has been on the Internet, it is clear that these principles apply to the "off-line” business world as well as the online world. And regulators, law enforcement agencies and plaintiffs' lawyers are looking at the standards set by these Fair Information Practices, even if they are not enacted into law as formal requirements.
For example, in recent weeks, the Michigan Attorney General launched a series of attacks against Internet companies for a failure to abide by certain privacy principles. While the lawsuits have been temporarily postponed, the AG's actions were made under the Michigan Consumer Protection statute, essentially arguing that companies were (1) gathering and selling private information about visitors to their site, through the use of "cookies” placed on a consumer's computer, and (2) failing to disclose their privacy policies. According to one published report, privacy was the "new cause celebre” at the recent meeting of the National Association of Attorneys General, and that privacy issues "dominated the agenda” for the meeting.
Beyond the broad-based Internet industry, where the FTC standards apply to any business that operates a web site, there are other industries where privacy provisions are mandatory and more onerous. The health care industry faces the most burdensome requirements — but these requirements likely will regulate not only health care providers and health insurers but also employers that offer health care benefits to their employees.
The proposed HHS regulations apply to electronic medical records, meaning personally identifiable health-related information, which is covered in any form once it is transmitted or stored electronically. The statute governs only health plans, health care providers and health care clearinghouses. Despite other interpretations of this term in other federal statutes or regulations, the term "health plans” in these regulations is limited to health insurers.
The proposed regulations have substantial implications for a very broad range of interests, including any health care provider. They also will establish principles and trade customs on a wide range of other businesses that are considered "business partners” of health plans or health insurers. Lastly, unless changed in the final rules, the regulations will apply to employer health plans, meaning that employers who provide health care benefits will have significant compliance obligations.
The primary impact on covered entities from these regulations will be compliance obligations, which are so significant that they will affect virtually all operations of a health plan or health care provider.
For example, health plans and providers are required to:
- Develop a notice of information practices for distribution to customers;
- Develop procedures for tracking disclosures on a customer-by-customer basis;
- Designate a company privacy official;
- Train employees on privacy requirements;
- Develop safeguards for the protection of information;
- Develop information sharing policies and procedures; and
- Draft contracts for arrangements with business partners to share protected information.
Financial services industries are the other major recipients of heightened privacy attention, stemming from the privacy provisions of the Gramm-Leach-Bliley Act. These rules apply to the banking, securities and insurance industries. In addition, the rules govern a wide variety of "related” financial services business, including
— retailers who issue their own credit cards;
— real estate and personal property appraisers;
— tax preparers;
— automobile dealerships who lease automobiles;
— developers of financial software;
— career counselors providing advice for employees in the financial services industry; and — businesses that print and sell checks for consumers.
In order to comply fully with the regulations, covered companies should have completed all of the following steps, with a fully operational compliance system, by July 1, 2001: an audit of information practices; preparation and distribution to all customers of a notice of information practices and privacy policies; a "reasonable” amount of time (at least several weeks) for customers to "opt-out” of certain information disclosures; a tracking system to collect "opt-outs”; and a disclosure system that recognizes all such opt-outs. A financial institution that fails to meet this deadline (including distribution of information without giving customers sufficient time to opt-out) risks enforcement activities and potentially litigation from the plaintiff's bar.
Privacy issues will remain, for the foreseeable future, a focus of significant attention for legislators, regulators, plaintiffs' lawyers and the public. For professional liability insurers, these issues may emerge both directly, when statutes like the Gramm-Leach-Bliley Act impose obligations on all insurers, and in terms of monitoring future liability risks for insureds.