Privacy and Security Update - January 2005
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Privacy Statements Not Contracts, say Courts
Two federal District Courts recently ruled that an airline’s online privacy statement does not constitute a contract between the airline and a passenger. In a class action lawsuit against Northwest Airlines, passengers claimed that the airline had breached its online privacy statement by sharing passenger data from its web site with NASA. NASA had conducted a government study on airline security.
A North Dakota federal district court held, “[B]road statements of company policy do not generally give rise to contract claims.” In a similar lawsuit against Northwest Airlines, a Minnesota federal district court also ruled that an online privacy statement does not create a contract. As a result, the passengers could not claim that Northwest had breached a contract with them by allegedly violating its online privacy statement.
Even if not liable for a breach of contract, companies that violate their own privacy statements face potential claims by government agencies like the FTC or similar state agencies for deceptive or misleading practices. They also must answer to federal, state, or
foreign governments for failing to comply with privacy laws.
Final FACT Act Rules on Consumer Data Disposal
The Federal Trade Commission and a group of federal financial regulatory agencies have each issued a final rule on the proper disposal of consumer report information, as required by the Fair and Accurate Transactions Act of 2003.
The rules require financial institutions to augment information security efforts to include policies on proper disposal of consumer information. The rules aim to reduce the potential for identity theft by protecting against unauthorized access to or use of consumer information.
The rules take effect in the summer of 2005. Even financial institutions with strong information security programs must follow the new standards on information disposal.
HIPAA Security Rule Compliance
Health care organizations spent significant time and effort preparing for compliance with the HIPAA Privacy Rule by its April, 2003 effective date. They have until next April to comply with the HIPAA Security Rule. The Security Rule requires health care organizations to protect the integrity, confidentiality, and availability of electronic patient information against security threats, improper use and disclosure, and illegitimate access.
The two regulations overlap, and health care organizations that comply with the Privacy Rule have already taken significant steps toward Security Rule compliance. These organizations have already examined carefully their collection, use, and disclosure of patient information and have prepared and implemented policies governing these processes. The Security Rule wraps these privacy processes in a cloak of safeguards.
In deference to constant changes in software and in security threats, the drafters of the Security Rule wisely authorize a flexible approach to compliance. The Rule allows organizations to consider their size, complexity, and capabilities when determining proper compliance. What is reasonable and appropriate for a physician’s office is not reasonable and appropriate for a large hospital.
If your organization had to comply with the HIPAA Privacy Rule, then you must also comply with the HIPAA Security Rule. Fortunately, you have already done much of the Security Rule legwork by complying with the Privacy Rule, and you already have at least some security safeguards.
Spyware has become big news this year because it has wreaked havoc in infecting millions of computers nationwide. Congress and state legislatures have begun to act in response to this threat, but industry observers worry that an overbroad definition of spyware could harm makers and distributors of accepted, legitimate computer software.
What is it? The new term “spyware” can mean several different things:
- Keystroke logging programs that reveal passwords and credit card numbers as you type them.
- Adware programs that collect information on your Web surfing.
- Hijacking programs that take over your Web browser to direct you to a vendor’s products.
Existing laws on electronic communications and computer fraud are of limited use against spyware. As a result, Congress and the states have taken up the anti-spyware cause.
Utah passed the nation’s first anti-spyware law in March of this year. The law bans the installation on an individual’s computer of any "content based triggering mechanism" to display ads that obscure other Web content. A court blocked enforcement of this ground-breaking Utah law while it resolves a challenge that the law restricts interstate commerce and infringes on free speech.
California recently passed comprehensive anti-spyware legislation designed to prevent computer hijacking and collection of personal information. The law also forbids programs that prevent computer owners from blocking spyware installation or that mislead them about uninstalling or disabling the spyware.
In October, the U.S. House of Representatives passed both the SPY Act and the I SPY Act. Both bills prohibit deceptive spyware programs. The SPY Act imposes notice and consent provisions on software vendors. The I SPY Act imposes criminal penalties. The Senate’s SPYBLOCK Act passed out of committee and would forbid the installation of spyware programs without proper notice and consent. Each of these federal bills would preempt state spyware laws.
Ultimately, Congress did not pass any spyware legislation into law in 2004. The authors of both the SPY Act and the I SPY Act have re-introduced or will re-introduce these bills in the House. The SPYBLOCK Act or similar legislation will likely also be introduced in the Senate.
The extent of potential liability from these new and proposed anti-spyware laws is unclear. Software makers and distributors worry that provisions protecting them from liability for using legitimate applications that provide software or anti-virus updates might not prevent zealous regulators or prosecutors from pursuing makers or operators of legitimate software for alleged spyware violations. In addition, businesses or individuals might face legal liability even if they unwittingly send spyware in an otherwise mundane e-mail attachment.
Before a national consensus develops on which types of software and behavior are illegal, those who develop or transmit software programs can prepare for compliance by taking
into account any new laws, legislation under consideration, and court or regulatory decisions on alleged spyware law violations.
Mr. Hazelton has a Master of Health Administration degree in addition to his law degree.
Please see his recent articles on HIPAA security, spyware, and online privacy at http://www.mt-law.com/publications.aspx.
You may reach him at (614) 846-6571 x22 or firstname.lastname@example.org.
This Privacy and Security Update is intended to provide information about important legal developments, not legal advice. Readers should consult legal counsel for advice about their specific circumstances.