FTC Calls for National Data Security Standards as Proposed Legislation Stalls

In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.  

There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo. re-introduced that same month.

Continue Reading...

Newly introduced Data Security Act would remove data security standards from state oversight

The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies. 

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies to promulgate rules for the particular industry that agency oversees. 

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction.  However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.

"Do Not Track" and Telematics

Most major U.S. auto insurers have launched or are exploring usage-based insurance (UBI) programs. The most common of these programs, pay-as-you-drive (PAYD), uses actual driving data to determine accurate rates in order for insurers to give customers more control over premiums. 

One issue of concern that has been voiced is that, in addition to collection of mileage data, telematic devices monitor and collect all sorts of other driving information, so-called GPS data, including such things as location, speeds, braking patterns etc. The collection and use of this GPS data raises privacy concerns.

The recently released Federal Trade Commission (FTC) report, “Protecting Consumer Privacy in an Era of Rapid Change” pledges that part of a “best practices” framework for the Internet industry concerning how companies should address consumer privacy includes either an industry-created “easy to use and effective”  “Do Not Track” option by the end of 2012, or “Do Not Track” legislation from Congress in 2013.  “Do Not Track” is the proposed ability by consumers to opt out of tracking procedures.

At this point, it is too early to tell the impact that the renewed call for a “Do Not Track” requirement will have on the telematics industry, but it is worth noting that federal “Do No Track” legislation last year, the Do Not Track Online Act, would have allowed consumers to opt out from having online services collect personal information that can be used for data mining. 

That legislation applied to all online activities, including mobile telephone applications and auto-based telematics options. Important to the telematics industry last year was the fact that that legislation permitted providers to collect data, even for those who have previously opted out, in order to provide a service requested by the individual. So, even if it was enacted, the Do Not Track Online Act did not threaten the telematics industry. It should be noted that there was a similar legislative effort last year in California, Senate Bill 761, which failed to pass.

The operational provisions of the federal Do Not Track Online Act and California’s SB 761 were broadly similar by allowing exceptions to data collection and tracking opt-outs in order to provide an expressly requested service. As such, if those statutes had been enacted, it was not believed that they would have had any significant impact on telematics services. 

However, with the recent renewed calls by the FTC for “Do Not Track” requirements, the telematics and insurance industries need to protect their business models by watching all federal or state pronouncements on this topic to make sure similar exceptions are present.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

 

Guidelines for Health Insurers Requesting Rate Increase Issued by California Insurance Commissioner (SB 1163)

On February 4, 2011, California Insurance Commissioner Dave Jones released draft guidelines for implementing SB 1163 (“Guidance 1163:2”).

SB 1163, signed by former Governor Schwarzenegger on September 30, 2010, responds to the federal Patient Protection and Affordable Care Act (“PPACA”), which requires the United States Secretary of Health and Human Services to establish a process for the annual review of “unreasonable” increases in premiums for health insurance coverage.

Under the federal act, health insurers must submit to the secretary, and the relevant state, a justification for an “unreasonable” premium increase prior to implementation of the increase.

SB 1163, effective January 1, 2011, requires health insurers to file with the California Department of Managed Health Care or the California Department of Insurance detailed rate information regarding proposed premium increases and requires that the rate information be certified by an independent actuary. 

The bill authorizes the departments to review these filings and issue guidance regarding compliance. It also requires the departments to consult with each other regarding specified actions as well as post certain findings on their Internet Web sites.

In his draft guidelines (“Guidance 1163:2”), Commissioner Jones lists several factors that will be used by the Department to determine if a rate is “unreasonable.”

Continue Reading...

Patient Protection and Affordable Care Act of 2009 Now in Effect

By Larry M. Golub and Misty A. Murray

On March 23, 2010, President Obama signed the Patient Protection and Affordable Health Care Act of 2009 (“PPACA”) into law. (After the amendments made March 30, 2010, the law is referred to as The Affordable Care Act.) 

While Republicans in Congress vow to repeal such enactment, key aspects of the PPACA went into effect on September 23, 2010, which marks the six-month anniversary of the legislation. 

Although the following list is not exhaustive, here are some of the more notable changes in the health care reform law (effective September 23, 2010) that will apply to individual and group health plans:

Coverage Changes

No Lifetime or Annual Limits on Essential Benefits:

Health plans may not contain lifetime limits on the amount of benefits that will be provided for essential benefits. No regulations have yet been issued regarding the definition of “essential benefits, which in general include, but are not limited to, ambulatory patient services, emergency services, hospitalization, maternity and newborn care, prescription drugs, laboratory services, preventive and wellness services, and chronic disease management.  As for annual limits, for plan years beginning before January 1, 2014, the Department of Health and Human Services’ (“HHS”) interim regulations adopt a three-year phase-in approach of removing annual limits on essential health benefits. For more information, click here.

Anti-Rescission Rules:

Health plans may not rescind, i.e., retroactively cancel coverage, except in cases of fraud or intentional misrepresentations of material fact. These rules do not apply to prospective cancellations or any cancellation due to failure to timely pay premiums.

Mandatory Preventative Health Care Services:

Health plans must provide benefits without cost sharing (i.e., no co-payments, deductibles or co-insurance) for certain preventative services, including, but not limited to, immunizations recommended by the CDC, as well as preventative care and screening for infants, children and adolescents and for women as recommended by the Health Resources and Services Administration. Grandfathered health plans are exempt. (A grandfathered health plan is a group health plan that was created – or an individual health insurance policy that was purchased – on or before March 23, 2010, and a health plan must disclose in its plan materials whether it considers itself to be a grandfathered plan.) 

Extension of Adult Dependents Coverage:

For health plans that elect to provide dependent coverage, such coverage must be extended to adult children up to age 26.

No Pre-existing Condition Exclusions for Children:

Health plans may not impose any preexisting condition exclusions for children 19 and under. (Grandfathered plans are exempt.).

Patient Protection Changes

Right to Choose Primary Care Provider (“PCP”):

For health plans that require designation of a PCP, the patient must be allowed to designate any participating PCP accepting new patients. For children, any participating physician specializing in pediatrics can be designated as the child’s PCP and, for women, any participating OB-GYN can be designated as a PCP.

Coverage for Emergency Services:

For health plans that provide coverage for emergency services, such plans must do so without requiring prior authorization and regardless of whether the provider of emergency services is a participating provider. Emergency services provided by a non-participating provider must also be provided at the same level of cost-sharing as would apply to a participating provider.

Appeals Process:

Group plans must provide for an internal appeals process that complies with the U.S. Department of Labor regulations and individual plans must provide an internal appeals process that comports with the standards established by the Secretary of Health and Human Services. Both group and individual plans must also provide for an external appeals process that complies with applicable law or at a minimum with the NAIC Uniform External Review Model Act.

Additional health care reform changes will continue to take effect in 2010 and as late as 2018. More information about the PPACA can be found on the National Association of Insurance Commissioners (NAIC) website here.

For additional information on ERISA plans and the PPACA, the U.S. Department of Labor has posted information on its website here.

For additional information on the PPACA and individual policies and nonfederal governmental plans, the HHS has posted information on its websites here and here.

For the Government, Transparency and Accountability Is a One-Way Mirror

The much-touted and recently signed Financial Reform Bill includes a provision that prevents the public from obtaining any documents relating to SEC investigations (past or present, open or closed) pursuant to the Freedom of Information Act

As discussed in an article by Barger & Wolen partner Michael A.S. Newman in the Los Angeles and San Francisco Daily Journals, the law flies in the face of well-established notions in this country that the workings of the government must remain visible to the general public. 

Click here to read the full article (pdf).

Financial Services Reform Bill and the Insurance Industry

On July 15, 2010, the United States. Senate passed the Restoring American Financial Stability Act of 2010. The bill now goes to President Obama for his signature, which is expected in the coming days.

The bill, which is over 1,600 pages, establishes new regulations designed to prevent the repeat of the recent financial crisis and end the prospect of future government bailouts. Oversight is established through the creation of the Financial Stability Oversight Council (“Council”).

Members of the Council consist of the heads of several Federal financial regulatory agencies and departments (including the Treasury Secretary who is to act as the Chairman of the Council) and an independent member having insurance expertise who will be appointed by the President subject to Senate confirmation. 

Article V of the bill covers insurance and creates within the Treasury Department a new Office of National Insurance (“Office”). The Office will monitor the insurance industry, coordinate international insurance issues, and provide a study with recommendations to Congress on ways to modernize insurance regulation.        

Various duties that the Office will oversee include:

  1. Monitoring all aspects of the insurance industry and identifying issues or gaps in the regulation of insurers that could contribute to a systemic crisis in the insurance industry or U.S. financial system.
  2. Identifying entities that could become subject to regulation by the Council.
  3. Coordinating federal efforts on prudent aspects of international insurance matters.
  4. Consulting with state regulators on insurance matters of national and international importance.
  5. Advising the Secretary of Treasury on major domestic and international insurance policy issues.
  6. Providing ability to collect financial information from certain insurers (smaller insurers may be exempt).

Robert W. Hogeboom, Senior Regulatory Attorney with Barger & Wolen, along with several insurance executive members of the Pacific Association of Domestic Insurance Companies (PADIC) were escorted by staff of the National Association of Mutual Insurance Companies (NAMIC) in late June to meet with key legislators from the California House of Representatives and U.S. Senate in Washington D.C. to discuss the legislation and its effect on California insurers. 

Most important to the insurance industry is the fact that within 18 months the Office must conduct a study and issue a report to Congress providing recommendations on how to modernize and improve the system of insurance regulation in the United States.

Continue Reading...

The Federal Insurance Office is on the Way

While not yet approved by the United States Senate, the Federal Insurance Office (FIO) – the first time an entity in the federal government has been created to specifically address the insurance industry – moved that much closer to reality when the House of Representatives on June 30 passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, H.R. 4173.  The bill passed the House by a vote of 237-192.

The Senate is expected to vote on the bill when it returns from its July 4 recess on July 12.

The FIO will be housed under the U.S. Treasury Department, though it will not have any regulatory authority. Among other things, the FIO will gather information regarding the insurance industry, will monitor the industry for systemic risks, and will serve as a negotiator for international insurance treaties. The bill contains a provision that will modernize and streamline the surplus lines and non-admitted markets. As explained by the National Underwriter, the “surplus lines provisions in the bill dictate that in any multi-state placement of surplus lines, the only state whose rules govern access to the products is the state in which the insurance is placed—the ‘principal place of business’ for the insured.”

Just prior to passage in the House, the bill dropped a tax on financial institutions to raise $19 billion to pay for implementation of the bill over five years, a provision strongly opposed by the insurance industry.

Speaking for the National Association of Insurance Commissioners (NAIC), its President and West Virginia Insurance Commissioner Jane L. Cline thanked the congressional negotiators for essentially preserving the role of state insurance regulators in protecting consumers and ensuring the viability of the insurance industry, stating, “We were pleased to see that the Federal Insurance Office (FIO) set up under the bill is narrowly designed to carry out its mission while not unnecessarily undermining strong state regulation.”  NAIC President Cline also stated: 

“The package provides senior investment protection grants for annuity suitability, an area where the NAIC and the states have a solid track record,” and “The bill also provides important clarification in regulatory authority for indexed annuities, ensuring that these guaranteed products are under the clear authority of state insurance regulators.”

While the bill will allow federal regulators to wind down troubled large institutions, the NAIC further stated that the bill made “clear that state insurance regulators will continue to have the ability to ‘wall off’ insurance companies from troubled holding companies, protecting insurance policyholders from other risks in the financial system” and that state regulators “will also retain their role to monitor consumer protections in the insurance sector.”

When the Obama administration first proposed a national insurance office last year, California Insurance Commissioner Steve Poizner stated at the time that such plan “appropriately acknowledges the primary role the states play in regulating the insurance business to benefit consumers. State oversight of insurance companies, coordinated among all state regulators, is the reason that, among all the financial players in this country, it is the insurers who are and remain the most stable and the least in need of federal assistance.”

Putative Class Action Lawsuits May Remain in Federal Court Even After Court Denies Class Certification

In United Steel et al. v. Shell Oil Co., et al., the Ninth Circuit Court of Appeals held that putative class action lawsuits properly removed to federal court under the Class Action Fairness Act of 2005 ("CAFA") [28 USC 1332(d), 1453 ] may remain in federal court even after the court denies class certification.

If the putative class action was properly removed to begin with, the subsequent denial of Rule 23 class certification does not divest the district court of jurisdiction. The case remains removed and is not to be remanded to state court."
In construing CAFA, the Ninth Circuit reasoned that if:
Congress intended that a properly removed class action be remanded if a class is not eventually certified, it could have said so." 
The Ninth Circuit joins the Seventh and Eleventh Circuits on this point.

H.R. 4115 May Encourage Cookie-Cutter Complaints In Federal Court

In an article appearing in today's Los Angeles and San Francisco Daily Journals (pdf), I discuss H.R. 4115, which, if passed, will overturn the Supreme Court's recent rulings in Bell Atlantic Corporation v. Twombly and Ashcroft v. Iqbal. Twombly and Iqbal held that a complaint filed in federal court could be dismissed if it does not contain sufficient factual matter to state a claim for relief that is plausible on its face.  

H.R. 4115 (called "The Open Access To Courts Act of 2009"), by contrast, would prohibit a federal district judge from dismissing a complaint unless it appears

beyond doubt that plaintiff can prove no set of facts in support of their claim which would entitle plaintiff to relief.

A judge would also be prohibited from dismissing a complaint based on the determination that the factual contents of the complaint do not show their claim to be plausible or do not warrant a reasonable inference that the defendant is laible for the misconduct alleged.  

The exact effect of this legislation is unclear, but, if passed, it is certain to invite the argument from plaintiff's lawyers that all they need to do to get a complaint past the pleading stage is to include as few facts as possible. Vagueness may become the order of the day, and it will certainly become more difficult to dismiss a case under Federal Rules of Civil Procedure Rule 12.  

This law may mean that we will soon see complaints in federal court containing fewer and vaguer allegations. For the insurance industry, this may mean rethinking the generally accepted practice of invariably removing state court actions to federal court on diversity grounds. If a motion to dismiss is being contemplated, it may see more success as a state court demurrer. 

Please feel free to contact me directly for more information.

Ninth Circuit Rules Complaint Must Specifically Allege Conduct Amounting To Fraud

In Kearns v. Ford Motor Company, --- F.3d ----, 2009 WL 1578535 (9thCir. June 8, 2009), plaintiff William Kearn sued Ford for alleged violations of California’s Consumers Legal Remedies Act (“CLRA”) and California’s Unfair Competition Law (“UCL”) arising out of Ford’s Certified Pre-Owned (“CPO”) vehicle program. Kearn’s complaint generically alleged that Ford had made false and misleading statements concerning the safety and reliability of its CPO vehicles (without identifying who made the statements, the specific content of the statements, or when and how Kearn was exposed to such statements), and failed to disclose to consumers Ford’s lack of actual oversight in determining whether used vehicles qualify for the CPO program.  Kearn alleged that he was harmed by the foregoing conduct because he had paid a higher price for a CPO vehicle then he would have paid for a non-CPO vehicle, even though there was no difference between the two. While Kearn alleged that Ford’s conduct constitutes an unfair business practice under California law, he did not assert any claims for fraud in the complaint.

In the district court, Ford brought a motion to dismiss Kearn’s complaint for failure to comply with the heightened pleading standards of Federal Rule of Civil Procedure 9(b). The district court granted the motion and Kearn appealed, principally arguing that Rule 9(b) does not apply to California’s consumer protection statutes because California courts have not applied Rule 9(b) to such statutes, and that Rule 9(b) does not apply to his CLRA and UCL claims because they are not grounded in fraud. 

 

In rejecting Kearn’s arguments, the Ninth Circuit held that it is well established that the Federal Rules of Civil Procedure – including Rule 9(b) – apply in federal court, “irrespective of the source of the subject matter jurisdiction, and irrespective of whether the substantive law at issue is state or federal.” The Court further noted that while a federal court examines state law to determine whether the elements of fraud have been sufficiently pled to state a cause of action, the Rule 9(b) requirement that fraud be pled with specificity is a federally imposed rule. The Court also held that, while fraud is not a necessary element of a claim under the CLRA or UCL, if the plaintiff nevertheless alleges a unified course of fraudulent conduct and relies entirely on that course of conduct as the basis of the CLRA or UCL claim, the CLRA or UCL claim is considered to be “grounded in fraud” or sounding in fraud such that the complaint as a whole must satisfy the particularity requirement of Rule 9(b).

     

Get a copy of the opinion here.