Taking Precautions Against Medical Identity Theft

We recently reported that the number of cyber events involving the healthcare industry is expected to rise in 2014.

The reliance on electronic medical records and the use of insurance exchanges increase efficiency but also heighten the risk of medical identity theft. 

In October 2013, the California Department of Justice published recommendations for preventing and managing medical identity theft. See Medical Identity Theft: Recommendations for the Age of Electronic Medical Records

For insurance companies, the recommendations include:

  • Make Explanation of Benefits statements patient friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft by email or text or other agreed upon timely method whenever a claim is submitted to their account.
  • Used automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

In an earlier publication, the Department of Justice provided guidance for all companies that handle personal or private data. See Data Breach Report 2012

The key recommendations include:

  • Encrypt personal information sent by email, mailed in thumb drives or tapes, or stored in laptop or desktop computers. 
  • The Attorney General’s Office would make it an “enforcement priority” to investigate breaches involving unencrypted personal information and recommended that other agencies and regulators do the same.
  • Tighten security controls protecting personal information, including training of employees and contractors.
  • Improve the readability of breach notices.
  • Offer mitigation products or provide victims information on how to protect themselves against identity theft after a breach.

The Department of Justice’s recommendations are not detailed. Nonetheless, they may inform what constitute “best practices” in the healthcare insurance industry with respect to preventing medical identity theft. At the very least, the publications provide guidance about what precautions regulators consider most important.

Click here to read more about the California Department of Justice’s recommendations concerning privacy enforcement and protection.


Evolving Expectations of Privacy: Klayman v. Obama

In a 68-page opinion, Federal District Judge Richard J. Leon of the District of Columbia ruled yesterday in Klayman v. Obama that the NSA's systematic collection of telephone metadata of millions of citizens violates the Fourth Amendment's prohibition on unreasonable searches.  

The opinion highlights an important issue that will have implications beyond the constitutional dispute in that case -- how expectations of privacy are evolving in light of changing technologies and the rapidly expanding use of the internet and mobile phones.    

Judge Leon's ruling concerns the government's collection of "metadata" about telephone calls, such as information about what numbers were called, when calls were made, and how long they lasted.  The government maintains that, under the program at issue, the NSA were not storing information about the content of calls or the participants' names, addresses or financial information.   

Relying on the United States Supreme Court opinion in Smith v. Maryland, government lawyers argued that individuals have no expectation of privacy, let alone a reasonable one, with respect to telephone service provider metadata.  Smith involved an investigation into threatening and obscene phone calls that a robbery victim had received.  Without obtaining a warrant or court order, the police installed a "pen register" to record numbers dialed from a telephone at Smith's home.

The Supreme Court ruled that Smith had no reasonable expectation of privacy in the numbers dialed, since he voluntarily submitted this information to the phone company and reasonably should have known that the company maintained this information as business records.  

Leon did not find the government's precedent compelling.  As the judge phrased the issue,

When do present-day circumstances -- the evolutions in the Government's surveillance capabilities, citizen's phone habits, and the relationship between the NSA and telecom companies -- become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith simply does not apply?"  

For Leon, that time had come. He found Smith distinguishable; the case involved the collection of limited telephone data for a few weeks. Klayman on the other hand concerns the creation and maintenance of a historical database containing information about calls made by everyone in the country.    

The government's ability to store, collect, and analyze phone data not only is much greater now than in 1979, but the amount and type of available metadata are much greater as well. As the judge noted,

[data that] once would have revealed a few scattered lines of information about a person now reveal an entire mosaic -- a vibrant and constantly updating picture of the person's life." 

Some would argue that changes in technology and the ubiquitous storing and analysis of metadata by companies and the government would lower individual expectations of privacy.  Taking the opposite view, Judge Leon assumed that these trends have resulted in greater expectations of privacy.

This decision will not be the last word on the subject.  Other courts have reached the opposite conclusion, and the government certainly will appeal the ruling. Regardless of the ultimate outcome, Judge Leon makes an obvious point -- courts cannot analyze present-day expectations of privacy by reference to technology and cultural norms that existed over three decades ago.  


Auto Manufacturer and Insurer See In-Car Connectivity Systems as Win-Win in the Fight for Market Share - How Far Will Regulators Let Them Go?

In surely a sign of things to come, Ford Motor Company and State Farm announced on May 30, 2012, that they have partnered to offer auto insurance savings. The program allows State Farm customers with select Ford vehicles that have the SYNC in-car connectivity system to reduce their auto insurance premiums.

Specifically, by using the SYNC system, Ford owners will be able to provide verified mileage information to State Farm necessary to qualify for State Farm’s Pay-As-You Drive (PAYD) program, which may allow savings of up to 40%.

The SYNC system allows owners to request a Vehicle Health Report directly from the vehicles engine’s computers, which will provide odometer readings and other diagnostic reports about the vehicle’s performance and maintenance needs. The Vehicle Health Report is a no-subscription feature that is free for vehicle owners for the life of the vehicle. Therefore, Ford owners whose vehicles are equipped with the SYNC-system may qualify for auto discounts for years, and without having to pay a monthly subscription.

In the highly competitive automotive and auto insurance markets, partnerships such as this program present a win-win situation. In the fight for market share, the auto manufacturer can differentiate the competition by offering technologies that could allow insurance savings while insurers get a chance to secure new policyholders with a built-in retention mechanism. 

Since PAYD programs now exist in many states and are offered by many insurers, we expect to see more partnerships like this from others auto manufacturers and insurers. We also expect to see auto manufacturers and other technology providers such as cell phone manufacturers and telematics providers forge similar partnerships in other areas to offer consumers savings on all types of products and services.

The issue is how far will state insurance regulators allow these types of programs to go in the name of protecting privacy?

While it is relatively safe to assume that most states allow or will allow technology (whether embedded or after-market) to purely report or verify mileage information to insurers for the purpose of calculating premium as California does, what about other, and more arguably meaningful, types of information such as location information, sometimes referred to as GPS information, or information on braking or accelerating patterns.

Information other than mileage may be a better indicator of risk. For example, frequent braking can lead to more rear-end accidents. Insurers also predict that these systems encourage safer driving or reduced driving, which could lead to fewer crashes and insurance claims.

There are excellent arguments as to why more information collection is better and allows better products and services for consumers. However, regulators, in order to stem abuse, may feel compelled to prohibit insurance companies from collecting any information other than mileage driven, or from selling to or sharing such information with other companies (so that other product and services can be offered to the consumer), and/or to require insurance companies to allow audits of the information so collected.

Only time will tell how far the regulators will let these programs go, and in the end consumers may be deprived of meaningful products and services.

For more information or any questions, please contact Tim Moroney at 415-743-3713 or by email.

California Legislation Aims to Protect Personal Social Media Account Access by Employers

In effort to protect employees and prospective employees, the California Legislature is taking steps to prevent an employer’s ability to gain access to their employees’ or prospective employees’ social media accounts.

On May 2, 2012, the California Assembly Committee on Labor and Employment unanimously approved Assembly Bill 1844 a bill which will prohibit an employer from requiring an employee or prospective employee to disclose user names and passwords to personal social media accounts. AB 1844 is a direct result of national stories and statements by Facebook that employers have been asking for such information more frequently to monitor employees’ activities or to screen prospective employees.

AB 1844 is expected to sail through the Legislature with little opposition, though the Governor has not indicated his position on the bill. At least eight other states are currently considering similar legislation.

Related legislation has also been introduced – Senate Bill 1349 – The Social Media Privacy Act. SB 1349 would prohibit a postsecondary educational institution and employer, whether public or private, from requiring, or formally requesting in writing, a student or an employee, or a prospective student or employee, to disclose the user name and account password for a personal social media account.  

While SB 1349 currently would allow postsecondary educational institutions and employers to request access to a personal social media account to aid in a formal investigation conducted by the institution or employer regarding specific allegations of harassment, discrimination, intimidation, or potential violence, the bill would prohibit the post secondary institution and employer from discharging, disciplining, threatening to discharge or discipline, or otherwise in any way penalizing a student or employee for refusing to disclose the requested information related to their personal social media account. SB 1349 is making its way through the Senate.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

Big Brother - Are Americans Ready for the Growth of Usage (Telematics) Based Insurance?

Fox News.com (“Fox”) reported on April 24, 2012, Are drivers ready for Big Brother car insurance plans? that a new study points to the fact that good drivers seem poised to give up privacy rights in order to achieve savings in their auto insurance premiums through usage based insurance programs such as pay-as-you-drive (PAYD) models.

Specifically, the Fox article noted that a UK-based insurance aggregator, GoCompare.com, conducted a survey that found 92 percent of drivers surveyed believe that insurance premium should be based on how they drive and that 97 percent indicated that good drivers should get better insurance rates.

While PAYD programs now exist in many states from many carriers, as reported by Fox, Americans once thought to be protective of their privacy may now be willing to give up some privacy in order to obtain rewards such as cheaper insurance premiums. 

While no reasons or support were provided in the Fox article to suggest that Americans are in fact willing to give up some privacy, any loosening of views in this area may result from the fact that consumers in today’s Google or Facebook America may not have the same expectations of privacy when it comes to giving private companies (as opposed to government actors) access to their private information, including driving data.

Insurance regulators across the country are surely going to adopt rules on how and what types of information may be collected – California has already done so (Title 10 California Code of Regulations section 2632.5) – in connection with such programs. We will keep you posted on any state developments in this regard.


"Do Not Track" and Telematics

Most major U.S. auto insurers have launched or are exploring usage-based insurance (UBI) programs. The most common of these programs, pay-as-you-drive (PAYD), uses actual driving data to determine accurate rates in order for insurers to give customers more control over premiums. 

One issue of concern that has been voiced is that, in addition to collection of mileage data, telematic devices monitor and collect all sorts of other driving information, so-called GPS data, including such things as location, speeds, braking patterns etc. The collection and use of this GPS data raises privacy concerns.

The recently released Federal Trade Commission (FTC) report, “Protecting Consumer Privacy in an Era of Rapid Change” pledges that part of a “best practices” framework for the Internet industry concerning how companies should address consumer privacy includes either an industry-created “easy to use and effective”  “Do Not Track” option by the end of 2012, or “Do Not Track” legislation from Congress in 2013.  “Do Not Track” is the proposed ability by consumers to opt out of tracking procedures.

At this point, it is too early to tell the impact that the renewed call for a “Do Not Track” requirement will have on the telematics industry, but it is worth noting that federal “Do No Track” legislation last year, the Do Not Track Online Act, would have allowed consumers to opt out from having online services collect personal information that can be used for data mining. 

That legislation applied to all online activities, including mobile telephone applications and auto-based telematics options. Important to the telematics industry last year was the fact that that legislation permitted providers to collect data, even for those who have previously opted out, in order to provide a service requested by the individual. So, even if it was enacted, the Do Not Track Online Act did not threaten the telematics industry. It should be noted that there was a similar legislative effort last year in California, Senate Bill 761, which failed to pass.

The operational provisions of the federal Do Not Track Online Act and California’s SB 761 were broadly similar by allowing exceptions to data collection and tracking opt-outs in order to provide an expressly requested service. As such, if those statutes had been enacted, it was not believed that they would have had any significant impact on telematics services. 

However, with the recent renewed calls by the FTC for “Do Not Track” requirements, the telematics and insurance industries need to protect their business models by watching all federal or state pronouncements on this topic to make sure similar exceptions are present.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.


FTC Issues Best Practices Guide to Protecting Consumer Privacy

The Federal Trade Commission (FTC) recently issued a report, “Protecting Consumer Privacy in an Era of Rapid Change.”

Two years in the making, the report outlines a “best practices” framework for the Internet industry concerning how companies should address consumer privacy. 

The FTC pledged that consumers will have an industry-created “easy to use and effective” “Do Not Track” option by the end of the year, or it will almost certainly face “Do Not Track” legislation from Congress next year. "Do Not Track" is the proposed ability by consumers to opt out of tracking procedures.

The Report calls on companies to act now to implement “best practices” to protect consumers’ private information. The “best practices” are based on the following key principles:

  1. Privacy by Design (building privacy at every stage of product development);
  2. Simplified Choice for Business and Consumers (give consumers the ability to make decisions about their information at the relevant time and context, including Do Not Track mechanism); and,
  3. Greater Transparency (make information collection and use practices transparent).

The Report indicates that, over the course of the next year, FTC staff will work to encourage consumer privacy protections by focusing on the following five main action items:

Do Not Track - The FTC will work with interested groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

Mobile Services - The FTC will be urgings companies offering mobile services to work toward improved privacy protections, including disclosures.  To this end, the FTC is trying to do what the California Attorney General did in February to improve and define consumer privacy on mobile apps. See our post dated February 24, 2012. 

Data Brokers - The FTC will be calling on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data.

Large Platform Providers - The FTC cited heightened privacy concerns about the extent to which large platform platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers’ online activities.

Promoting Enforceable Self-Regulatory Codes - The FTC will be working with the Department of Commerce and stakeholders to develop industry-specific codes of conduct.

The FTC Report appears to be a broad warning to the Internet industry that it must adhere to what it considers reasonable behavior and has laid out a road map of its expectations in connection therewith.

For more information or any questions, please contact Tim Moroney at 415-743-3713 or tmoroney@bargerwolen.com.

Agreement with California Attorney General May Set Floor for Privacy Protections for Users of Mobile Applications

Amid growing concern about their personal information being pulled by mobile applications (“apps”) and taking a lead from the Federal Trade Commission (“FTC”), whose recent report raised concerns about the lack of privacy information available to mobile app users before download, California Attorney General Kamala Harris announced a privacy agreement with the six largest mobile app providers – Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion – that will impact how millions download apps to their smartphones, tablets, and other mobile devices.

The six companies have agreed to privacy principles designed to bring the industry in line with California’s Online Privacy Protection Act (“the Act”), most significantly requiring mobile apps that collect personal information to have a privacy policy, and to display it in prominent fashion and in easy to understand language before the app is downloaded. 

Two important features of the agreement are that consumers:

  1. will be afforded the opportunity to review the app’s privacy policy before they download the app rather than after, and
  2. will be offered a consistent location for finding the app’s privacy policy. 

The six companies will also be tasked with educating the app developers about their privacy obligations and will be providing users tools to report non-compliant apps.

Privacy policies are important consumer protections that allow for transparency into how companies collect and use personal information. Currently, most apps do not have privacy policies.

An important part of the agreement is the recognition that the Act applies to independent app developers as well as operators of commercial website and online services that sell and distribute them.

The Attorney General predicts that this agreement will have international impact as app developers will choose to comply with California law and the agreement because California is an important state (lots of app users here), and it will be administratively easier for the app developers to have one design that works everywhere.

At this point, it is uncertain whether the agreement will have the global impact the Attorney General predicts. That said, we have seen other California privacy laws assume a national impact. 

For example, the California Security Breach Notification law was one of the first in the country and, as such, many companies doing business in California had to comply with it not only in California, but, for public relations reasons, everywhere – how could a large national company provide security breach notification letters in California to California residents, but not in Arizona? 

In this example, the company would essentially being telling people in Arizona that their protection is less important than persons in California. Therefore, many companies simply decided to provide security breach notification letters everywhere it did business even before many states passed similar security breach notification laws. It is possible the same impact could happen with this new Act.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

California's Reader Privacy Act: What Every Bookseller Must Know

On January 1, 2012, the California Reader Privacy Act went into effect. The Act requires all “book service providers,” i.e., book sellers, in the State to take certain steps when responding to governmental requests for user information and to make specific reports and disclosures regarding those requests.

The Act protects unauthorized disclosure of private information regarding books and book readers.

California consumers are increasingly utilizing digital book services and providers and in connection therewith such entities may collect detailed personal information about consumers such as books browsed, how much time is spent reading each page, and digital notes made in the margins. The Act is meant to address implicated privacy issues and codify the privacy and free speech safeguards for expressive records guaranteed by the California Constitution. 

The Act prohibits book service providers—defined as any service that has as its primary purpose the “rental, purchase, borrowing, browsing, or viewing of books”—from knowingly disclosing the personal information of any of its users to a law enforcement agency except per a valid court order based on probable cause and a determination that the requesting agency has a compelling interest in obtaining the information that could not be obtained by less obtrusive means. 

Prior to issuing an order to disclose user information, the book service provider must have been provided “reasonable notice” to allow it the opportunity to appear and contest the issuance of the order. 

Once a book service provider receives a court order seeking disclosure of a user’s personal information, the service provider must notify the user so that he or she has a chance to appear or quash the order. 

The Act also imposes certain reporting requirements on all book service providers. If a book service provider discloses the personal information of 30 or more California users in a year it is required to prepare a report that is to be made publicly available in an online searchable format. A book service provider with a commercial web site is required to either create a prominent hyper link to the report required under this Act or state that no report was prepared because the service provider was exempt from the reporting requirement. (because less than 30 disclosures were made). 

The provisions of the Act are ignored at a book service provider’s peril. A service provider that violates the Act is subject to civil penalties to the user and/or Attorney General and the Act may be the basis of civil actions and liability brought by either the user or an attorney general or district attorney within two years of discovery of any violation of the Act.