The Top Ten Privacy and Data Security Issues to Watch in 2013
By Kirk J. Nahra, Wiley Rein LLP, Washington
Top ten lists are both fun and really hard to do. David Letterman has made a living with them for more than 20 years. Some lists—the best books of the year, for example—are purely personal, and have the benefit of being selected from a new crop each year. Last year’s books need not apply.
For privacy and security, the challenge is different. Some issues are very important and simply do not go away. The “imminent” Health Insurance Portability and Accountability Act (HIPAA) rules will be on this list for the third straight year (and we haven’t even seen them yet). Other issues rise or fall depending on politics, international relations and new technological developments. The popular media makes certain issues jump in visibility, almost randomly, if there’s a catchy hook. Moreover, while all companies are touched by some set of privacy and data security issues, the latest developments on certain laws (for example, new privacy notices under the Gramm-Leach-Bliley Act) are important to some but entirely irrelevant to many others.
So, this list of the top ten privacy and security issues to watch in 2013 is driven by my own scientifically and meticulously selected review of the issues that will matter the most to the most people in 2013, based on a proprietary model peer-reviewed by a respected panel of experts (or, at least, the things I think will be important in 2013). Here goes.
1. The Eagerly Awaited HIPAA/HITECH Act Rules
Let’s get this one out of the way. For the third year in a row, the Department of Health and Human Services (HHS) definitely—guaranteed—without fail (or at least pretty likely) will issue the long overdue regulations implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act). For those of you who may have forgotten, the HITECH Act—passed in February of 2009—made specific changes to the text of the HIPAA Privacy and Security Rules. The text of this legislation specified that these changes would be effective one year after passage of the law (meaning February 2010). However—for reasons that have never been clearly explained—the Department of Health and Human Services made clear—in July 2010, several months after these provisions were to be effective—that in fact the statute meant nothing, and that no changes would take effect until a new regulation was issued. We’ve been waiting since then. The July 2010 announcement came in the course of the proposed regulation addressing these changes (9 PVLR 1007, 7/12/10). Since then, nothing, other than various now inaccurate predictions and a lot of waiting and confusion. The only part of the HITECH Act that is in effect—through an “interim final regulation” (8 PVLR 1227, 8/24/09)—is the breach notification provision, which already has had an enormous impact on the health care industry.
Waiting aside, these new rules may end up being somewhat anticlimactic. The proposed rule actually said very little, other than transferring the HITECH Act statutory language into the regulations. We knew from the statute almost all of what the proposed regulation said (even though it took a year and a half to get out). There was little interpretation and little change beyond what the HITECH Act mandated. HHS made some very minor changes based on its almost ten years of overseeing the HIPAA regime, but these changes appear to have virtually no importance (unless you have been dead for more than 50 years and your privacy rights have now been decreased).
In addition, the statute itself addressed or modified very few HIPAA provisions. The major impact of the rule will be on HIPAA business associates—contractors and service providers to the health care industry—who will need to follow new requirements including (most onerously) the HIPAA Security Rule. This impact will flow downstream as well, to all subcontractors and others who access any HIPAA-protected information. But the most important impact of these changes—once they are finally issued—will be to finally stop the confusion, anxiety and uncertainty that have plagued the health care industry during this delay. If nothing else, the issuance of these new rules will be an important reminder to the health care industry that it needs to constantly pay close attention to the privacy and security of health care data.
• Business associates should start compliance efforts now, particularly for the HIPAA Security Rule.
• Everyone in the health care industry needs to pay close attention to potential breaches.
• Watch for any wild cards in the final rules—topics that haven’t been addressed in the statute and the proposed regulation.
2. Legislative Changes
The possibility of new privacy and security legislation continues to fascinate legislators at the state and federal level. For the past several years, the legislative debate on privacy and security has brought to mind Shakespeare's Much Ado About Nothing. Nonetheless, we are likely to see considerable energy spent on development of potential privacy and security legislation. And while the odds of any significant privacy legislation getting through Congress are quite low, the mere discussion of many of the issues begins to affect behavior on a broader level. In addition, developments at the state level are much more subject to current events or legislative whim, such that the likelihood of new privacy legislation at the state level is always significant.
The most significant legislative topics in recent years have fallen into three categories: privacy (meaning specific restrictions on how personal information in a variety of contexts can be used), security (typically dictating specific technical safeguards for personal information) and breach-related issues (focused primarily on adding new—and often confusing, inconsistent or unnecessary—details to the various state breach notification laws). Congress has waded into these territories, through a variety of proposals in each category. Most of the legislation has been introduced to make a particular political point or address a specific topic of concern. There has been little traction for any new significant privacy legislation in Congress (although there is a somewhat increased likelihood of legislation addressing issues such as geolocation). The concepts of national data security legislation and national breach notification legislation have moved somewhat further along the legislative spectrum (and may be linked to the passage of legislation on cybersecurity issues), but we have seen little significant movement from Congress on these issues in recent years. Given the current overall state of debate in Washington, it would be surprising to see meaningful privacy or security legislation emerge in 2013 (with the most likely scenario involving data security requirements added to a cybersecurity bill).
The state level is more troubling, as states continue to consider a wide range of bills on many topics. For companies operating outside of a single state’s boundaries, these proposals create realistic concerns and add important transaction costs, particularly where security details or breach notification requirements are involved. It is important, however, for companies in all industries to pay attention to privacy and security bills at the state level once these bills move at all past the initial stage of bill introduction.
• If there is cybersecurity legislation, will data security and breach notification be attached?
• Will national breach notification legislation preempt all the state laws on notification?
• Watch for state legislation on “hot topics” that arise quickly and attract media attention.
3. International Developments
While U.S. companies struggle with the wide variety of overlapping and often conflicting requirements at the state and federal level, the international privacy and security structure presents even more complexity. More and more countries are adding their distinctive voice to the emerging cacophony of privacy and data security regulations. Global contracts that involve personal data in any meaningful way are becoming increasingly unwieldy, with more detailed and more confusing requirements and potential obligations being added regularly. The European Union continues to debate significant changes to its enormously important privacy regulation (11 PVLR 178, 1/30/12). Even though formal new requirements in the European Union will not go into effect for several years, the mere discussion of these potential changes is already causing behavioral change across the globe.
Increasingly, while lawyers and compliance professionals advise on these new changes and related developments, international privacy and security compliance is becoming a matter of risk management more than anything else. It may not be possible (or often necessary) to meet all of the international obligations in a truly global setting. With that said, the challenge for privacy and security professionals is to meet these challenges head on, through realistic risk assessment and (hopefully) a reasoned perspective on how these requirements should be put into practice. It would be helpful for all companies involved to take a bit of a deep breath—to realize that they do not always need to make these laws and regulations appear as aggressive as possible, especially when imposing obligations on others through detailed contract requirements. On the whole, however, it is critical for companies to understand the range of new challenges and develop appropriate approaches to meeting relevant obligations, legally, contractually and operationally.
• Be careful on any contracts dealing with personal data that have international implications.
• Focus on reasonableness and risk management—it may be too hard to learn every obligation, so focus on the hard or risky steps.
• Pay closer attention to any countries that become more active on enforcement (although international enforcement remains low).
4. Regulating the Internet
The Do Not Track idea has become a focus of the debate. Promoted largely by the Federal Trade Commission and various advocacy groups, this model promises individuals increased control over their activities on the internet, in terms of protecting their paths across the internet. As with most internet restrictions proposed over the past 15 years, the devil has been in the details, and the complexity of the apparently simple proposal has threatened to overtake the debate (assuming one buys into the concern about a book buyer seeing ads about books). Now, Do Not Track—as a legislative requirement—seems destined to the same fate as most previous internet proposals. Many companies may implement their own form of Do Not Track across their systems, and public pressure may push towards modified forms of this concept. Yet, it is clear that the debate about Do Not Track and related concerns about behavioral advertising will continue to be an enormous focus of attention in 2013.
Following history, the one area where change will come will be in the area of children’s information on the internet. The Children’s Online Privacy Protection Act—whether you think it is strong enough or not—stands as the single most significant privacy protection that Congress has passed in its years of debating privacy on the internet. It is clear that new restrictions will come into effect in 2013 (as evidenced by the FTC’s recent announcement (11 PVLR 1833, 12/24/12)). What is less clear is whether these legislative and regulatory proposals will keep pace with the ability of “children” (defined however you want) to engage in behavior on the internet regardless of any of these provisions, and whether the rules will be out of date even by the time they become effective.
• Be extra careful if you target your website or any particular programs or applications to children.
• Be smart about your privacy commitments—the FTC is watching promises carefully.
• Be alert to all kinds of potential consumer harm—regulatory enforcement will be broader than claims that can be made in private litigation.
5. Cloud Computing
Not all of the most significant issues to watch will involve regulation and legislation. The development of cloud computing as a new technology with enormous benefits, cost savings and potential risk clearly is outpacing the ability of the regulatory process to adapt to new technology. This means that companies need to act and make decisions now, in advance of any new regulatory developments, by adapting an old regulatory framework to a new environment. Companies in all industries are facing the direct challenge of the cloud—understanding what it really is, analyzing the potential benefits and cost savings, and trying to adapt this technology to the confusing regulatory landscape. The cloud also threatens to explode the idea of country-specific approaches to privacy and security, as well as the idea that data are located in or relate to any area in particular.
It is clear that the cloud will continue to move forward aggressively in 2013, as more companies offer cloud services and provide additional security protections for these services and additional companies seek to recognize and incorporate the potential benefits into their operating structure. The cloud will present a direct challenge to the ability of regulators to keep pace with rapidly developing technology. So far, the regulatory structure remains far behind the technological developments (although many would conclude it may be an appropriate result to allow technology to move forward in an appropriate free market way)…