Transcript and Presenter's Notes

Title: one voice one vision one firm


1
Dewey Ballantine LLP
one voice one vision one firm
2
Issues in Privacy and Outsourcing
  • Jennifer Danner Riccardi
  • Dewey Ballantine LLP
  • 202/862-3695
  • jriccardi@dbllp.com
  • June 21, 2004

3
Liability Under Privacy Rules and Regulations Is
a Current Issue
  • Medical Records in Pakistan
  • Personal Financial Data in the Ukraine
  • NASSCOM Seeks to Be Proactive

4
Privacy Issues Are Multi-layered and Complex
  • U.S. Federal statutes and regulations
  • U.S. state statutes and regulations
  • Non-U.S. statutes and regulations (EU, Canada,
    Australia)

5
Selected Federal Statutes and Regulations
  • Health information
  • Health Insurance Portability and Accountability
    Act (HIPAA) and Implementing Regulations
  • Financial information
  • Gramm-Leach-Bliley Act (GLBA)
  • Electronically transmitted or stored information
  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communications Privacy Act (ECPA)
  • Children's Online Privacy Protection Act
    (COPPA)

6
HIPAA What's Covered
  • Applies to covered entities that transmit
    information in an electronic form in connection
    with a covered HIPAA transaction
  • Protects from disclosure protected health
    information (PHI)
  • Requires mechanisms to ensure both privacy and
    security of PHI
  • Disclosure generally requires consent or
    authorization
  • Duty to mitigate any harmful effects caused by
    unauthorized disclosure
  • Duty to maintain data safeguards

7
HIPAA Business Associate Contracts
  • Covered entities may disclose PHI without consent
    to a business associate pursuant to a written
    agreement
  • Business associate receives PHI in order to
    perform, for the covered entity, legal,
    management, administrative or related services
  • A written agreement must obligate the business
    associate to abide by the same restrictions to
    which the covered entity is subject and to the
    covered entity's privacy practices

8
HIPAA Privacy Rule BA Contracts
  • Required since April 2004
  • Express agreement that the BA will use appropriate
    safeguards to prevent use or disclosure of PHI
  • Expressly require the BA's subcontractors and agents
    to be bound by the same standards
  • Specify standards of training for the BA's employees
    and agents
  • Require immediate notification if rules and
    standards are breached
  • Stipulate that violation permits termination
  • End-of-contract issues: return or destruction of
    PHI

9
HIPAA Security Rule BA Contracts
  • Required from April 2005
  • Express agreement that the BA will implement
    administrative, physical, and technical
    safeguards to protect electronic PHI
  • Expressly require the BA's subcontractors and agents
    to be bound by the same standards
  • Require immediate notification if rules and
    standards are breached
  • Require implementation policies to be provided to
    HHS
  • Authorize termination of contract for breach of a
    material term

10
HIPAA Penalties for Violation
  • Civil penalties: HHS may impose penalties of up
    to 100 per failure to comply with a Privacy Rule
    requirement
  • Criminal penalties: fines of between 50,000 and
    250,000 and imprisonment of between one year and
    ten years, depending on whether the violation was
    committed
    • with knowledge
    • under false pretenses
    • for profit or malicious harm
  • Civil liability: no direct civil liability to
    parties harmed by disclosure, but potential
    liability under other causes of action based on
    violation of HIPAA

11
GLBA What's Covered
  • Applies to any enterprise that is engaged in
    activities that are financial in nature
  • Requires notice to customers of privacy policy
    and the opportunity to opt-out of having
    information shared with non-affiliates
  • Limits the uses/right to disclose nonpublic
    personal information
  • The Safeguard Rule

12
GLBA Safeguard Rule
  • Plans must focus on three specific areas:
    1. employee management and training
    2. information systems
    3. managing system failures

13
GLBA Safeguard Rule
  • Financial institutions must develop a written
    information security plan, which must include:
    • Designation of at least one employee to
      coordinate the safeguards
    • Identifying and assessing the risks to customer
      information, and evaluating the effectiveness of
      the current safeguards for controlling these
      risks
    • Designing and implementing a safeguards program,
      and regularly monitoring and testing it
    • Selecting appropriate service providers and
      contracting with them to implement safeguards
    • Evaluating and adjusting the program in light of
      relevant circumstances, including changes in the
      firm's business arrangements or operations, or
      the results of testing and monitoring of
      safeguards

14
European Union (EU) Data Protection Directive
  • Mandates certain minimum standards for the
    collection, disclosure, and transmission of
    personal data
  • Restricts the flow of personal data within the
    EU, as well as from member states to countries
    outside the EU that the European Commission
    determines do not provide adequate protections
  • In May 2000, the U.S. and EU developed safe
    harbor principles

15
EU Directive Safe Harbor
  • U.S. companies are deemed in compliance with the
    directive if they annually certify to the U.S.
    Department of Commerce and publicly state that
    they adhere to the safe harbor principles:
    • Notice
    • Choice
    • Onward Transfer
    • Security
    • Data Integrity
    • Access
    • Enforcement

16
State Law Regulation
  • Possible basis of liability
  • Numerous states have or are contemplating privacy
    statutes/regulations
  • Preemption issues

17
Best Practices
  • Outsourcing does not absolve the personal
    information generator from liability
  • Integrate privacy concerns into your vendor
    selection process
  • Memorialize privacy policies and procedures into
    contracts
  • Retain ability to terminate contract for material
    breach of privacy policies
  • Mandatory disclosure of breaches of security
    policy
  • Audit for compliance
  • Due diligence in vendor selection
  • Insurance and bonding issues

18
For Further Information
  • Jennifer Danner Riccardi
  • Dewey Ballantine LLP
  • 1775 Pennsylvania Avenue, N.W.
  • Washington, DC 20006
  • 202/862-3695
  • jriccardi@dbllp.com
  • www.deweyballantine.com