I recently authored an article for the Daily Journal on the new cybersecurity framework. You can read about it by visiting the Daily Journal.
The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes more murky.
Read the full article here: HIPAA and Emerging Technologies Article
Retail stores across California routinely ask customers to provide a ZIP code when making a purchase. This practice may now be prohibited following the California Supreme Court decision in Pineda v. Williams-Sonoma, __ Cal. 4th__ (February 10, 2011), holding that ZIP codes are “personal identification information” for the purposes of the Song-Beverly Credit Card Act.
In 2008, Jessica Pineda visited a Williams-Sonoma store in California. While making her purchase, the cashier asked for her ZIP code, but did not tell her what the information would be used for. Thinking the information was necessary to complete the transaction, Pineda provided the information. Later, using specialized computer software, Williams-Sonoma conducted a “reverse lookup” and was able to determine Pineda’s previously unknown mailing address by matching her name and ZIP code in a third-party database. This information was then stored in Williams-Sonoma’s own database for use in direct-mail marketing campaigns. Pineda learned of this and filed a class-action lawsuit, alleging that the store's conduct violated the Song-Beverly Credit Card Act (“Credit Card Act”) and Business and Professions Code section 17200 et seq.
California's Credit Card Act prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Specifically, section 1747.08(a) provides that no firm shall “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise."
Personal identification information is defined in subsection (b) as “information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number.” However, prior to the court’s recent decision, an individual’s ZIP code was not considered to be personal identification information. In fact, the opposite was true. As recently as 2008, the California 4th District Court of Appeals addressed this specific issue in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008), where it held that ZIP codes were too general to be covered by the Credit Card Act because they pertain to a group of individuals, not a specific individual.
In Pineda, the Supreme Court construed the definition of “personal identification information” broadly to include any information concerning the cardholder. The Court reasoned that since a cardholder’s ZIP code refers to the area where a cardholder lives or works, it would qualify as information that pertains to the card holder. In addition, since a ZIP code is part of the address, the statute “should be construed as encompassing not only a complete address, but also its components.” Further, in reversing Party City, the Court rejected the argument that a ZIP code should not be protected because it does not pertain to a specific individual. An address or phone number, both of which are explicitly defined as personal identification information by section 1747.08, might also pertain to individuals other than the cardholder. Therefore, the fact that a ZIP code could pertain to multiple individuals did not render it exempt from the Credit Card Act.
The Court found further support in “the legislative history of the Credit Card Act in general, and section 1747.08 in particular, [which] demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.” Here, the ZIP codes at issue were not collected for identification purposes, nor were they necessary in order to complete the credit card transaction. Instead, Williams-Sonoma collected the ZIP codes specifically for marketing purposes. The difference is key. Had Williams-Sonoma collected ZIP codes for identification purposes, it would have been governed by Civil Code section 1747.08(d). This statute allows a business to require reasonable forms of identification from a cardholder, such as a driver’s license, but it may not record any of the information on that license, including the cardholder's ZIP code. It would be inconsistent with the intent of the Legislature to allow in subdivision (a) what would be explicitly forbidden in subdivision (d) - namely the requesting and recording of a ZIP code. The logical conclusion, the court held, is that the term “personal identification information” as used in section 1747.08, includes a cardholder's ZIP code.
Within California, the effect of this ruling is significant. Retail stores routinely ask customers for their ZIP code for both marketing and regional sales forecasting. The potential effect is compounded by the fact that in 2008, this practice was considered exempt from the Credit Card Act by the court’s holding in Party City. Seemingly overnight, actions that were previously authorized could now subject retail stores to statutory penalties up to $250 for the first violation and $1,000 for each subsequent violation. Further, as privacy expert and CIPP Tanya Forsheit pointed out, “it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute - consumer protection.” Outside of California, it is unclear what impact this case will have. The Credit Card Act was modeled after a similar New York statute passed in 1990 and several other states have similar laws but none of those prohibit the collection of ZIP codes. At a minimum, California retailers should take a close look at their information collection practices and consider updating those policies in light of this decision.
The Supreme Court opinion is available here: Pineda v. Williams-Sonoma, __ Cal. 4th__ (February 10, 2011).
M. Scott Koller is an attorney with McKennon Schindler LLP in its Newport Beach office in California. His practice specializes in civil litigation involving privacy, data security, and intellectual property.
The very first email message was sent in 1971 by a computer engineer named Ray Tomlinson. It was just a simple test message sent between two computers sitting next to each other on a desk. At the time, Tomlinson had no idea of the ultimate ramifications of this invention.
Today, email has revolutionized the way we communicate. With an estimated 250 billion messages sent every day, email is used by individuals and corporations alike to both conduct business and share information across the internet. From bank statements to greeting cards, information that was once sent via the U.S. Postal Service is now sent by email. Although not completely replacing either the telephone or the U.S. Postal Service, email has become the de facto standard for daily communication for millions of Americans. Until recently, email enjoyed far less privacy protection.
The Fourth Amendment to the Constitution provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause....” The purpose of this amendment is to protect against unreasonable searches and seizures where there is a reasonable expectation of privacy. As a result, this protection requires the government to obtain a warrant before searching your home or recording your telephone conversations. At issue in United States v. Warshak, --- F.3d ----, 2010 WL 5071766 (6th Cir. 2010), was whether that same protection should be extended to email.
Steven Warshak owned and operated a company called Berkeley Premium Nutraceuticals, Inc., whose activities drew the attention of the U.S. Government due to allegations of money laundering and wire fraud. As with many businesses, email played a vital role in the day-to-day operations of the company. During its investigation, the U.S. Government directed Berkeley’s internet service provider (“ISP”) to preserve the contents of any email sent to or from Warshak’s email account. This request was made pursuant to the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”). Passed in 1986, the SCA governs the compelled disclosure of "stored wire and electronic communications and transactional records." In certain situations, the SCA allows the government to obtain email without a warrant. That is precisely what happened in Warshak. For almost two years, Warshak had no idea that his ISP was storing copies of his email for the U.S. Government. Eventually, the government obtained approximately 27,000 emails, many of which could be considered highly incriminating. Warshak challenged the government’s action on the grounds that without a warrant, it amounted to an unlawful search and seizure.
On appeal, the Sixth Circuit sided with Warshak and subsequently extended the Fourth Amendment to include electronic mail. The court reached this conclusion by building on the Supreme Court case of Katz v. United States, 389 U.S. 347 (1967), which found that wiretapping telephone calls implicated the Fourth Amendment due to “the vital role the public telephone has come to play in private communication.” As with the telephone, the court reasoned, email is an indispensable part of the Information Age. People use email to communicate with children, with spouses, or with employers. Confidential information is shared via email with doctors, lawyers and various financial institutions. When you consider the full range of information shared and the level of detail available, email has the potential to be more intrusive than a phone call could ever be.
As reasonable as this conclusion may sound, the court still had to overcome several key objections. The government argued that there was no reasonable expectation of privacy because the ISP’s terms of service specifically allowed it to access user emails for certain purposes. Further, since the user disclosed the content of his email to a third party, in this case the ISP, he could not reasonably expect the conversation to be private. However, the court wisely rejected both of these arguments. Instead, the court described an ISP as the functional equivalent of a post office or telephone company. Just as the telephone company has the ability to listen in on telephone calls, ISPs also have the ability to access a user’s email. Similarly, a physical letter must be entrusted to the post office for delivery in the same way an email is entrusted to an ISP. That entrustment is necessary for the communication to be possible and therefore does not divest the communication of its Fourth Amendment protection. Given the similarities between email and traditional forms of communication, the court held that “it would defy common sense to afford emails lesser Fourth Amendment protection.”
Interestingly, the court declined to rule that the terms of service would never be sufficient to eliminate the reasonable expectation of privacy in emails. It is possible that an ISP’s intent to audit, inspect or monitor a subscriber’s email could remove the protection granted under the Fourth Amendment. Some email providers, such as Google’s popular Gmail service, scan the content of email for the purposes of delivering targeted ads and web links. Google maintains that this process is completely automated and that no “human” reads a user’s email. The question remains whether this level of third-party disclosure is sufficient to negate protections of the Fourth Amendment.
M. Scott Koller is an associate of McKennon | Schindler in its Newport Beach office. His practice specializes in civil litigation involving privacy, data security, ERISA, and insurance. See www.californiainsurancelitigation.com for the firm's blog.
The Thursday August 5, 2010 edition of the Los Angeles Daily Journal featured my article entitled “Cell Phone Users Catch a Break,” in the Perspective column. It discusses the U.S. Copyright Office's recent announcement regarding its decision to exempt wireless telephone handsets from the anti-circumvention provision under the Digital Millennium Copyright Act. The article is posted below with permission of Daily Journal Corp. (2010).
Upon entering or leaving my neighborhood grocery store, I am usually confronted by either children selling cookies or individuals seeking my signature or vote on a variety of political causes. Even though I am more likely to purchase a box of cookies than I am to sign a political petition, I have never considered the privacy implications of signing a petition, until now.
In Doe v. Reed, __ U.S. __ (Decided June 24, 2010), the Supreme Court addressed the narrow question of whether disclosure of referendum petitions would violate the First Amendment. The facts are fairly straightforward. In May of 2009, the State of Washington enacted a bill that would expand the rights and responsibilities of domestic partners, including same-sex domestic partners. This bill, known as Senate Bill 5688, was drafted by the legislature and signed into law by Washington’s Governor Christine Gregoire.
Seeking to repeal the bill, a group by the name of Protect Marriage Washington started collecting signatures in order to place a referendum on the ballot that would give the voters the opportunity to vote on the bill. Protect Marriage collected the required signatures and the referendum was placed on the ballot. Prior to election night, the Secretary of State received several public records requests seeking disclosure of the names of the individuals who signed the petition. This information would include the names, address and county of residence for each of the 137,000 signatures submitted. The Washington Public Records Act (“PRA”) makes available for public inspection “any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function.” Since the Secretary of State considered the referendum petition to fall under that definition, the identity of those who signed the petition was considered a public record. Protect Marriage objected to the disclosure citing privacy concerns and sought a preliminary injunction to enjoin the disclosure of the petition signatories.
In an 8-1 decision, the Supreme Court held that the disclosure of referendum petitions does not, as a general matter, violate the First Amendment. Writing for the majority, Chief Justice Roberts wrote:
“Public disclosure thus helps ensure that only signatures counted are those that should be, and that the only referenda placed on the ballot are those that garner enough valid signatures. Public disclosure also promotes transparency and accountability in the electoral process to an extent other measures cannot.”
As a result, the Court held that the State’s interest in preserving the integrity of the electoral process is sufficient to defeat the argument that the PRA is unconstitutional when applied to referendum petitions.
On the surface, this holding seems to be relatively clear-cut. However, when you dive a bit deeper into the Court’s opinion, you find that this issue is far from over. On appeal to the Ninth Circuit, the plaintiff asserted two key arguments: first, that the PRA was unconstitutional when applied to referendum petitions in general and second, that the PRA was unconstitutional when applied to this specific petition. Since the Appellate decision was based solely on the first argument, the Supreme Court declined to address the second argument, which is arguably the stronger of the two. Therefore, in the event this case returns to the Supreme Court, would the outcome remain the same?
In Reed, Chief Justice Roberts acknowledged that those resisting disclosure can prevail under the First Amendment if they can show “a reasonable probability that the compelled disclosure [of personal information] will subject them to threats, harassment, or reprisals from either Government officials or private parties.” Reed citing Buckley v. Am. Constitutional Law Found. (Buckley II), 525 U.S. 182, 197, 119 S.Ct. 636, 142 L.Ed.2d 599 (1999). In this case, the Respondents acknowledged their intent to publicly identify those who had signed the petition and broadcast the signers’ political views via a searchable internet website. This, plaintiff argued, would be a blueprint for harassment and intimidation, effectively chilling future political participation. However, a number of the Justices seemed to disagree. Justice Stevens argued that “there would have to be a significant threat of harassment directed at those who sign the petition that cannot be mitigated by law enforcement measures” and that such harassment “is unlikely to occur in cases involving the PRA.” Further, Justice Sotomayor, who was joined by Justices Ginsburg and Stevens, viewed the burden on public speech as “minimal” and wrote that “disclosure of the identity of petition signers, moreover, in no way directly impairs the ability of anyone to speak[.]” Even Justice Scalia compared the act of signing a petition to the act of legislating, noting, “Our Nation’s longstanding traditions of legislating and voting in public refute the claim that the First Amendment accords a right to anonymity in the performance of an act with governmental effect.”
Apart from Justice Thomas, who believed the PRA was unconstitutional as applied to referendum petitions in general, the only other support came from Justice Alito. Even though he voted with the majority, Justice Alito noted that “plaintiffs in this case have a strong argument that the PRA violates the First Amendment as applied to the Referendum 71 petition.” Since it appears that at least five of the justices seem to be predisposed toward rejecting even a narrow First Amendment challenge to the PRA, it seems unlikely that signatories to the referendum petition will be able to remain anonymous. Accordingly, anyone who is deciding whether to sign a referendum petition should decide if they want to be publicly identified with that particular political issue.