What Facebook's IPO Means for Users

I was interviewed for this PC World piece on the potential impact of Facebook's recently announced IPO on data privacy.  My take:  being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies.  This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. 

Data Security Industry Grows Without "Pearl Harbor" Moment

This article, "Cyber Bombs: Data-Security Sector Hopes Adoption Won’t Require a ‘Pearl Harbor’ Moment," in last week's Mass High Tech suggests that even without a watershed event (i.e., a "Pearl Harbor") the cyber-security business will continue to grow robustly.  Interestingly, the article cited the launch of the Advanced Cyber Security Center as proof that the Pearl Harbor isn't necessary.

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches


By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 

How did the attackers obtain this trove of log-in information? Sony says it is “likely” they were stolen from elsewhere and not from its own networks, based on the low success rate. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach.

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.
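The pattern Sony describes (a large credential list replayed across many accounts, with the overwhelming majority of attempts failing) looks different in authentication logs from password guessing against a single account. The following added example, which is not from the original post or from Sony, scores each source address by attempt volume, number of distinct accounts tried and success rate, and labels the replay of a stolen list separately from brute force. The log format, the threshold values and the sample lines (using RFC 5737 documentation addresses) are all constructed for illustration.

```python
"""Classify login-attempt sources by the shape of their failures.

Added example, not code from the original post. The log format, the
thresholds and the sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: one line per authentication attempt.
# 203.0.113.5 tries ten different accounts once each (one succeeds);
# 198.51.100.7 hammers a single account; 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2011-10-10T12:00:01Z src=203.0.113.5 user=alice result=FAIL
2011-10-10T12:00:01Z src=203.0.113.5 user=bob result=FAIL
2011-10-10T12:00:02Z src=203.0.113.5 user=carol result=OK
2011-10-10T12:00:02Z src=203.0.113.5 user=dave result=FAIL
2011-10-10T12:00:03Z src=203.0.113.5 user=erin result=FAIL
2011-10-10T12:00:03Z src=203.0.113.5 user=frank result=FAIL
2011-10-10T12:00:04Z src=203.0.113.5 user=grace result=FAIL
2011-10-10T12:00:04Z src=203.0.113.5 user=heidi result=FAIL
2011-10-10T12:00:05Z src=203.0.113.5 user=ivan result=FAIL
2011-10-10T12:00:05Z src=203.0.113.5 user=judy result=FAIL
2011-10-10T12:00:10Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:11Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:12Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:13Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:14Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:15Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:16Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:17Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:18Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:00:19Z src=198.51.100.7 user=alice result=FAIL
2011-10-10T12:05:00Z src=192.0.2.9 user=mallory result=FAIL
2011-10-10T12:05:04Z src=192.0.2.9 user=mallory result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_log(text):
    """Yield (src, user, succeeded) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"


def summarize(text):
    """Per-source record: total attempts, distinct accounts tried, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for src, user, ok in parse_log(text):
        rec = stats[src]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["successes"] += int(ok)
    return stats


def classify(rec, min_attempts=8, max_success_rate=0.2):
    """Label one source record. Thresholds are illustrative, not from the post."""
    if rec["attempts"] < min_attempts:
        return "normal"
    if rec["successes"] / rec["attempts"] > max_success_rate:
        return "normal"
    attempts_per_user = rec["attempts"] / len(rec["users"])
    # Many distinct accounts, roughly one try each, almost all failing:
    # a list of credentials stolen elsewhere being replayed.
    if attempts_per_user < 2:
        return "credential_stuffing"
    # Many tries against few accounts: password guessing.
    return "brute_force"


def classify_log(text):
    """Map each source address in the log to its label."""
    return {src: classify(rec) for src, rec in summarize(text).items()}


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(src, label)
```

The distinguishing signal is attempts per distinct account: a replayed breach list touches each account about once, whereas guessing concentrates many attempts on one account. Either label justifies a lockout or step-up check on the affected source, but the first also means the credentials are already known to the attacker, so the matching users should be prompted to change the password everywhere they reused it.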

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption,” but storing passwords in a hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. Password hashing is a known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.
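To make concrete why hashed storage limits the damage of a stolen password table, here is an added example (not the post's or Sony's code) of salted, iterated password hashing using only the Python standard library. The record format and the iteration count are illustrative choices of this example; the post does not specify how any service stores its passwords.

```python
"""Salted, iterated password hashing and verification.

Added example, not code from the original post. The record format
'pbkdf2_sha256$iterations$salt$digest' and the work factor are
illustrative assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor; raise as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record that can be stored instead of the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Two users with the same password; show what a stolen table would reveal."""
    users = {
        "alice": hash_password("correct horse"),
        "bob": hash_password("correct horse"),
    }
    return {
        "alice_ok": verify_password("correct horse", users["alice"]),
        "alice_wrong": verify_password("wrong guess", users["alice"]),
        # Different salts: identical passwords do not produce identical records.
        "records_differ": users["alice"] != users["bob"],
        # The plain text is not recoverable from the record, only checkable against it.
        "plaintext_absent": "correct horse" not in users["alice"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Unlike encryption, there is no key that turns the stored digest back into the password; a verifier can only recompute and compare. That is the property that would have blunted the cascade described above: a breached table of records like these cannot be replayed as-is against other services, and the per-record salt and iteration count make recovering the passwords by guessing slow and account-by-account rather than table-wide.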

Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

As promised in our earlier entry, here is our detailed discussion of the Supreme Court's decision in Sorrell v. IMS Health, Inc., written by Colin J. Zick, Pat A. Cerundolo, and Tad Heuer.

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors. The following summarizes this ruling and its potential consequences for those involved in these industries.

Background

The case concerned Vermont’s 2007 Act Relating to Increasing Transparency of Prescription Drug Pricing and Information. The Vermont law prohibited pharmacies and similar entities from selling information about physician prescription patterns (“prescriber-identifiable data”), and prohibited pharmaceutical manufacturers from using such data for marketing purposes without the express consent of prescribers. As a result, the law severely restricted the ability of pharmaceutical sales representatives to tailor their “detailing” presentations (the trade term used to describe routine pharmaceutical marketing presentations) to the needs of individual prescribers. The law did include an exception for the use of prescriber-identifiable data in healthcare research.

IMS Health, an entity that collects and sells prescriber data, challenged the law in the United States District Court in Vermont. The District Court upheld the law, finding that it was a valid and constitutional restriction on commercial speech, given Vermont’s asserted interests in both healthcare cost containment and public health. On appeal, the Second Circuit Court of Appeals reversed, finding that these justifications were inadequate. The Second Circuit ruled that the law violated the First Amendment by burdening the speech of pharmaceutical marketers and data mining entities. The United States Supreme Court granted certiorari in order to reconcile the conflict between the Second Circuit’s decision to strike down the Vermont law, and the First Circuit’s recent decision to uphold a similar New Hampshire law.

Supreme Court Ruling

In ruling in favor of IMS Health and affirming the Second Circuit, the Supreme Court first found that the text of the Vermont law constituted more than an incidental burden on speech, as it explicitly disfavored both specific speakers (pharmaceutical manufacturers) and specific contents of speech (marketing activities), and was thus subject to a “heightened” standard of judicial scrutiny. The Court also observed that the law’s legislative history clearly indicated that its express purpose was to diminish the effectiveness of brand-name pharmaceutical marketing efforts. Second, the Court concluded that the Vermont law directly regulated the content of that speech, and was therefore not solely a commercial regulation (whose constitutionality could have been analyzed using a level of judicial scrutiny more deferential to Vermont). Third, the Court ruled that the Vermont law restrained the use and dissemination of information about prescriber habits, and thus specifically burdened the marketing speech of pharmaceutical companies. As a result, the Court ruled that the Vermont law violated the First Amendment.

Further, the Court noted that even if the Vermont law were viewed only as a limitation on commercial speech, the law still would have failed to pass constitutional muster, as it did not directly and proportionately advance any of Vermont’s asserted reasons for its necessity: physician privacy, healthcare cost control, or public health generally. First, the Court reasoned that the law could not be said to protect physician privacy, because the law still authorized pharmacies to share prescriber-identifying information with essentially anyone for any reason other than marketing. Second, the Court found that Vermont’s indirect approach to controlling healthcare costs — passing a law that restrained speech in an effort to diminish the perceived influence of detailing — constituted a disproportionate burden on free speech. Third, the Court emphasized that the dissemination of truthful information about pharmaceuticals may actually improve public health, by helping prescribers make more informed decisions. Indeed, the Court observed that far from being either false or misleading — two situations in which the Court has previously permitted limited regulation of commercial speech — there was no evidence that the “detailing” at issue here was anything but truthful. In conclusion, the Court observed that the mere fact that Vermont “finds [certain forms of] expression too persuasive does not permit [Vermont] to quiet the speech or to burden its messengers.”

In dissent, Justice Breyer (joined by Justices Ginsburg and Kagan) argued that although the Vermont law may have adversely affected speech, it did so only as part of a lawful governmental effort to regulate a commercial enterprise. Breyer emphasized that the prescriber information is only retained because pharmacists are required by law to do so, and argued that in such a situation, the First Amendment does not require the Court to apply a heightened level of judicial scrutiny. Breyer further argued that even if “intermediate” scrutiny were applied to the Vermont law (the legal standard that is usually applied to a review of restrictions on purely commercial speech), the Vermont law would have met this test. Breyer concluded that the law directly advanced Vermont’s substantial interest in public health because it would encourage detailing discussions that focused on safety, effectiveness, and cost, rather than on past prescribing history.

Outlook

The Supreme Court’s Sorrell decision is an important development for the pharmaceutical, medical device, biotechnology, and related sectors, because it confirms the legal right of industry sales staff to access prescriber-identifiable data for marketing and other purposes. The Sorrell ruling will almost certainly require a reexamination of similar statutory and regulatory restrictions in other states, particularly if those state laws burden the access to and use of this type of prescriber information.

Finally, it remains to be seen whether Sorrell represents a move toward granting commercial speech greater constitutional protections than it has been afforded in the past. The Court concluded that the Vermont law would have been unconstitutional under either the “intermediate” scrutiny standard traditionally applied to commercial speech regulations or the “heightened scrutiny” standard alluded to by the majority. However, the implication that a new “heightened” standard exists in the commercial speech context — and precisely what such a standard would look like in practice — is a development that merits being monitored closely.


Supreme Court Strikes Down Vermont Data Mining Law

By Tad Heuer, Esq.

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy's opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy's opinion provides a brief summary of the posture of the case and of the Court's decision:

Vermont law restricts the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors. Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010). Subject to certain exceptions, the information may not be sold, disclosed by pharmacies for marketing purposes, or used for marketing by pharmaceutical manufacturers. Vermont argues that its prohibitions safeguard medical privacy and diminish the likelihood that marketing will lead to prescription decisions not in the best interests of patients or the State. It can be assumed that these interests are significant. Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard.

We will be publishing a more extensive analysis shortly; watch this space for a link to it.

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

The Substance Abuse and Mental Health Services Administration ("SAMHSA"), in close cooperation with the Department of Health and Human Services Office for Civil Rights ("OCR"), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.”  This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  

HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether these special protections should also be applied to test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.

To this end, SAMHSA has announced a regional public meeting in Chicago, Illinois, on October 7, 2010, to give the public a chance to learn about this issue and express opinions. Registration is necessary, but there is no charge for attending. Another regional meeting will be held this year in Los Angeles in late November or early December.  The meeting is designed for mental health professionals, consumers, health care providers and health plans, agency administrators, health information technology experts, and test developers.

The significant concepts and issues being addressed in this project include:

- What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?

- Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?

- Are there circumstances under which test data should be disclosed to third parties?

- Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?

- How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?

- How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?

- In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?

Small groups will consider these and other central questions following brief presentations by SAMHSA’s and OCR’s study team.

"Data, Data Everywhere" -- Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

Texas to Destroy 5.3 Million Illegally Obtained Blood Samples

As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research.  The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent. 

The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life.  Under the settlement, the blood samples collected without parental consent must be destroyed by early next year.  State authorities estimated that some 5.3 million samples would be destroyed as part of this process.  The State of Texas also is required to publish a list of all research projects that used the blood specimens.