Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

Posted on June 26, 2011 by Colin J. Zick

As promised in our earlier entry, here is our detailed discussion of  the Supreme Court's decision in Sorrell v IMS Health, Inc.,written by Colin J. Zick, Pat A. Cerundolo, Tad Heuer 

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors, The following summarizes this ruling and its potential consequences to those involved in these industries.

Background

The case concerned Vermont’s 2007 Act Relating to Increasing Transparency of Prescription Drug Pricing and Information. The Vermont law prohibited pharmacies and similar entities from selling information about physician prescription patterns (“prescriber-identifiable data”), and prohibited pharmaceutical manufacturers from using such data for marketing purposes without the express consent of prescribers. As a result, the law severely restricted the ability of pharmaceutical sales representatives to tailor their “detailing” presentations (the trade term used to describe routine pharmaceutical marketing presentations) to the needs of individual prescribers. The law did include an exception for the use of prescriber-identifiable data in healthcare research.

IMS Health, an entity that collects and sells prescriber data, challenged the law in the United States District Court in Vermont. The District Court upheld the law, finding that it was a valid and constitutional restriction on commercial speech, given Vermont’s asserted interests in both healthcare cost containment and public health. On appeal, the Second Circuit Court of Appeals reversed, finding that these justifications were inadequate. The Second Circuit ruled that the law violated the First Amendment by burdening the speech of pharmaceutical marketers and data mining entities. The United States Supreme Court granted certiorari in order to reconcile the conflict between the Second Circuit’s decision to strike down the Vermont law, and the First Circuit’s recent decision to uphold a similar New Hampshire law.

Supreme Court Ruling

In ruling in favor of IMS Health and affirming the Second Circuit, the Supreme Court first found that the text of the Vermont law constituted more than an incidental burden on speech, as it explicitly disfavored both specific speakers (pharmaceutical manufacturers) and specific contents of speech (marketing activities), and was thus subject to a “heightened” standard of judicial scrutiny. The Court also observed that the law’s legislative history clearly indicated that its express purpose was to diminish the effectiveness of brand-name pharmaceutical marketing efforts. Second, the Court concluded that the Vermont law directly regulated the content of that speech, and was therefore not solely a commercial regulation (whose constitutionality could have been analyzed using a level of judicial scrutiny more deferential to Vermont). Third, the Court ruled that the Vermont law restrained the use and dissemination of information about prescriber habits, and thus specifically burdened the marketing speech of pharmaceutical companies. As a result, the Court ruled that the Vermont law violated the First Amendment.

Futher, the Court noted that even if the Vermont law were viewed only as a limitation on commercial speech, the law still would have failed to pass constitutional muster, as it did not directly and proportionately advance any of Vermont’s asserted reasons for its necessity: physician privacy, healthcare cost control, or public health generally. First, the Court reasoned that the law could not be said to protect physician privacy, because the law still authorized pharmacies to share prescriber-identifying information with essentially anyone for any reason other than marketing. Second, the Court found that Vermont’s indirect approach to controlling healthcare costs — passing a law that restrained speech in an effort to diminish the perceived influence of detailing — constituted a disproportionate burden on free speech. Third, the Court emphasized that the dissemination of truthful information about pharmaceuticals may actually improve public health, by helping prescribers make more informed decisions. Indeed, the Court observed that far from being either false or misleading — two situations in which the Court has previously permitted limited regulation of commercial speech — there was no evidence that the “detailing” at issue here was anything but truthful. In conclusion, the Court observed that the mere fact that Vermont “finds [certain forms of] expression too persuasive does not permit [Vermont] to quiet the speech or to burden its messengers.”

In dissent, Justice Breyer (joined by Justices Ginsburg and Kagan) argued that although the Vermont law may have adversely affected speech, it did so only as part of a lawful governmental effort to regulate a commercial enterprise. Breyer emphasized that the prescriber information is only retained because pharmacists are required by law to do so, and argued that in such a situation, the First Amendment does not require the Court to apply a heightened level of judicial scrutiny. Breyer further argued that even if “intermediate” scrutiny were applied to the Vermont law (the legal standard that is usually applied to a review of restrictions on purely commercial speech), the Vermont law would have met this test. Breyer concluded that the law directly advanced Vermont’s substantial interest in public health because it would encourage detailing discussions that focused on safety, effectiveness, and cost, rather than on past prescribing history.

Outlook

The Supreme Court’s Sorrell decision is an important development for the pharmaceutical, medical device, biotechnology, and related sectors, because it confirms the legal right of industry sales staff to access prescriber-identifiable data for marketing and other purposes. The Sorrell ruling will almost certainly require a reexamination of similar statutory and regulatory restrictions in other states, particularly if those state laws burden the access to and use of this type of prescriber information.

Finally, it remains to be seen whether Sorrell represents a move toward granting commercial speech greater constitutional protections than it has been afforded in the past. The Court concluded that the Vermont law would have been unconstitutional under either the “intermediate” scrutiny standard traditionally applied to commercial speech regulations or the “heightened scrutiny” standard alluded to by the majority. However, the implication that a new “heightened” standard exists in the commercial speech context — and precisely what such a standard would look like in practice — is a development that merits being monitored closely.

 
Tags: , , , , , , , , , , , , , , , , , , , , ,

Will 2011 Bring Us "Do Not Track" Legislation?

Posted on December 14, 2010 by Colin J. Zick

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1)      This is an area where bipartisan concensus is possible.

2)      The industry powers will fight against “Do Not Track” and will win that fight.  

3)      Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.

*   *   *
 
"Creepy" is the new "cool" and how to make sure it stays that way
 
Posted by Dave Broadwin on December 14, 2010

The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online.  We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly. 

Mark’s comment: 

“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’”  There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising.  It is not just OK by them; it’s a value add.  I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy.  There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.

In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics. 

Prediction #1:  Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress. 

Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook.  So, whatever happens it won’t be that.  However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model. 

Prediction #2:  The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something.  The easy things for them to trade are procedural protections for the consumer. 

  • The FTC wants the industry to adopt “privacy by design” principles.  This means that companies should adopt internal processes to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services.
  • The FTC wants the industry to make consumer data more available to consumers.  This means allowing for increased consumer access to data collected. 

Prediction #3:  The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models. 

Why:  The big boys can afford the administrative burden implicit in procedural protections.  It is just a matter of more money, more people and more oversight.  A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection.  In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that.  I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.

Read it and let me know what you think.

Tags: , , , , , , , , , , , , , , , , , , , , , ,

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

Posted on July 8, 2009 by Aaron Wright

On the 4th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is, brief explanations are available from U.S. Computer Emergency Response Team (CERT) and CNET.]

The U.S. government routinely faces threats like these (note coverage of prior events in 2001 and 2000), but the recent attacks have been especially long lasting, apparently very well coordinated and sophisticated, and “remarkably successful”. In fact, a number of government websites were brought down over the weekend and some are still experiencing service problems as a result of this attack. [As of this posting, the FTC website is still showing signs of overload.] Of particular note is that the website of at least one agency charged with investigating cybercrime violations in the United States, the Secret Service website, was successfully brought down by this attack.

At the moment, the source of the attack is unknown, but some are reporting that North Korea is behind the attack. In particular, there is some suggestion that North Korea may be running a “cyber warfare unit” which is tasked with hacking into military websites and disrupting traffic to those sites.  If such reports are accurate, then we have seen a demonstration that a hostile government has the capability to disrupt traffic to government websites, even the websites of government agencies involved in cyber security. Of course, the apparent impact of these attacks has been minimal, they have effectively disrupted the use of public websites, but there appears to be little lasting impact.

U.S. officials have not issued any public comment on the attacks. 

Links:

 

Tags: , , , , , , , ,

Limits of Privacy in Schools: Supreme Court Hears Arguments on School Strip Search Case

Posted on April 21, 2009 by Aaron Wright

Today, the Supreme Court heard oral arguments in Safford Unified School v. Redding, a dispute concerning the propriety of a school-ordered a strip-search of a 13-year-old student who was believed to be in possession of prescription strength ibuprofen in violation of the school’s zero-tolerance drug policy.  The case has received a good deal of media coverage (see the New York Times article for an example) because the facts are attention grabbing.  But, attention-grabbing facts aside, the case has the potential to clarify the Fourth Amendment rights of students and, in particular, whether suspicion of violating school policy may justify strip searches in schools.

The Supreme Court granted certiorari, in part, to address the question (.pdf): “Whether the Fourth Amendment prohibits public school officials from conducting a search of a student suspected of possessing and distributing a prescription drug on campus in violation of school policy.”  Early reporting from today’s oral arguments suggests that the Court is likely to reach that question.  

Links:

Tags: , , ,

Cyberspies Penetrate U.S. Power Grid

Posted on April 9, 2009 by Jeff Bone

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system.  According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system.  More importantly, the intruders could attempt to damage the system during a war or other national security crisis.

Evidently, there have been a growing number of intrusions over the past year, most of which were detected by intelligence agencies and not the companies actually in charge of the infrastructure.  According to officials, the software left behind "could be used to destroy infrastructure components," and "water, sewage and other infrastructure systems were at risk."  These same officials cautioned, however, that "the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger."

The Journal also notes that "protecting the electrical grid and other infrastructure is a key part of the Obama's administration cybersecurity review, which is to be completed next week" (Aaron Wright's post on this blog regarding the review can be found here).  One also wonders if news of this breach will increase momentum for a cybersecurity bill recently introduced in the Senate (see my post here).  That bill would give the President power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network (which would presumably include the electricity grid) and would also require that infrastructure companies meet new security standards.

Links:

Tags: , , , ,

Big Bump in Federal Cybersecurity Spending?

Posted on April 7, 2009 by Aaron Wright

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation's computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to be in the billions of dollars annually and that future attacks could cause physical harm or serious financial chaos. 

While future spending levels will not be set until after the White House's 60-day review of the nation's information infrastructure is completed,  the potential move has sent major defense contractors and consulting groups scrambling to capture a share of the potential spending. The Journal reports that defense contractors are adding, growing, and consolidating their cybersecurity capabilities and bumping up against already established consulting firms in the process. Foreign defense contractors are also apparently looking to become involved and are buying smaller firms and making strategic hires to position themselves.

Links:

Tags: , , , ,

Newly released opinions on privacy shed light on past government practices

Posted on March 3, 2009 by Aaron Wright

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve out for domestic military operations. The DOJ opinion, written by Deputy Assistant Attorney General John C. Yoo and Special Counsel Robert J. Delahunty, also concluded that these constitutionally exempt counter-terrorism operations would include “making arrests, seizing documents or other property, searching persons or places or keeping them under surveillance, intercepting electronic or wireless communications, setting up roadblocks, interviewing witnesses, and searching for suspects.” The evidence recovered from these operations could then be used “for criminal investigations or prosecutions.”

Commentators have reacted with concern to the opinion as it placed the power to decide whether or not the Fourth Amendment applied to a military action in the hands of the President (“If the President concludes that it is necessary to use military force domestically to counter [terrorists], the Fourth Amendment should be no more relevant than it would be in cases of invasion or insurrection.”).  Many have also noted that have noted that because NSA is part of the military, this opinion was probably part of the justification for the past administration’s warrantless wire-tapping program, which caused great concerns among civil libritarians.

It is unlikely that this opinion will govern during the Obama presidency: the DOJ formally renounced this opinion on January 15, 2009.  However, the disclosure of this opinion does help shed light on (or confirm) the last administration's view of privacy during the war on terror.

Links:

  • Department of Justice website
  • The October 23, 2001 opinion can be found here (.pdf) or from the DOJ’s website here (.pdf)
  • Department of Justice Press Release announcing the disclosure of the opinion memorandum is available here or from the DOJ’s website here
  • Glenn Greenwald’s column “The newly released secret laws of the Bush administration” is available here
  • National Security Agency website
  • New York Times article “Memos Reveal Scope of the Power Bush Sought” is here (registration required)
  • New York Times article first reporting on the warrantless wiretapping program is here (registration required).
Tags: , , , , , , , ,

A bad week for the government - data breaches at federal organizations on the rise

Posted on February 12, 2009 by Aaron Wright

 It has been a bad week for the federal government's own information security track record.

The first story comes from the FAA where hackers broke into the agency’s computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the past year alone. In both instances the American people appear to have dogged a bullet. The electronic intrusion into the FAA appears to have been limited to a raid of personal information and did not interfere with air traffic control systems.  Also, the physical thefts at Los Alamos apparently did not result in the disclosure of any classified data (e.g., information on the U.S. nuclear stockpile), though what information was taken is still unknown. In both cases governmental entities that we hope would be heavily secured against  both electronic and physical thefts appear to have suffered embarassing breaches.  The moral (one hopes) is that while there may be no such thing as perfect security, all of us - including our friends in the government - may need to be working a bit harder and should have a plan in place ahead of time for managing any incidents that eventually arise.

Links:

Federal Aviation Administration website

Los Alamos National Laboratory website

Tags: , , , , , , , , ,