Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

As promised in our earlier entry, here is our detailed discussion of the Supreme Court's decision in Sorrell v. IMS Health, Inc., written by Colin J. Zick, Pat A. Cerundolo, and Tad Heuer.

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors. The following summarizes this ruling and its potential consequences for those involved in these industries.

Background

The case concerned Vermont’s 2007 Act Relating to Increasing Transparency of Prescription Drug Pricing and Information. The Vermont law prohibited pharmacies and similar entities from selling information about physician prescription patterns (“prescriber-identifiable data”), and prohibited pharmaceutical manufacturers from using such data for marketing purposes without the express consent of prescribers. As a result, the law severely restricted the ability of pharmaceutical sales representatives to tailor their “detailing” presentations (the trade term used to describe routine pharmaceutical marketing presentations) to the needs of individual prescribers. The law did include an exception for the use of prescriber-identifiable data in healthcare research.

IMS Health, an entity that collects and sells prescriber data, challenged the law in the United States District Court in Vermont. The District Court upheld the law, finding that it was a valid and constitutional restriction on commercial speech, given Vermont’s asserted interests in both healthcare cost containment and public health. On appeal, the Second Circuit Court of Appeals reversed, finding that these justifications were inadequate. The Second Circuit ruled that the law violated the First Amendment by burdening the speech of pharmaceutical marketers and data mining entities. The United States Supreme Court granted certiorari in order to reconcile the conflict between the Second Circuit’s decision to strike down the Vermont law, and the First Circuit’s recent decision to uphold a similar New Hampshire law.

Supreme Court Ruling

In ruling in favor of IMS Health and affirming the Second Circuit, the Supreme Court first found that the text of the Vermont law constituted more than an incidental burden on speech, as it explicitly disfavored both specific speakers (pharmaceutical manufacturers) and specific contents of speech (marketing activities), and was thus subject to a “heightened” standard of judicial scrutiny. The Court also observed that the law’s legislative history clearly indicated that its express purpose was to diminish the effectiveness of brand-name pharmaceutical marketing efforts. Second, the Court concluded that the Vermont law directly regulated the content of that speech, and was therefore not solely a commercial regulation (whose constitutionality could have been analyzed using a level of judicial scrutiny more deferential to Vermont). Third, the Court ruled that the Vermont law restrained the use and dissemination of information about prescriber habits, and thus specifically burdened the marketing speech of pharmaceutical companies. As a result, the Court ruled that the Vermont law violated the First Amendment.

Further, the Court noted that even if the Vermont law were viewed only as a limitation on commercial speech, the law still would have failed to pass constitutional muster, as it did not directly and proportionately advance any of Vermont’s asserted reasons for its necessity: physician privacy, healthcare cost control, or public health generally. First, the Court reasoned that the law could not be said to protect physician privacy, because the law still authorized pharmacies to share prescriber-identifying information with essentially anyone for any reason other than marketing. Second, the Court found that Vermont’s indirect approach to controlling healthcare costs — passing a law that restrained speech in an effort to diminish the perceived influence of detailing — constituted a disproportionate burden on free speech. Third, the Court emphasized that the dissemination of truthful information about pharmaceuticals may actually improve public health, by helping prescribers make more informed decisions. Indeed, the Court observed that far from being either false or misleading — two situations in which the Court has previously permitted limited regulation of commercial speech — there was no evidence that the “detailing” at issue here was anything but truthful. In conclusion, the Court observed that the mere fact that Vermont “finds [certain forms of] expression too persuasive does not permit [Vermont] to quiet the speech or to burden its messengers.”

In dissent, Justice Breyer (joined by Justices Ginsburg and Kagan) argued that although the Vermont law may have adversely affected speech, it did so only as part of a lawful governmental effort to regulate a commercial enterprise. Breyer emphasized that the prescriber information is only retained because pharmacists are required by law to do so, and argued that in such a situation, the First Amendment does not require the Court to apply a heightened level of judicial scrutiny. Breyer further argued that even if “intermediate” scrutiny were applied to the Vermont law (the legal standard that is usually applied to a review of restrictions on purely commercial speech), the Vermont law would have met this test. Breyer concluded that the law directly advanced Vermont’s substantial interest in public health because it would encourage detailing discussions that focused on safety, effectiveness, and cost, rather than on past prescribing history.

Outlook

The Supreme Court’s Sorrell decision is an important development for the pharmaceutical, medical device, biotechnology, and related sectors, because it confirms the legal right of industry sales staff to access prescriber-identifiable data for marketing and other purposes. The Sorrell ruling will almost certainly require a reexamination of similar statutory and regulatory restrictions in other states, particularly if those state laws burden the access to and use of this type of prescriber information.

Finally, it remains to be seen whether Sorrell represents a move toward granting commercial speech greater constitutional protections than it has been afforded in the past. The Court concluded that the Vermont law would have been unconstitutional under either the “intermediate” scrutiny standard traditionally applied to commercial speech regulations or the “heightened scrutiny” standard alluded to by the majority. However, the implication that a new “heightened” standard exists in the commercial speech context — and precisely what such a standard would look like in practice — is a development that merits being monitored closely.

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standards (PCI DSS), standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements. Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell.

The payment card industry has long been leading the charge in protecting personal data. Governments often react to issues rather than regulate proactively, but private industry must try to anticipate problems before they happen. As such, private standards generally are better at protecting personal information than state statutes and regulations. Businesses always must be two steps ahead of identity thieves in order to protect consumer data and thrive in the marketplace; the price of not doing so is high, as Sony and others have learned and continue to learn. Given this, it’s not a surprise the AG looked to PCI DSS as a new legal standard.

Will 2011 Bring Us "Do Not Track" Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1) This is an area where bipartisan consensus is possible.

2) The industry powers will fight against “Do Not Track” and will win that fight.

3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.

*   *   *
 
"Creepy" is the new "cool" and how to make sure it stays that way
 
Posted by Dave Broadwin on December 14, 2010

The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online. We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly.

Mark’s comment: 

“It is creepy that ‘they’ can and do track you out on the net, but ‘creepy is the new cool.’” There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising. It is not just OK by them; it’s a value add. I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy. There are a lot of these folks – perhaps a significant majority of the U.S. population – who feel this way.

In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics. 

Prediction #1:  Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress. 

Why: No Congressperson wants to be opposed to consumer privacy, and when running in the next election they all want to have supported some legislation that passed. Mark (and others) made the point that if you really end tracking, you will end Facebook. So, whatever happens, it won’t be that. However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model.

Prediction #2:  The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something.  The easy things for them to trade are procedural protections for the consumer. 

  • The FTC wants the industry to adopt “privacy by design” principles.  This means that companies should adopt internal processes to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services.
  • The FTC wants the industry to make consumer data more available to consumers.  This means allowing for increased consumer access to data collected. 

Prediction #3:  The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models. 

Why:  The big boys can afford the administrative burden implicit in procedural protections.  It is just a matter of more money, more people and more oversight.  A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection.  In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that.  I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.

Read it and let me know what you think.

NIST Releases Guidance On Protecting Our Digital Energy Infrastructure (Or, Is Big Brother in Our Power Lines?)

The following item was posted recently on Foley Hoag’s Law and Environment blog, and we thought it would be of interest to our readers. 

Posted on September 17, 2010 by Rebecca L. Puskas

Discussion of the Smart Grid usually focuses on efficiencies that may be achieved by a system that responds to real-time information about energy production, distribution and consumption. But the development of this advanced digital infrastructure, with two-way capabilities for communicating information, controlling equipment, and distributing energy, also presents some legitimate information security and privacy concerns. For example, a disgruntled employee or a terrorist with the right computer skills could penetrate a network and alter load conditions to destabilize the grid in unpredictable ways. The grid may also be compromised by inadvertent events such as equipment failures and natural disasters.

On the privacy side, the Smart Grid will greatly expand the amount of data that can be monitored, collected, aggregated and analyzed. For example, information about specific appliances and generators used by consumers can be tracked from the electric information “signatures” they produce. The driver of an electric vehicle will also leave an electrical roadmap of her travels. 

"Data, Data Everywhere" -- Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere: A special report on managing information." It features a series of articles on the volume of information that is overtaking business and society, and the means by which businesses and governments are responding.