e-Matters, Privacy, and More: What YOU Need to Know!
Presented by: Brian T. Casey, Partner; Patrick J. Hatfield, Partner
October 13, 2009
Association of Corporate Counsel – Georgia Chapter Monthly Luncheon
ATL Doc# 381372_3
Agenda
• Preliminary Comments
• 6 Point Risk Framework
• Case Law Update
• Overview of e-Payments
• e-Delivery
• Assurances for your e-Sign vendor/IT Department
• Telemarketing Rules Updates
• Privacy & Security Laws Updates
• Q & A
Preliminary Comments
• A reasonably well designed process, supported by solid technology, can actually reduce risk relative to the traditional process
• It’s more about process and workflow than it is about technology, but technology plays an important role
Preliminary Comments
• In designing where the records will be stored and which records will be kept, consider long-term e-discovery implications
• Use of e-signatures for existing customers still presents a huge opportunity for savings and customer retention
Preliminary Comments
• Consider use of e-sign process for your workforce for various acknowledgements, authorizations, enrollments, elections and deliveries
• Consider buying the solutions rather than building - the choice of vendors continues to improve
Preliminary Comments
• See link for more info: http://www.lockelord.com/services/ServiceDetail.aspx?service=371
• Occasionally we will send out an e-Matters alert on this and related topics, refer to last slide for more information
Basics of e-Sign Laws in the U.S.
• Federal e-Sign law effective Oct 1, 2000
• 47 states have adopted UETA (not IL, NY or WA)
• Preemption in fed law limits state variation
• Companies can implement a national e-sign process
Basics of e-Sign Laws in the U.S.
• “e-Signature”: electronic sound, symbol, or process attached to or logically associated with a contract or record and executed or adopted with intent to sign the record
- Many different forms of e-sign technologies
- Clicking “I AGREE” or saying “I AGREE”
- One may sign electronically a tangible document
- May use a voice signature to sign a “hard copy”
Basics of e-Sign
• e-Sign laws don’t elevate e-signatures; they provide only that signatures and records may not be denied because they are electronic
• All other contract principles apply, such as evidentiary rules, unconscionability, fraud, etc.
Basics of e-Sign
• Documents required to be provided in writing may be e-delivered
• Consumer disclosures may be e-delivered, with an extra step
Voice Signatures
• Single call to do it all
• “4 Corners” principle
• Consumer disclosure challenge
• Need to audit
• Viable alternatives
• Shroyer v. New Cingular Wireless
6 Point Risk Framework
e-Signature Mock Trials
• Why we did it
• Online customer purchase scenario
• Key Lessons:
– Challenge of conveying complex testimony about technology system and process
– Proper e-signature process and audit trail may reduce risks existing in current processes
Web: Unknown Customer (Work Flow Process Diagram; diagram not reproduced)
6-Point Framework
• Developed over time from risks identified by clients and attendees at sessions like this
• Framework helps distinguish the risks, so the mitigation strategy can be matched to the level of paranoia
• Helps multi-disciplinary team communicate
6-Point Framework: Risks
• Authentication Risk – “That’s not my signature”
• Repudiation Risk – “That’s not what I signed”
• Admissibility Risk – “Objection, your honor!”
• Compliance Risk – “I never saw that”
• Adoption Risk – “Am I done yet?”
• Relative Risk – “How does it compare to the traditional way?”
6-Point Framework: Mitigants
• Authentication Risk – Use “shared secrets” or other ways to affirm identity
• Repudiation Risk – Hash each document and hash the audit trail
• Admissibility Risk – Determine who is able and willing to testify – upfront, read Markel
• Compliance Risk – Varies
• Adoption Risk – Test, adjust, test, repeat
• Relative Risk – Still important
Sample Project 1 - Life Insurance Application E-Signed on PDA
• Scenario: “Turbo App” - Face-to-Face home life insurance solicitation; no consumer device required
• Document at Issue: Life insurance application and life insurance replacement notice and other consumer disclosures with delivery receipt
Sample Project 1 - Life Insurance Application E-Signed on PDA
• Key Law in Play: Insurance code governing insurance application, replacement notice
• Process Design: content provided in paper form but embedded in PDA; customer reads physical content, agent inputs answers in PDA with interactive pop-ups using stylus, customer signs on PDA and signed documents printed for customer on site or mailed
Sample Project 2 – e-Delivery of GLBA Privacy Notices
• Project A - Website delivery of e-privacy notice by national personal lines property & casualty insurance agency
• Project B - Telephonic IVR system for written consent to disclosure of non-public personal financial information of personal lines property & casualty insurance customer
Case Law Update
Case Selection Criteria
• Some are employer/employee cases – employees and consumers may be viewed alike by the courts, esp. in area of disclosures
• Our review, based on broad Lexis net, is current
• Receive our e-Matters updates (see last slide)
Long v. Time Insurance Co.
• Federal Court in OH, decided in mid 2008
• Application for health insurance signed by the agent, after it was reviewed and confirmed by the insured (health insurance)
• Policy issued, with app attached
• Based on pre-existing condition discovered at claim time, Time denied coverage
• Insured (rep of insured) claimed insured verbally disclosed pre-existing condition to the agent
Long v. Time Insurance Co.
• Very helpful case for insurers looking for support of use of e-signature in application process, especially where the signed application is provided with the policy issue
• Court discusses various other traditional reasons to hold for Time
• See our extensive write-up on this case
General Dynamics Line of Cases
• Kerr v. Dillard (D. Kansas)
• Verizon Communications v. Pizzirani (Federal Court in PA, 2006)
• Bell v. Hollywood Entertainment Corp. (Ohio Appeals Court, 2006)
• Campbell v. General Dynamics (Federal Court of Appeals 1st Circuit, 2005)
General Dynamics Line of Cases
• Cases are instructive in designing a process (for employees or consumers in the new business process).
- e-Delivery can be effective, regardless of whether the person to be bound actually opens or reads the substantive new terms
- Critical to the process is making the significance of the e-Delivered document very clear and requiring an affirmative act to signify acceptance, such as “clicking” I agree
Point of Sale Process
• Labajo v. Best Buy Stores (Federal Court NY, 2007)
• Process involved selling subscriptions by including not-so-conspicuous notices on printed receipts, when the consumer used the electronic signature pad to sign for purchases
• Case was a class action based on improper charges when plaintiff did not timely cancel “free” subscription
Point of Sale Process
• The court held the process was flawed because BB did not show the keypad made clear to the consumer the consequence of signing for a “free” subscription
• BB compounded the problem by not responding to consumer complaints very well
• Case is noteworthy on the process of making the significance of certain actions very clear and on the class action risk
Voice Signature
• Shroyer v. New Cingular Wireless (Federal Appeals Court, 2007)
• Process involved printed terms and conditions in the box with the phone – to activate the phone, consumer dials a number and electronically accepts the printed terms in the box
• The court held that the process was just fine
• The terms in the box can of course be signed in this fashion
Voice Signature
• The court refused to enforce the terms of the contract signed in this fashion because they were unconscionable
• Case is instructive because, as we have helped clients do, one can use an electronic signature (including saying “I agree”) to sign a hard-copy paper document
Class Action Risk
• Brueggemans v NCOA Select, et al. (Federal District, June 29 2009)
• Process involved website sale of extended-warranty insurance for a phone
• Website T’s & C’s – mandatory arbitration
• By clicking to proceed, consumer accepted T’s & C’s
• Court enforced the T’s & C’s, including arbitration
Class Action Risk
• Automated e-sign processes will result in greater consistency and more accessible record of each person involved
• Consistently right, or consistently wrong
• Possibly greater class action risk
• Options for mitigating the greater class action risk
• Seriously consider the class action risk
Absent Cases
• The opinions re: the processes used in Time, Bell, Verizon and Kerr are helpful for the financial services sector broadly
• We have yet to see the case where the consumer claims he never signed the application for insurance or the loan (Long in Time may have come close) – to do so admits no coverage
Summary
• We’ve yet to see a bad case, but there are a few bad processes
• The courts are not struggling to recognize that electronic signatures can be enforceable
• Take-away: Courts continue confirming e-Delivery and e-Signatures in the employee/consumer settings, as long as the significance of the action accepting new terms is made clear to the person
• Plan for admissibility; we suspect there will be more disputes in this area
Overview of e-Payments
e-Payments
• Remember the other payment laws and rules:
- ACH – Reg E and NACHA rules and the contract with your bank
- Credit cards and debit cards – merchant agreements, PCI standards
• Rules vary by payment type (ACH vs. card) and whether one-time vs. recurring payment
• Consider using a payment processor better equipped to handle some of these compliance burdens
e-Delivery of the Fulfillment Package: Can it be Done?
e-Delivery
• Yes – e-Delivery is permissible
• Requires clear consent from recipient
• Consider obtaining consumer’s consent for e-delivery for all permitted notices, such as:
- GLB annual notices
- FCRA opt-out notices
- Security breach notices
- Other notices that may be required
e-Delivery
• e-Delivery method can reduce risk:
- proof of delivery of complete package
- proof of when delivery occurred
• e-Delivery can also present a quandary: what happens if consumer does not retrieve package/notice?
e-Delivery
• Better method appears to be:
- email alert that something is ready
- consumer logs into secure site to access materials
What Assurances Should You Get From Your e-Sign Vendor or Internal IT Shop?
Assurances from e-Sign Vendors/IT
• Avoid surprises - ask now who will be there to testify on critical points:
– System creates an Audit Trail
– Audit Trail is securely archived
– What is generated and available as evidence
• One credible source reports significantly improved settlement conferences
Assurances from e-Sign Vendors/IT
• Audit Trail and each document/record presented, including each that was signed, are unaltered without detection
• Who will testify as to the above?
Assurances from e-Sign Vendors/IT
• In sum, ask for full sample of what would be generated to prove:
- To a judge, how the company is sure the application with the misrepresentations is in fact what the customer signed; and
- To a regulator, how you are so sure that each and every required disclosure was in fact provided to the PI/PO
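The repudiation mitigant (hash each document and hash the audit trail) and the assurance that the audit trail and every presented document are unaltered without detection both rest on a record that can be re-checked later. As an added illustration, not code from the presentation or from any e-sign vendor, here is a minimal hash-chained audit trail in Python; the session events, document contents and field names are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first entry's prev_hash

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()

def _canonical(entry: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def build_audit_trail(events):
    """Hash each presented document and chain the audit entries together.

    Each entry stores the SHA-256 of the document it presented (never the
    document itself) plus the hash of the previous entry, so altering a
    document, or editing, dropping or reordering an entry, breaks verification.
    """
    trail, prev_hash = [], GENESIS
    for ev in events:
        entry = dict(ev)  # copy so the caller's event dicts are untouched
        if "document" in entry:
            entry["document_sha256"] = sha256_hex(entry.pop("document"))
        entry["prev_hash"] = prev_hash
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        trail.append(entry)
        prev_hash = entry["entry_hash"]
    return trail

def verify_audit_trail(trail, documents):
    """Re-derive every hash. Returns (True, None) or (False, index of first bad entry).

    `documents` maps document_id -> bytes as retrieved from the archive, so an
    application altered after signing is caught as well as an edited trail.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("prev_hash") != prev_hash:
            return False, i  # chain broken: entry edited, removed or reordered
        doc_id = entry.get("document_id")
        if doc_id is not None and sha256_hex(documents.get(doc_id, b"")) != entry.get("document_sha256"):
            return False, i  # archived document no longer matches what was presented
        unsigned = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(_canonical(unsigned)) != entry.get("entry_hash"):
            return False, i  # entry contents changed after it was recorded
        prev_hash = entry["entry_hash"]
    return True, None

# Constructed sample e-sign session: application and disclosure presented, then "I AGREE"
APPLICATION = b"Life insurance application: no pre-existing conditions disclosed."
DISCLOSURE = b"Replacement notice: this policy replaces an existing policy."
SAMPLE_EVENTS = [
    {"seq": 1, "ts": "2009-10-13T12:00:00Z", "action": "presented", "document_id": "app-1", "document": APPLICATION},
    {"seq": 2, "ts": "2009-10-13T12:01:00Z", "action": "presented", "document_id": "notice-1", "document": DISCLOSURE},
    {"seq": 3, "ts": "2009-10-13T12:03:00Z", "action": "clicked_I_AGREE", "signer_ip": "192.0.2.10"},
]
ARCHIVE = {"app-1": APPLICATION, "notice-1": DISCLOSURE}  # constructed archive copy

def demo():
    """Clean archive verifies; an altered application and a dropped disclosure entry do not."""
    trail = build_audit_trail(SAMPLE_EVENTS)
    clean = verify_audit_trail(trail, ARCHIVE)
    altered_doc = verify_audit_trail(trail, dict(ARCHIVE, **{"app-1": APPLICATION + b" Smoker."}))
    dropped_entry = verify_audit_trail([trail[0], trail[2]], ARCHIVE)
    return clean, altered_doc, dropped_entry  # -> ((True, None), (False, 0), (False, 1))
```

The "that's not what I signed" and "I never saw that" claims map directly onto the two failure cases: the archived document no longer hashes to what the trail recorded, or the trail is missing the entry showing the disclosure was presented.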
Telemarketing Rules Updates: Prerecorded Telemarketing Calls and Automatic Telephone Dialing Systems
FTC Telemarketing Sales Rules (TSR) Amendments
• Prerecorded Telemarketing Call Amendment (16 C.F.R. 310)
• Prerecorded = Not defined, but should mean any message not delivered by a live human voice
• Requires specific opt-out mechanisms for customers (effective December 2008)
• Requires prior written consent for placing pre-recorded calls to consumers, including those with established business relationship (effective September 2009)
• Preempts less restrictive state laws but does not preempt more restrictive state laws
• Healthcare/HIPAA exemption
Prerecorded Telemarketing Opt-Out Requirement Rules
• Minimum 15 seconds/4 rings before disconnecting an unanswered call
• Within 2 seconds of end of greeting, call must identify seller, state purpose is to sell, describe product/service, followed immediately by:
- In-person answered calls: provide opt-out via IVR or keypad usable anytime during call, which must add caller’s number to DNC list and disconnect call
- Answering machine/voice mail answered calls: provide toll-free phone number for opt-out that connects to opt-out via IVR or keypad, which must add caller’s number to DNC list and disconnect call
Prerecorded Telemarketing Prior Written Consent Rules
• Request for written consent must be preceded by a “clear and conspicuous” disclosure to consumer that agreement authorizes seller to make prerecorded sales calls to consumer
• Consent must be in writing and cannot be a condition of buying product or service
• Consent must have callee’s telephone number and signature
• E-signature for consent expressly recognized by amended rule
Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• “Automatic Telephone Dialing System” (ATDS) = equipment with capacity to (1) store or produce telephone numbers, using a random or sequential number generator, and (2) to dial such numbers
• TCPA prohibits using ATDS to call cell number or other service for which called party is charged (not limited to telemarketing calls)
Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• TCPA prohibits calls using artificial or prerecorded voice to residential number except:
- Prior express consent of called person;
- Emergencies; or
- FCC exemption by order or rule
Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• FCC Declaratory Ruling (December 2007, ACA International)
- Calls to cell numbers provided by debtor in connection with existing debt are made with prior express consent
- Predictive Dialer is a form of Automatic Telephone Dialing System, rejecting argument that predictive dialer is not ATDS if it is used from a list of numbers which are not randomly or sequentially generated
Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
- Plaintiff contended that Defendant violated TCPA when her minor son received promotional text message after she agreed to receive promotional texts when she purchased a ring tone from Nextones, an affiliated brand of the defendant.
- Defendant argued no violation of TCPA as no ATDS was used and prior consent was granted.
Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
- “Yes! I would like to receive promotions from Nextones affiliates and brands. Please note, that by declining you may not be eligible for our FREE content.”
- “By clicking Submit, you accept that you have read and agreed to the Terms and Conditions.” The Terms and Conditions state that Nextones and its affiliates may use a user’s mobile phone number in connection with any text message offering or other campaign.
Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
- Court determined that there was no violation of the TCPA because the equipment used to send text messages was not an “automatic telephone dialing system” and because Plaintiff consented to receipt of text messages.
- Summary Judgment in favor of Defendant
Recent Key Cases
• Satterfield v. Simon & Schuster (9th Cir. 2009)
- Reversed grant of summary judgment
- Material question of fact whether the dialing system at issue had the “capacity” to store or produce randomly or sequentially generated numbers and to dial them; issue was not whether the system actually randomly or sequentially stored or produced the numbers
- Text Message = a call
- No consent as Simon & Schuster not an affiliate of Nextones
Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
- Plaintiff debtor claimed in class action that Defendant creditor violated TCPA when it contacted her cell phone using an autodialer to provide a prerecorded debt collection message.
- Defendant contended that the Plaintiff had consented to being contacted via her cell phone through providing her cell phone on loan application.
Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
- Court found that Defendant violated the TCPA when it called Plaintiff’s cell phone using an autodialer and prerecorded messages without plaintiff’s “prior express consent.”
- Plaintiff providing cell phone number during loan process was, at best, implied consent, but not express consent, rejecting FCC’s prior Declaratory Ruling and noting that the Satterfield consent sufficed.
Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
- Court held that it had jurisdiction in a diversity action under Class Action Fairness Act even though 9th Circuit Court has held state courts have exclusive jurisdiction over TCPA suits.
- Defendant moved for appeal to 9th Circuit Court and then moved to vacate District Court’s summary judgment in favor of Plaintiff on grounds that federal appeals courts have exclusive jurisdiction to review final FCC orders, and Plaintiff moved to amend to add new plaintiffs who did not provide cell numbers to Defendant
- Court dismissed case on jurisdictional FCC order review grounds
Privacy & Security Laws Updates: Data Security Breach Laws
State Security Breach Laws Update
• 45 states now have data security breach statutes (AL, KY, MS, NM and SD do not) - wide disparity
• Massachusetts (Chapter 93H)/OCABR’s Security Breach Regulation
- Applies to all persons that own, license or store personal information about a Mass resident
- Implement, maintain and monitor written comprehensive information security program - more detailed standards than the vast majority of other states’ data security laws
- Originally required contracts with 3rd party service providers, but now relaxed to reasonable verification requirement
- Originally required encryption of all personal information transmitted, but now requires only encryption of personal information transmitted wirelessly and stored on laptops or other portable devices
- Compliance date extended to March 1, 2010
State Security Breach Laws Update
• Nevada
- Original law (NRS 597.970) effective October 1, 2008, but replaced with revised law (NRS 603A) effective January 1, 2010
- Mandates encryption of electronic transmission of personal information (same as NV security breach law) by “a business in NV.”
- New law codifies encryption based on Payment Card Industry Data Security Standard for persons that accept credit card payments and for all other persons requires encryption using technology adopted by standards setting body, including National Institute of Standards & Technology
HIPAA Security Breach Notification Regulations
• The American Recovery and Reinvestment Act of 2009
• Health Information Technology for Economic and Clinical Health (HITECH) Act
- Stimulus package included funds to increase use of Electronic Health Records (EHRs)
• HITECH Act contained significant changes to HIPAA laws and rules, many of which will significantly impact Business Associates (BA) and their relationships with Covered Entities (CE)
• Key element of which is notice obligations of CEs and BAs for security breach of unsecured protected health information
HIPAA Security Breach Notification Regulations
• CEs and their BAs must provide certain notification in the event of a breach of protected health information (PHI).
– “Breach” – The acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
• Interim Final Rule published August 24, 2009 and effective September 23, 2009; enforcement is delayed until February 22, 2010
What is a Breach? Step 1: Secured vs. Unsecured PHI
• Does the potential “breach” involve unsecured PHI?
– PHI is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information.
– PHI is unsecured if it is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of specified technology or methodology.
– The methodologies have been designated in guidance from DHHS
What is a Breach? Step 2: Privacy Rule Violation Occurrence
• Has there been an impermissible use or disclosure?
– Must determine whether the alleged “breach” violates the Privacy Rule.
– Violation must involve the use or disclosure of PHI.
– A violation of an administrative requirement (e.g., inadequate policies or training) would not constitute a breach unless it results in a use or disclosure of PHI in violation of the Privacy Rule
– A violation of the security rule would not suffice unless it resulted in an impermissible use or disclosure of PHI.
What is a Breach? Step 3: Risk Assessment
• Does the potential “breach” result in a significant risk to the subject individual?
– Conduct a fact-specific risk assessment
• Consider who used the PHI and to whom it was disclosed
• Was the potential breach mitigated?
• Was the PHI returned prior to being improperly accessed?
• What is the type and amount of PHI involved? Can it reasonably cause financial, reputational or other harm?
– CE or BA has the burden of proof in demonstrating that no breach has occurred
– Strong documentation of the risk assessment is best defense
What is a Breach? Step 4: Exceptions
• Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA
• Inadvertent disclosure by a person who is authorized to access PHI at the CE or BA to another person authorized to access PHI at same CE, BA or organized health care arrangement
• Disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
• CE and BA have the burden of proof for showing why breach notification was not required.
Summary of Covered Entity’s Notification Obligations
• Individual notification by first class mail required (unless individual has consented to electronic notice)
• Substitute notice required if contact info is out of date. For 10 or more, must either post on website for 90 days or post notice in major print or broadcast media for 90 days
• Media notification required for breach involving 500 or more residents of a state or jurisdiction
Summary of Covered Entity’s Notification Obligations
• Must notify DHHS
• If more than 500 people involved, then notify at the time
• If less, then file log on annual basis
Summary of Business Associate’s Notification Obligations
• Notify applicable CE without unreasonable delay and in no case later than 60 calendar days after discovery of breach.
• Time period for breach notification begins when incident is first known, not when investigation of incident is complete, even if it is initially unclear whether the incident constitutes a breach.
• Multiple CEs – BA should notify only the CE to which the breached information relates. If the breach involves unsecured PHI of multiple CEs and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected CEs.
• Individuals should not receive notifications from both CE and the BA about the same breach.
For further information/materials or to be added to our e-Matters email alert, please send your request
Questions? Answers!
Brian T. [email protected]
Patrick J. [email protected]