- Number of slides: 73
e-Matters, Privacy, and More: What YOU Need to Know!
Presented by: Brian T. Casey, Partner; Patrick J. Hatfield, Partner
October 13, 2009
Association of Corporate Counsel – Georgia Chapter Monthly Luncheon
TL Doc# 381372_3

Agenda
• Preliminary Comments
• 6 Point Risk Framework
• Case Law Update
• Overview of e-Payments
• e-Delivery
• Assurances for your e-Sign vendor/IT Department
• Telemarketing Rules Updates
• Privacy & Security Laws Updates
• Q&A

Preliminary Comments
• A reasonably well designed process, supported by solid technology, can actually reduce risk, relative to traditional process
• It’s more about process and workflow than it is about technology, but technology plays important role

Preliminary Comments
• In designing where the records will be stored and which records will be kept, consider long-term e-discovery implications
• Use of e-signatures for existing customers still presents a huge opportunity for savings and customer retention

Preliminary Comments
• Consider use of e-sign process for your workforce for various acknowledgements, authorizations, enrollments, elections and deliveries
• Consider buying the solutions rather than building - the choice of vendors continues to improve

Preliminary Comments
• See link for more info: http://www.lockelord.com/services/ServiceDetail.aspx?service=371
• Occasionally we will send out an e-Matters alert on this and related topics, refer to last slide for more information

Basics of e-Sign Laws in the U.S.
• Federal e-Sign law effective Oct 1, 2000
• 47 states have adopted UETA (not IL, NY or WA)
• Preemption in fed law limits state variation
• Companies can implement a national e-sign process

Basics of e-Sign Laws in the U.S.
• “e-Signature”: electronic sounds, symbol, or process attached to or logically associated with a contract or record and executed or adopted with intent to sign the record
  - Many different forms of e-sign technologies
  - Clicking “I AGREE” or saying “I AGREE”
  - One may sign electronically a tangible document
  - May use a voice signature to sign a “hard copy”

Basics of e-Sign
• e-Sign laws don’t elevate e-signatures, just that signatures and records may not be denied because they are electronic
• All other contract principles apply, such as evidentiary rules, unconscionability, fraud, etc.

Basics of e-Sign
• Documents required to be provided in writing may be e-delivered
• Consumer disclosures may be e-delivered, with an extra step

Voice Signatures
• Single call to do it all
• “4 Corners” principle
• Consumer disclosure challenge
• Need to audit
• Viable alternatives
• Shroyer v. New Cingular Wireless

6 Point Risk Framework

e-Signature Mock Trials
• Why we did it?
• Online customer purchase scenario
• Key Lessons:
  – Challenge of conveying complex testimony about technology system and process
  – Proper e-signature process and audit trail may reduce risks existing in current processes

[Diagram] Web: Unknown Customer Work Flow Process Diagram

6-Point Framework
• Developed over time from risks identified by clients and attendees at sessions like this
• Framework helps distinguish the risk, to match the mitigation strategy with level of paranoia
• Helps multi-disciplinary team communicate

6-Point Framework: Risks
• Authentication Risk – “That’s not my signature”
• Repudiation Risk – “That’s not what I signed”
• Admissibility Risk – “Objection, your honor!”
• Compliance Risk – “I never saw that”
• Adoption Risk – “Am I done yet?”
• Relative Risk – “How does it compare to the traditional way?”

6-Point Framework: Mitigants
• Authentication Risk – Use “shared secrets” or other ways to affirm identity
• Repudiation Risk – Hash each document and hash the audit trail
• Admissibility Risk – Determine who is able and willing to testify – upfront, read Markel
• Compliance Risk – Varies
• Adoption Risk – Test, adjust, test, repeat
• Relative Risk – Still important

Sample Project 1 - Life Insurance Application E-Signed on PDA
• Scenario: “Turbo App” - Face-to-Face home life insurance solicitation; no consumer required device
• Document at Issue: Life insurance application and life insurance replacement notice and other consumer disclosures with delivery receipt

Sample Project 1 - Life Insurance Application E-Signed on PDA
• Key Law in Play: Insurance code governing insurance application, replacement notice
• Process Design: content provided in paper form but embedded in PDA; customer reads physical content, agent inputs answers in PDA with interactive pop-ups using stylus, customer signs on PDA and signed documents printed for customer on site or mailed

Sample Project 2 – e-Delivery Notices of GLBA Privacy Notices
• Project A - Website delivery of e-privacy notice by national personal lines property & casualty insurance agency
• Project B - Telephonic IVR system for written consent to disclosure of non-public personal financial information of personal lines property & casualty insurance customer

Case Law Update

Case Selection Criteria
• Some are employer/employee cases – employees and consumers may be viewed alike by the courts, esp. in area of disclosures
• Our review, based on broad Lexis net, is current
• Receive our e-Matters updates (see last slide)

Long v. Time Insurance Co.
• Federal Court in OH, decided in mid 2008
• Application for health insurance signed by the agent, after reviewed and confirmed by insured (health insurance)
• Policy issued, with app attached
• Based on pre-existing condition discovered at claim time, Time denied coverage
• Insured (rep of insured) claimed insured verbally disclosed pre-existing condition to the agent

Long v. Time Insurance Co.
• Very helpful case for insurers looking for support of use of e-signature in application process, especially where the signed application is provided with the policy issue
• Court discusses various other traditional reasons to hold for Time
• See our extensive write-up in on this case

General Dynamics Line of Cases
• Kerr v. Dillard (D. Kansas)
• Verizon Communications v. Pizzirani (Federal Court in PA, 2006)
• Bell v. Hollywood Entertainment Corp. (Ohio Appeals Court, 2006)
• Campbell v. General Dynamics (Federal Court of Appeals 1st Circuit, 2005)

General Dynamics Line of Cases
• Cases are instructive in designing a process (for employees or consumers in the new business process).
  - e-Delivery can be effective, regardless of whether the person to be bound actually opens or reads the substantive new terms
  - Critical to the process is making the significance of the e-Delivered document very clear and requiring an affirmative act to signify acceptance, such as “clicking” I agree

Point of Sale Process
• Labajo v. Best Buy Stores (Federal Court NY, 2007)
• Process involved selling subscriptions by including not-so-conspicuous notices on printed receipts, when the consumer used the electronic signature pad to sign for purchases
• Case was a class action based on improper charges when plaintiff did not timely cancel “free” subscription

Point of Sale Process
• The court held the process was flawed because BB did not show the keypad made clear to the consumer the consequence of signing for a “free” subscription
• BB compounded by not responding to consumer complaints very well
• Case is noteworthy on the process of making the significance of certain actions very clear and the class action risk

Voice Signature
• Shroyer v. New Cingular Wireless (Federal Appeals Court, 2007)
• Process involved printed terms and conditions in the box with the phone – to activate the phone, consumer dials a number and electronically accepts the printed terms in the box
• The court held that the process was just fine
• The terms in the box can of course be signed in this fashion

Voice Signature
• The court refused to enforce the terms of the contract signed in this fashion, they were unconscionable
• Case is instructive because, as we have helped clients do, one can use an electronic signature (including saying “I agree”) to sign a document in hard paper

Class Action Risk
• Brueggemans v NCOA Select, et al. (Federal District, June 29 2009)
• Process involved website sale of insurance - extended warranty insurance for a phone
• Website T’s & C’s – mandatory arbitration
• By clicking to proceed, consumer accepted T’s & C’s
• Court enforced the T’s & C’s, including arbitration

Class Action Risk
• Automated e-sign processes will result in greater consistency and more accessible record of each person involved
• Consistently right, or consistently wrong
• Possibly greater class action risk
• Options for mitigating the greater class action risk
• Seriously consider the class action risk

Absent Cases
• The opinions re: the processes used in Time, Bell, Verizon and Kerr are helpful for the financial services sector broadly
• We have yet to see the case where the consumer claims he never signed the application for insurance or the loan (Long in Time may have come close) – to do so admits no coverage

Summary
• We’ve yet to see a bad case, but there are a few bad processes
• The courts are not struggling to recognize electronic signatures can be enforceable
• Take-away: Courts continue confirming e-Delivery and e-Signatures in the employee/consumer settings, as long as it is made clear to the person the significance of the action accepting new terms
• Plan for admissibility, we suspect there will be more disputes in this area

Overview of e-Payments

e-Payments
• Remember the other payment laws and rules:
  - ACH – Reg E and NACHA rules and the contract with your bank
  - Credit cards and debit cards – merchant agreements, PCI standards
• Rules vary by payment type (ACH vs. card) and whether one-time vs. recurring payment
• Consider using payment processor better equipped to handle some of these compliance burdens

e-Delivery of the Fulfillment Package: Can it be Done?

e-Delivery
• Yes – e-Delivery is permissible
• Requires clear consent from recipient
• Consider obtaining consumer’s consent for e-delivery for all permitted notices, such as:
  - GLB annual notices
  - FCRA opt-out notices
  - Security breach notices
  - Other notices that may be required

e-Delivery
• e-Delivery method can reduce risk:
  - proof of delivery of complete package
  - proof of when delivery occurred
• e-Delivery can also present a quandary: what happens if consumer does not retrieve package/notice?

e-Delivery
• Better method appears to be:
  - email alert that something is ready
  - consumer logs into secure site to access materials

What Assurances Should You Get From Your e-Sign Vendor or Internal IT Shop?

Assurances from e-Sign Vendors/IT
• Avoid surprises - ask now who will be there to testify on critical points:
  – System creates an Audit Trail
  – Audit Trail is securely archived
  – What is generated and available as evidence
• One credible source reports significantly improved settlement conferences

Assurances from e-Sign Vendors/IT
• Audit Trail and each document/record presented, including each that was signed, are unaltered without detection
• Who will testify as to the above?
• Requires specific opt-out mechanisms for customers

Assurances from e-Sign Vendors/IT
• In sum, ask for full sample of what would be generated to prove:
  - To a judge, how the company is sure the application with the misrepresentations is in fact what the customer signed; and
  - To a regulator, how you are so sure that each and every required disclosure was in fact provided to the PI/PO
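
The “hash each document and hash the audit trail” mitigant and the “unaltered without detection” assurance above, shown as an added Python example (not code from the presenters or from any e-sign vendor). The entry fields, the sample documents and the separately archived head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry in a trail


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so hashing is repeatable.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(blob.encode("utf-8"))


def append_event(trail, timestamp, event, doc_id, document):
    """Add an entry that commits to the document bytes and the prior entry."""
    body = {
        "seq": len(trail),
        "timestamp": timestamp,
        "event": event,
        "doc_id": doc_id,
        "doc_sha256": sha256_hex(document),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    trail.append(dict(body, entry_hash=entry_digest(body)))
    return trail[-1]["entry_hash"]  # new head; archive it apart from the trail


def verify(trail, documents, archived_head):
    """Return a list of findings; an empty list means no alteration detected."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            findings.append(f"entry {i}: chain broken (insert, delete or reorder)")
        if entry_digest(body) != entry.get("entry_hash"):
            findings.append(f"entry {i}: audit entry altered")
        doc = documents.get(body.get("doc_id"))
        if doc is None or sha256_hex(doc) != body.get("doc_sha256"):
            findings.append(f"entry {i}: document {body.get('doc_id')} missing or altered")
        prev = entry.get("entry_hash")
    # Without this check, dropping the last entries or recomputing the whole
    # chain would go unnoticed: the head must be held where the trail's
    # custodian cannot rewrite it.
    if prev != archived_head:
        findings.append("head mismatch: trail truncated or rebuilt")
    return findings


# Constructed sample: a disclosure is presented, then an application is signed.
DOCS = {
    "disclosure-v1": b"Replacement notice text shown to the applicant",
    "application": b"Q7 pre-existing conditions: none. Signed: /s/ J. Doe",
}


def build_sample():
    trail = []
    append_event(trail, "2009-10-13T15:02:11Z", "presented", "disclosure-v1", DOCS["disclosure-v1"])
    head = append_event(trail, "2009-10-13T15:06:40Z", "signed", "application", DOCS["application"])
    return trail, head


if __name__ == "__main__":
    trail, head = build_sample()
    print(verify(trail, DOCS, head))                       # untouched records
    edited = dict(DOCS, application=b"Q7 pre-existing conditions: asthma.")
    print(verify(trail, edited, head))                     # document changed later
    print(verify(trail[:1], DOCS, head))                   # last entry removed
```

The findings list is the kind of output a witness can walk through: which entry or document no longer matches, and whether the trail still ends at the archived head.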
Telemarketing Rules Updates: Prerecorded Telemarketing Calls and Automatic Telephone Dialing Systems

FTC Telemarketing Sales Rules (TSR) Amendments
• Prerecorded Telemarketing Call Amendment (16 C.F.R. 310)
• Prerecorded = Not defined, but should mean any message not delivered by a live human voice
• Requires specific opt-out mechanisms for customers (effective December 2008)
• Requires prior written consent for placing prerecorded calls to consumers, including those with established business relationship (effective September 2009)
• Preempts less restrictive state laws but does not preempt more restrictive state laws
• Healthcare/HIPAA exemption

Prerecorded Telemarketing Opt-Out Requirement Rules
• Minimum 15 seconds/4 rings before disconnecting an unanswered call
• Within 2 seconds of end of greeting, call must identify seller, state purpose is to sell, describe product/service followed immediately by:
  - In Person answered calls - provide opt-out via IVR or keypad usable anytime during call, which must add caller’s number to DNC list and disconnect call
  - Answering Machine/Voice Mail answered calls - provide toll-free phone number for opt-out that connects to opt-out via IVR or keypad, which must add caller’s number to DNC list and disconnect call

Prerecorded Telemarketing Prior Written Consent Rules
• Request for written consent must be preceded by a “clear and conspicuous” disclosure to consumer that agreement authorizes seller to make prerecorded sales calls to consumer
• Consent must be in writing and cannot be condition to buying product or service
• Consent must have callee’s telephone number and signature
• E-signature for consent expressly recognized by amended rule

Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• “Automatic Telephone Dialing System” (ATDS) = equipment with capacity to (1) store or produce telephone numbers, using a random or sequential number generator, and (2) to dial such numbers
• TCPA prohibits using ATDS to cell number or other service for which called party is charged (not limited to telemarketing calls)

Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• TCPA prohibits calls using artificial or prerecorded voice to residential number except:
  - Prior express consent of called person;
  - Emergencies; or
  - FCC exemption by order or rule

Telephone Consumer Protection Act (TCPA) - Autodialers Rule
• FCC Declaratory Ruling (December 2007, ACA International)
  - Cell numbers provided by debtor in connection with existing debt are made with prior express consent
  - Predictive Dialer is a form of Automatic Telephone Dialing System, rejecting argument that predictive dialer is not ATDS if it is used from a list of numbers which are not randomly or sequentially generated

Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
  - Plaintiff contended that Defendant violated TCPA when her minor son received promotional text message after she agreed to receive promotional texts when she purchased a ring tone from Nextones, an affiliated brand of the defendant.
  - Defendant argued no violation of TCPA as no ATDS was used and prior consent was granted.

Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
  - “Yes! I would like to receive promotions from Nextones affiliates and brands. Please note, that by declining you may not be eligible for our FREE content.”
  - “By clicking Submit, you accept that you have read and agreed to the Terms and Conditions.”
  - The Terms and Conditions state that Nextones and its affiliates may use a user’s mobile phone number in connection with any text message offering or other campaign.

Recent Key Cases
• Satterfield v. Simon & Schuster (N.D. California 2007)
  - Court determined that there was no violation of the TCPA because the equipment used to send text messages was not an “automatic telephone dialing system” and because Plaintiff consented to receipt of text messages.
  - Summary Judgment in favor of Defendant

Recent Key Cases
• Satterfield v. Simon & Schuster (9th Cir. 2009)
  - Reversed grant of summary judgment
  - Material question of fact whether the dialing system at issue had the “capacity” to store or produce randomly or sequentially generated numbers and to dial them; issue was not whether the system actually randomly or sequentially stored or produced the numbers
  - Text Message = a call
  - No consent as Simon & Schuster not an affiliate of Nextones

Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
  - Plaintiff debtor claimed in class action that Defendant creditor violated TCPA when it contacted her cell phone using an autodialer to provide a prerecorded debt collection message.
  - Defendant contended that the Plaintiff had consented to being contacted via her cell phone through providing her cell phone on loan application.

Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
  - Court found that Defendant violated the TCPA when it called Plaintiff’s cell phone using an autodialer and prerecorded messages without plaintiff’s “prior express consent.”
  - Plaintiff providing cell phone number during loan process was, at best, implied consent, but not express consent, rejecting FCC’s prior Declaratory Ruling and noting that the Satterfield consent sufficed.

Recent Key Cases
• Leckler v. CashCall, Inc. (N.D. California 2008)
  - Court held that it had jurisdiction in a diversity action under Class Action Fairness Act even though 9th Circuit Court has held state courts have exclusive jurisdiction over TCPA suits.
  - Defendant moved for appeal to 9th Circuit Court and then moved to vacate District Court’s summary judgment in favor of Plaintiff on grounds that only federal appeals courts have exclusive jurisdiction to review final FCC orders, and Plaintiff moved to amend to add new plaintiffs who did not provide cell numbers to Defendant
  - Court dismissed case on jurisdictional FCC order review grounds

Privacy & Security Laws Updates: Data Security Breach Laws

State Security Breach Laws Update
• 45 states now have data security breach statutes (AL, KY, MS, NM and SD do not) - wide disparity
• Massachusetts (Chapter 93H)/OCABR’s Security Breach Regulation
  - Applies to all persons that own, license or store personal information about a Mass resident
  - Implement, maintain and monitor written comprehensive information security program - more detailed standards than the vast majority of other states’ data security laws
  - Originally contracts with 3rd party service providers, but now relaxed to reasonable verification requirement
  - Originally required encryption of all personal information transmitted, but now requires encryption only of information transmitted wirelessly or stored on laptops or other portable devices
  - Compliance date extended to March 1, 2010

State Security Breach Laws Update
• Nevada
  - Original law (NRS 597.970) effective October 1, 2008, but replaced with revised law (NRS 603A) effective January 1, 2010
  - Mandates encryption of electronic transmission of personal information (same as NV security breach law) by “a business in NV.”
  - New law codifies encryption based on Payment Card Industry Data Security Standard for persons that accept credit card payments and for all other persons requires encryption using technology adopted by standards setting body, including National Institute of Standards & Technology

HIPAA Security Breach Notification Regulations
• The American Recovery and Reinvestment Act of 2009
• Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Stimulus package included funds to increase use of Electronic Health Records (EHRs)
• HITECH Act contained significant changes to HIPAA laws and rules, many of which will significantly impact Business Associates (BA) and their relationships with Covered Entities (CE)
• Key element of which is notice obligations of CEs and BAs for security breach of unsecured protected health information

HIPAA Security Breach Notification Regulations
• CEs and their BAs must provide certain notification in the event of a breach of protected health information (PHI).
  – “Breach” – The acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
• Interim Final Rule published August 24, 2009 and is effective September 23, 2009; enforcement is delayed until February 22, 2010

What is a Breach? Step 1: Secured vs. Unsecured PHI
• Does the potential “breach” involve unsecured PHI?
  – PHI is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information.
  – PHI is unsecured if it is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of specified technology or methodology.
  – The methodologies have been designated in guidance from DHHS

What is a Breach? Step 2: Privacy Rule Violation Occurrence
• Has there been an impermissible use or disclosure?
  - Must determine whether the alleged “breach” violates the Privacy Rule.
  - Violation must involve the use or disclosure of PHI.
  - A violation of an administrative requirement would not constitute a breach.
    - e.g., inadequate policies or training unless it results in a use or disclosure of PHI in violation of the Privacy Rule
  - A violation of the security rule would not suffice unless it resulted in an impermissible use or disclosure of PHI.

What is a Breach? Step 3: Risk Assessment
• Does the potential “breach” result in a significant risk to the subject individual?
  - Conduct a fact-specific risk assessment
    • Consider who used the PHI and to whom it was disclosed
    • Was the potential breach mitigated?
    • Was the PHI returned prior to being improperly accessed?
    • What is the type and amount of PHI involved? Can it reasonably cause financial, reputational or other harm?
  - CE or BA has the burden of proof in demonstrating that no breach has occurred
  - Strong documentation of the risk assessment is best defense

What is a Breach? Step 4: Exceptions
• Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA
• Inadvertent disclosure by a person who is authorized to access PHI at the CE or BA to another person authorized to access PHI at same CE, BA or organized health care arrangement
• Disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
• CE and BA have the burden of proof for showing why breach notification was not required.

Summary of Covered Entity’s Notification Obligations
• Individual notification by first class mail required (unless individual has consented to electronic notice)
• Substitute notice required if contact info is out of date. For 10 or more, must either post on website for 90 days or post notice in major print or broadcast media for 90 days
• Media notification required for breach involving 500 or more residents of a state or jurisdiction

Summary of Covered Entity’s Notification Obligations
• Must notify DHHS
• If more than 500 people involved, then notify at time
• If less, then file log on annual basis

Summary of Business Associate’s Notification Obligations
• Notify applicable CE without unreasonable delay and in no case later than 60 calendar days after discovery of breach.
• Time period for breach notification begins when incident is first known, not when investigation of incident is complete, even if it is initially unclear whether the incident constitutes a breach.
• Multiple CEs – BA should notify only the CE to which the breached information relates. If the breach involves unsecured PHI of multiple CEs and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected CEs.
• Individuals should not receive notifications from both CE and the BA about the same breach.

Questions? Answers!
Brian T. Casey [email protected] com
Patrick J. Hatfield [email protected] com
For further information/materials or to be added to our e-Matters email alert, please send your request to [email protected] com