<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>InfoLawGroup</title>
	
	<link>http://www.infolawgroup.com</link>
	<description>privacy. security. technology. media. advertising. intellectual property.</description>
	<lastBuildDate>Mon, 13 May 2013 18:34:18 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<feedburner:info uri="infolawgroup" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.infolawgroup.com/index.xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://www.infolawgroup.com/index.xml" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.plusmo.com/add?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsalloy.com/?rss=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.newsalloy.com/subrss3.gif">Subscribe with NewsAlloy</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://download.attensa.com/app/get_attensa.html?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.attensa.com/blogs/attensa/WindowsLiveWriter/BadgeredintoBadges_10C02/attensa_feed_button5.gif">Subscribe with Attensa for Outlook</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" 
src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.flurry.com/pushRssFeed.do?r=fb&amp;url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.flurry.com/images/flurry_rss_logo2.gif">Subscribe with Flurry</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><item>
		<title>Lessons From When Cyber Security Meets Physical Security</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/oLwIyACbPhI/</link>
		<comments>http://www.infolawgroup.com/2013/05/articles/reasonable-security/cyber-meets-physical-security/#comments</comments>
		<pubDate>Fri, 10 May 2013 20:20:13 +0000</pubDate>
		<dc:creator>Richard Santalesa</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Reasonable Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[Richard Santalesa]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=2030</guid>
		<description><![CDATA[Data security and what qualifies as &#8220;reasonable&#8221; security is on everyone’s mind these days – at least if you’re involved in IT, or responsible for addressing any aspect of the “GRC” troika of governance, risk management and compliance issues. Sometimes overlooked on the cyber side, however, is the interaction of cyber with real world, physical... <a class="more" href="http://www.infolawgroup.com/2013/05/articles/reasonable-security/cyber-meets-physical-security/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Data security and what qualifies as &#8220;reasonable&#8221; security is on everyone’s mind these days – at least if you’re involved in IT, or responsible for addressing any aspect of the “GRC” troika of<a href="http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance"> governance, risk management and compliance</a> issues.</p>
<p>Sometimes overlooked on the cyber side, however, is the interaction of cyber with real world, physical security and how the two can mutually reinforce and benefit each other and security overall.</p>
<p>This fact was brought home as I attended in New York City this week <a href="https://www.asisonline.org/Pages/default.aspx">ASIS International’s</a> Security <a href="https://www.asisonline.org/Education-Events/Global-Conferences/New-York-Expo/Pages/default.aspx">Conference and Expo</a>, which was colocated with the <a href="http://www.computerforensicshow.com/">Computer Forensics Show </a> and <a href="http://cybitexpo.com/">CyBit (Cyber security and IT security) Expo.</a></p>
<p>The frequently beefy, bull-necked attendees at the NYC ASIS conference, where you couldn’t turn around without running into someone wearing the dress uniform of a federal, state or municipal law enforcement agency, were a far cry from the populace that generally patrols and sits on panels at cyber security events. But we should rub elbows with our colleagues manning the physical security wall more, for a variety of reasons, not the least of which is that many physical “security” solutions have already embraced, or soon will embrace, the digital, and digital security controls and contracts increasingly address – or should be addressing &#8211; physical security specifics with more particularity than in days past.</p>
<p><span id="more-2030"></span></p>
<p>For example, the well-received and increasingly influential final version of <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NIST’s Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53 Rev.4</a>, released last month, makes frequent note that one of the eighteen security control families is squarely “Physical and Environmental Protection” (<em>see</em> SP 800-53 Rev.4 Appendix D, Page D-5 and Table D-13: Summary – Physical and Environmental Protection Controls). NIST additionally offers several special publications devoted to aspects of PEP controls, such as <a href="http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf">NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach</a>.</p>
<p>In a closing conversation at CyBit with Matt Gardiner, Sr. Manager, Product Manager, at <a href="http://www.rsa.com">RSA</a>, we discussed the foundational premise of his presentation on “<em>Security Monitoring and Data Privacy – How to Strike the Right Balance</em>,” which is that cyber security has traditionally focused on prevention, detection and then response.  While each leg of the three-legged cyber security stool is fully formed, the &#8220;detection&#8221; leg isn’t as sturdy these days as the prevention and response legs, which gives the entire stool a notable wobble (a fact confirmed by the recent <em><a href="http://www.verizonenterprise.com/DBIR/2013">2013 Verizon Data Breach Investigation Report</a></em>, which we covered <a href="http://www.infolawgroup.com/2013/04/articles/information-security/2013-dbir/">here</a>, noting that in 66% of the cases reviewed it took from months to years to detect the security incident).</p>
<p>Granted, the ASIS exhibit floor was chock full of specialized metal detectors, hardened equipment, emergency supplies and vendor after vendor providing digital video and camera surveillance solutions along with booths from the U.S. Secret Service and, yes, cloud software vendors. But I think we on the “cyber” side of the security fence can learn a great deal from how our counterparts on the physical perimeter plan for, detect and address security issues because we should, when possible, apply a more “holistic” security approach to the goals sought, regardless of the “form” of data.</p>
<p>This final conclusion was vividly driven home as I worked recently with a “traditional” records storage client (read truck loads of redwelds and bankers boxes rolling into secure warehouses) that is developing a cloud-based digital records service firmly at the intersection of the physical and digital records arena and implicating every security need.  Contract and security controls set in the physical records world have historically and still reflect an approach to security and liability allocation that is starkly different from a typical “cyber” services agreement. It is high time for the two facets of security to meet and join forces to address overall data “security” as one: neither exclusively physical, nor totally cyber.  Stay tuned for further coverage of this topic, specifically on what contract and SOW provisions to probe deeply regarding the physical security front.</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/oLwIyACbPhI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/05/articles/reasonable-security/cyber-meets-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/05/articles/reasonable-security/cyber-meets-physical-security/</feedburner:origLink></item>
		<item>
		<title>California’s Right to Know Law Put on Hold</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/uarqvfSU85M/</link>
		<comments>http://www.infolawgroup.com/2013/05/articles/data-privacy-law-or-regulation/californias-right-to-know-law-put-on-hold/#comments</comments>
		<pubDate>Mon, 06 May 2013 10:53:13 +0000</pubDate>
		<dc:creator>Paul Paray</dc:creator>
				<category><![CDATA[Advertising Law]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[Data Privacy Law or Regulation]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=2014</guid>
		<description><![CDATA[As reported by the LA Times, &#8220;a powerful coalition of technology companies and business lobbies, the California Chamber of Commerce, insurers, bankers and cable television companies as well as direct marketers and data brokers&#8221; were able to stop a California bill aimed at giving consumers greater insight as to the use of their personal data.... <a class="more" href="http://www.infolawgroup.com/2013/05/articles/data-privacy-law-or-regulation/californias-right-to-know-law-put-on-hold/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>As reported by the <a href="http://articles.latimes.com/2013/may/03/business/la-fi-digital-privacy-20130503" target="_blank">LA Times</a>, &#8220;a powerful coalition of technology companies and business lobbies, the California Chamber of Commerce, insurers, bankers and cable television companies as well as direct marketers and data brokers&#8221; were able to stop a California bill aimed at giving consumers greater insight as to the use of their personal data.</p>
<p>First introduced in February by Assemblywoman Bonnie Lowenthal (D-Long Beach), the proposed <a href="http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_1251-1300/ab_1291_bill_20130222_introduced.html" target="_blank">Right to Know Law (AB 1291)</a> would have implemented major revisions to existing law and created new rights for consumers.  Specifically, <a href="http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_1251-1300/ab_1291_bill_20130222_introduced.html" target="_blank">the proposed law</a> would require</p>
<blockquote><p>any business that has a customer&#8217;s personal information, as defined, to provide at no charge, within 30 days of the customer&#8217;s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.</p></blockquote>
<p>This new level of transparency might have helped soothe consumer concerns.  According to a <a href="http://dornsife.usc.edu/usc-lat-poll-privacy-march-2012/" target="_blank">2012 USC Dornsife/Los Angeles Times poll</a>, &#8220;82 percent of Californians said they are “very concerned” or “somewhat concerned” about Internet and smartphone companies collecting their personal information.&#8221;   On the other hand, providing a full and accurate accounting of who had access to a consumer&#8217;s data &#8211; even to only the small percentage of consumers who would actually take the time to request it &#8211; would have been a major undertaking for a wide range of companies.  It is not surprising that the companies who fought so hard to pull the plug on this bill represent a very diverse coalition of businesses.</p>
<p>Even if this bill does not get revived in a new form sometime in the future, the prospect of what it might have brought to the table should serve as a wake-up call to those businesses deep into online behavioral advertising.  It may be time to better understand just who has access to what information &#8211; and it may not eventually matter whether that information belongs to a current client or consumer or whether it was anonymized.  As usual, staying in front of the regulatory curve remains a sound business practice.</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/uarqvfSU85M" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/05/articles/data-privacy-law-or-regulation/californias-right-to-know-law-put-on-hold/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/05/articles/data-privacy-law-or-regulation/californias-right-to-know-law-put-on-hold/</feedburner:origLink></item>
		<item>
		<title>Arkansas Becomes Seventh State to Enact Employer Social Media Law; Questions Arise Regarding Supervisor-Employee Connections</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/XaqPWYsdNko/</link>
		<comments>http://www.infolawgroup.com/2013/05/articles/privacy-law/arkansas-becomes-the-seventh-state-to-enact-employer-social-media-law-questions-arise-regarding-supervisor-employee-connections/#comments</comments>
		<pubDate>Fri, 03 May 2013 13:59:41 +0000</pubDate>
		<dc:creator>Andrew Hoffman</dc:creator>
				<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Privacy Law]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Workplace Privacy]]></category>
		<category><![CDATA[Arkansas]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=2006</guid>
		<description><![CDATA[Last week, Arkansas enacted H.B. 1901, joining California, Illinois, Maryland, Michigan, New Mexico, and Utah in restricting employer access to social media or personal accounts. A total of seven states now have such laws. New Jersey&#8217;s harsh bill, which we have covered, has cleared the Assembly and is awaiting the Governor&#8217;s signature. The Arkansas law... <a class="more" href="http://www.infolawgroup.com/2013/05/articles/privacy-law/arkansas-becomes-the-seventh-state-to-enact-employer-social-media-law-questions-arise-regarding-supervisor-employee-connections/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Last week, Arkansas <a href="http://www.arkleg.state.ar.us/assembly/2013/2013R/Acts/Act1480.pdf">enacted</a> H.B. 1901, joining California, Illinois, Maryland, Michigan, New Mexico, and Utah in restricting employer access to social media or personal accounts. A total of seven states now have such laws. New Jersey&#8217;s harsh bill, which we have <a href="http://www.infolawgroup.com/2012/12/articles/newjersey/new-jersey-fast-tracks-employer-social-media-bill/" target="_blank">covered</a>, has cleared the Assembly and is awaiting the Governor&#8217;s signature. The Arkansas law provides in pertinent part:</p>
<blockquote><p>An employer shall not require, request, suggest, or cause a current or prospective employee to:</p>
<p>(A) Disclose his or her username and password to the current or prospective employee&#8217;s social media account;</p>
<p>(B) Add an employee, supervisor, or administrator to the list or contacts associated with his or her social media account; or</p>
<p>(C) Change the privacy settings associated with his or her social media account.</p></blockquote>
<p>Although the Arkansas law closes potential loopholes created by some other similar state laws that did not prohibit employers from requiring employees or job applicants to become a “friend” or “connection” with the employer or its employees, this provision may also raise potential new concerns that could be tested in a future case. For instance:</p>
<ul>
<li>Is a supervisor prohibited from sending a friend request to an employee he or she supervises? One could argue that the act of sending a request constitutes a ‘request’ or ‘suggestion’ that is prohibited by the statute. If so, potential First Amendment problems may arise. Is this particular act of the supervisor imputed to the employer if the employer otherwise has no hand in causing the friend request to be sent?</li>
<li>From whose perspective is it determined whether a connection request is a statutory “request?” Employers and employees or job applicants may have different perspectives on this question.</li>
</ul>
<p>Even those employers that do not maintain a policy of requiring access to employee social media accounts may wish to keep an eye on the development of these laws, based on possible issues noted above. As more states will likely enact similar laws in the future and tinker with the restrictions on employer conduct, the waters could get murkier still. Proactive employers may wish to begin considering potential revisions to their social media policies.</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/XaqPWYsdNko" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/05/articles/privacy-law/arkansas-becomes-the-seventh-state-to-enact-employer-social-media-law-questions-arise-regarding-supervisor-employee-connections/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/05/articles/privacy-law/arkansas-becomes-the-seventh-state-to-enact-employer-social-media-law-questions-arise-regarding-supervisor-employee-connections/</feedburner:origLink></item>
		<item>
		<title>FTC UPDATED FAQs FOR AMENDED COPPA RULE: KEY POINTS</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/Eq_VNn76ewQ/</link>
		<comments>http://www.infolawgroup.com/2013/04/articles/privacy-law/ftc-updated-faqs-for-amended-coppa-rule-key-points/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 19:27:53 +0000</pubDate>
		<dc:creator>Justine Gottshall</dc:creator>
				<category><![CDATA[Apps]]></category>
		<category><![CDATA[Children's Privacy]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Privacy Law]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1999</guid>
		<description><![CDATA[For operators of web sites, apps and other online services, change is definitely coming – and quickly.  On April 25, 2013, the Federal Trade Commission (“FTC”) issued updated Frequently Asked Questions (the “FAQs”) for its amended implementing rule (the “Rule”) for the Children’s Online Privacy Protection Act (“COPPA”).  The FAQs give some additional insight regarding... <a class="more" href="http://www.infolawgroup.com/2013/04/articles/privacy-law/ftc-updated-faqs-for-amended-coppa-rule-key-points/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>For operators of web sites, apps and other online services, change is definitely coming – and quickly.  On April 25, 2013, the Federal Trade Commission (“FTC”) issued updated <a href="http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions"><em>Frequently Asked Questions</em></a><em> </em>(the “FAQs”) for its amended implementing rule (the “Rule”) for the Children’s Online Privacy Protection Act (“COPPA”).  The FAQs give some additional insight regarding the changes and updates to the Rule (for a summary of those changes, click <a href="http://www.infolawgroup.com/2012/12/articles/regulations/ftcs-amended-coppa-rule-seeks-to-keep-up-with-the-internet-revolution/">here</a>).  Key takeaways of the FAQs include:</p>
<ul>
<li><strong>The Rule will take effect on July 1, 2013 – the FTC has not granted an extension.</strong></li>
</ul>
<p>Anticipate that the FTC may act quickly to enforce the new Rule.  All web sites and other online services should evaluate whether they are in full compliance with COPPA and the amended Rule and, if applicable, take immediate steps toward compliance in order to meet the July 1 deadline.</p>
<ul>
<li><strong>The FTC clarified the extent to which the new Rule will apply to <em>previously collected </em>data:</strong></li>
</ul>
<p><strong><em>Geolocation Data</em></strong>:  The Rule only covers geolocation information precise enough to identify street name and city or town.  The FTC considers its specific delineation of this type of data a mere clarification of existing regulation.  Accordingly, if prior to July 1 an online service collected precise geolocation data without parental consent, the online service must immediately obtain parental consent.  Note that this data may be collected passively and unintentionally, as geolocation information is sometimes automatically associated with uploaded files (such as pictures and video).</p>
<p><strong><em>Photos, Videos and Audio Files</em></strong>:  Online services may retain previously collected files containing a child’s image or voice without obtaining parental consent.  However, the FTC recommends ceasing use or disclosure of this type of information without parental consent &#8212; as a “best practice.”  Thus, businesses should consider carefully whether they will continue to use, disclose or retain photographs, videos and audio files after the Rule takes effect July 1.  Note, too, that the FTC states it is acceptable to post photos where the child’s face is blurred and not recognizable.</p>
<p><strong><em>User Names and Screen Names:  </em></strong>The amended Rule is more broad in its definition of user and screen names as personal information, such that as of July 1, these types of identifiers are “personal information” if they permit direct online contact with a person.  Similar to photos, videos and audio files, organizations may retain previously collected user and screen names (and similar identifiers) that are newly included as subject to the Rule without parental consent.  However, the Rule will apply to these identifiers if an organization <strong><em>associates any new information with the identifier</em></strong> after the Rule takes effect July 1.  In addition, the FTC recommends obtaining parental consent &#8212; as a “best practice.”  Thus, online services should fully analyze their use of screen names and similar identifiers to determine if they will trigger the new Rule and consider obtaining parental consent.</p>
<p><strong><em>Persistent Identifiers:  </em></strong>Starting July 1, a persistent identifier (such as an IP address) is “personal information” subject to the Rule if it can be used to recognize a user over time and across different web sites or online services (whether or not combined with individually identifiable information).  Here, too, organizations may retain, without parental consent, persistent identifiers that are now covered by the Rule but were not previously subject to it.  However, the Rule applies to any collection on or after July 1 of that persistent identifier or any association of information with that persistent identifier (e.g., association of an IP address with browsing activity on a web site).  Accordingly, beginning July 1, online services will need prior parental consent to collect data using persistent identifiers unless the information is used solely for support of internal operations or falls within another exception under the Rule.</p>
<ul>
<li><strong>Mobile phone numbers are not “online contact information” as defined by the Rule.</strong></li>
</ul>
<p>Accordingly, operators of online services must not collect mobile phone numbers from children as part of the process to obtain parental consent.  Instead, operators should collect an email address, IM user identifier, VOIP identifier, video chat user identifier or other substantially similar identifier.  However, once in contact with the parent, the parent may provide his or her mobile phone number for further communications.</p>
<ul>
<li><strong>The FTC provided App-specific guidance:</strong></li>
</ul>
<p><strong><em>Parental Notice and Consent:</em>  </strong>All operators of online services (whether App, website or other online service) may collect from the child the parent’s online contact information for the sole purpose of providing direct notice to the parent.  The FTC also recognizes that other acceptable means are available through Apps, and operators may use those other means, such as through the mobile device, so long as the mechanism used provides notice and obtains the parent’s consent prior to collection of personal information from the child <strong><em>and </em></strong>is reasonably designed to ensure that it is the parent who receives the notice and gives consent.  Note, however, that an App may <strong><em>not </em></strong>rely on collection of an app account number or password to fulfill the Rule’s notice and consent requirements without other indicia of reliability, which may include knowledge-based authentication questions, because it is too unlikely that the app store account information (user name or account number and password) is provided by the child and not the parent.</p>
<p><strong><em>Locally Stored Content: </em></strong>An app is not “collecting” personal information and does not trigger compliance obligations merely because it includes features that allow a user to upload photos or otherwise interact with personal information stored on the device &#8212; so long as that information remains locally stored and is never transmitted from the device.</p>
<p><strong><em>Privacy Policies.  </em></strong>All operators of online services &#8212; including apps &#8212; must post a clear and prominent link to the applicable privacy policy on the home or landing page or screen and any place where personal information is collected from children (e.g., on a registration form).  The Rule does not require a privacy policy at point of purchase for apps, but note that operators must provide direct notice and obtain verifiable parental consent prior to collecting personal information from children.  Thus, if an app subject to COPPA collects personal information as soon as it is downloaded, the operator must provide notice and obtain consent at the point of purchase or through a landing page prior to the completion of the download.  In addition, the FTC encourages all apps to provide the privacy policy link at the point of purchase as a “best practice.”</p>
<ul>
<li><strong>The FTC provided specific guidance regarding online advertising:</strong></li>
</ul>
<p>Key points from the FAQs with regard to how the Rule impacts online advertising include:</p>
<ul>
<li>Behavioral advertising triggers the Rule; it does <strong>not </strong>fall within the term “support for internal operations,” and thus there is no exception for collecting persistent identifiers if they are used for behavioral advertising.</li>
<li>A child-directed content provider will be strictly liable for any collection of personal information (including persistent identifiers such as IP address) by a third party.</li>
<li>A child-directed content provider must provide notice and obtain prior parental consent before allowing any third party to collect personal information from visitors.</li>
<li>It is acceptable for a child-directed content provider to allow for contextual advertising on the site – but it must ensure that doing so does not otherwise violate COPPA or the Rule.</li>
<li>A company (for example, an online advertising service) that collects information through a third party web site or other online service will have “actual knowledge” that it has collected personal information from users of a child-directed site or service if: (1) the content provider directly provides that information; or (2) a representative of the company recognizes that the nature of the content on the third party site or service is child-directed.</li>
</ul>
<ul>
<li><strong>Online services partially directed to children may age-screen but may not block users who are younger than age 13</strong></li>
</ul>
<p>The Rule allows a web site, app or other online service that falls under the definition of being directed toward children &#8212; but where children are not the primary audience &#8212; to use an age screen to differentiate between child and non-child users.  Businesses must then either obtain parental consent or not allow children to participate in features and activities that collect personal information as defined by the Rule.  However, the FTC makes clear repeatedly in the FAQs that businesses must not altogether prohibit children from participating in a site or service that is “child-directed” as determined by a preponderance of factors as set forth in the Rule and FAQs.  Organizations should take care in determining whether their online service is “directed to children” and, if so, whether it is directed to children as the “primary audience.”  Any age-screening mechanism should comply with FTC guidance (including with regard to not blocking child-users for at least certain types of sites and taking care not to encourage children to falsify their information).</p>
<ul>
<li><strong>Reasonable security measures include contract provisions and periodic monitoring</strong></li>
</ul>
<p>Organizations must determine that third parties have reasonable practices in place to maintain the confidentiality and security of data prior to sharing personal information of children with those third parties.  The FAQs state that contracts with service providers should specifically address this issue and that the entity sharing the data must use reasonable means, such as periodic monitoring, to confirm that the third party is, in fact, maintaining the confidentiality and security of the information.</p>
<ul>
<li><strong>Operators of online services may need to update their privacy policies and online practices.</strong></li>
</ul>
<p>All businesses operating websites, apps and other online services, particularly those targeting children and teenagers, should evaluate whether their business practices trigger the Rule and take appropriate compliance steps, including updating the privacy policy as needed.  For example, an online operator may need to update the description of personal information it collects from children to reflect the updated definition of “personal information” in the Rule and may need to address third parties (such as those providing plug-ins or online advertising services).</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/Eq_VNn76ewQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/04/articles/privacy-law/ftc-updated-faqs-for-amended-coppa-rule-key-points/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/04/articles/privacy-law/ftc-updated-faqs-for-amended-coppa-rule-key-points/</feedburner:origLink></item>
		<item>
		<title>2013 Verizon Data Breach Report Is Out – Risks Increase</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/vi-e-RVOwUw/</link>
		<comments>http://www.infolawgroup.com/2013/04/articles/information-security/2013-dbir/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 04:51:23 +0000</pubDate>
		<dc:creator>Richard Santalesa</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[DBIR]]></category>
		<category><![CDATA[Richard Santalesa]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1990</guid>
		<description><![CDATA[Verizon’s annual “Data Breach Investigations Report” (“DBIR”) is a must read for data and information security professionals and we eagerly await each release.  The 2013 DBIR is now out and being carefully read by information security professionals.  Now in its sixth year, each DBIR provides a broad overview of the changing information security and data... <a class="more" href="http://www.infolawgroup.com/2013/04/articles/information-security/2013-dbir/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Verizon’s annual “<a href="http://www.verizonenterprise.com/DBIR/2013">Data Breach Investigations Report</a>” (“DBIR”) is a must read for data and information security professionals and we eagerly await each release.  The <a href="http://www.verizonenterprise.com/DBIR/2013">2013 DBIR</a> is now out and being carefully read by information security professionals.  Now in its sixth year, each DBIR provides a broad overview of the changing information security and data breach landscape from year to year, combining Verizon’s own Risk Team breach data with 19 participating organizations around the world to glean lessons learned by analyzing 47,000+ security incidents and 621 confirmed data breaches.</p>
<p>What does this year&#8217;s Verizon Data Breach Investigations Report reveal? Read on.</p>
<p><span id="more-1990"></span></p>
<p>The DBIR is broadly broken down into reviewing threat actors, threat actions, assets and data that are frequently compromised, attack targeting, breach timelines and breach discovery methods topped with final conclusions and recommendations.  We recommend a leisurely full read of the DBIR&#8217;s 63 pages (Beach weather is approaching!) as it vividly highlights trends, major breaches and new threat vectors to provide a clear snapshot of the prior year’s infosec battles with often eye-popping findings. Can’t wait until you’re sitting by the pool to read the full DBIR? Not to worry, here’s a high level sampling of its findings followed by the DBIR’s eight key recommendations:</p>
<ul>
<li>As in the prior 2012 DBIR, the clear leading source of data breaches continues to be “financially motivated cybercrime” originating from the US or Eastern Europe (e.g., Romania, Bulgaria and the Russian Federation), which accounted for 75% of all opportunistic breaches studied by the DBIR.</li>
<li>Somewhat more surprising to many (but not to active infosec professionals) is that 19% of all attacks studied by the DBIR were conducted by “state-affiliated actors” – in short, state-sponsored “cyber espionage” seeking acquisition of classified information, trade secrets, intellectual property, financial data and insider information.</li>
<li>A notable proportion of incidents, holding steady from 2011 to 2012, reviewed by the DBIR track back to “hacktivists” whose goals are “to maximize disruption and embarrassment to their victims.”</li>
<li>Contrary to popular memes, only 14% of attacks involve “insiders” – whereas external attacks remain responsible for 92% of data breaches. Interestingly, “only” 1% of data breaches were traceable to business partners. (These categories overlap – a single breach can involve more than one type of actor – which is why the figures add up to more than 100%.)</li>
<li>While sophistication of attacks is growing, less than 1% of breaches in this year’s DBIR were attributable to tactics deemed high on the VERIS difficulty scale. In fact, the DBIR notes that most breaches could still be easily prevented, with 78% of techniques reviewed judged to be in the low or very low category of sophistication.</li>
<li>Regarding the corporate actors involved in internal data breaches, customer service personnel were responsible for a whopping 46% &#8211; followed up by end-users (17%), administrators (16%), managers (7%) and executives (5%).</li>
<li>Vividly highlighting the rise of social engineering and media, the proportion of breaches utilizing social tactics, like phishing, was 4x higher in 2012 than in prior years.</li>
<li>As to attack methods, yes, hacking remains the number one breach vector, factoring in 52% of data breaches. Surprised?</li>
<li>Seventy-six percent of network intrusions resulted from weak or stolen credentials; 40% relied on malware in some fashion; 35% involved physical attacks (e.g., ATM skimming); and 29% leveraged social tactics (e.g., phishing). As with actors, a single breach typically chains several of these actions, so the percentages overlap rather than sum to 100%.</li>
<li>Interestingly, not a single case in which the Verizon Investigative Response team was called in involved data “in transit,” whereas two-thirds of breaches involved data “at rest” with the remaining breaches occurring during processing.</li>
<li>Spotting and detecting a data breach still takes significant time, and the length of time is getting longer. In the 2012 DBIR 56% of breaches took a month or more to be discovered. The 2013 DBIR reports the sobering finding that 66% of breaches took months or even years to discover (62% &#8211; months; 4% &#8211; years).</li>
<li>Worse, 9% of breaches are discovered by customers first and 28% by unrelated external parties. In a bright spot of news, 24% of breaches are identified by fraud detection mechanisms. Nevertheless, the vast majority of breaches are discovered by external parties – not internal IT audits or intrusion detection procedures.</li>
</ul>
<p>Recommendations: The DBIR provides 8 key recommendations resulting from its findings. They are:</p>
<ul>
<li>Eliminate unnecessary data; keep tabs on what’s left.</li>
<li>Perform regular checks to ensure that essential controls are met.</li>
<li>Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.</li>
<li>Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.</li>
<li>Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.</li>
<li>Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.</li>
<li>Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.</li>
<li>Don’t underestimate the tenacity of your adversaries, especially espionage driven attackers, or the power of the intelligence and tools at your disposal.</li>
</ul>
<p>The vast amount of analysis and data presented in the 2013 DBIR takes time to digest and respond to; however, the most frightening finding in the entire DBIR is organizations&#8217; inability to quantify data loss.  What does that mean?   According to Verizon, for breach events in its data set, entities had a complete and accurate count of compromised records in only 15% of breach incidents.  That is, entities could not determine the full scope of a breach in 85% of breach incidents.</p>
<p>To discuss the 2013 Verizon DBIR or to review how to apply its findings to your own risk management programs or data security policies and procedures feel free to contact me or any of the attorneys at the InfoLawGroup.</p>
<p>&nbsp;</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/vi-e-RVOwUw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/04/articles/information-security/2013-dbir/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/04/articles/information-security/2013-dbir/</feedburner:origLink></item>
		<item>
		<title>Why You Should Register the Domain Name Before Publicly Announcing the Marketing Phrase</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/F_eM8FvCb5A/</link>
		<comments>http://www.infolawgroup.com/2013/04/articles/marketing-1/why-you-should-register-the-domain-name-before-publicly-announcing-the-marketing-phrase/#comments</comments>
		<pubDate>Wed, 17 Apr 2013 15:55:06 +0000</pubDate>
		<dc:creator>Evan Brown</dc:creator>
				<category><![CDATA[Indiana]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Trademarks]]></category>
		<category><![CDATA[clearance]]></category>
		<category><![CDATA[cybersquatting]]></category>
		<category><![CDATA[Domain Names]]></category>
		<category><![CDATA[trademarks]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1974</guid>
<description><![CDATA[Serenity Springs v. LaPorte County Convention and Visitors Bureau, 2013 WL 1560206 (Ind.App. April 15, 2013) Here&#8217;s a case that shows how with just a couple minutes&#8217; effort and only a few dollars, marketing professionals can prevent loads of trouble and expense for their organizations down the road. Plaintiff, a local government-run tourism bureau,... <a class="more" href="http://www.infolawgroup.com/2013/04/articles/marketing-1/why-you-should-register-the-domain-name-before-publicly-announcing-the-marketing-phrase/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p><em>Serenity Springs v. LaPorte County Convention and Visitors Bureau</em>, 2013 WL 1560206 (Ind.App. April 15, 2013)</p>
<p><strong>Here&#8217;s a case that shows how with just a couple minutes&#8217; effort and only a few dollars, marketing professionals can prevent loads of trouble and expense for their organizations down the road.</strong> </p>
<p>Plaintiff, a local government-run tourism bureau, announced at a public meeting that it had come up with a marketing phrase (&#8220;Visit Michigan City LaPorte&#8221;) to promote local commerce. An employee of one of the businesses attending the meeting went home and registered the phrase as a domain name, and had it redirect to the company&#8217;s website. </p>
<p>Plaintiff sued (in state court), and got the trial court to order the domain name be transferred, and a permanent injunction against defendant&#8217;s use of the purported mark. Defendant sought review with the Indiana Appellate Court. On appeal, the court reversed and remanded. </p>
<p>The appellate court found that the mark comprising the domain name was geographically descriptive, and had not acquired secondary meaning prior to defendant&#8217;s registration of the domain name. The court held that without this protection as a trademark, plaintiff&#8217;s claims of infringement and cybersquatting failed, and that the lower court erred by finding in plaintiff&#8217;s favor. </p>
<p>The real moral of the story is that organizations that are adopting trademarks as part of a branding campaign should take at least the minimal steps necessary to protect those proposed marks. In this case, a simple $12 investment in the prospective domain name hours before the meeting would have saved thousands of dollars in litigation costs over the next three years. </p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/F_eM8FvCb5A" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/04/articles/marketing-1/why-you-should-register-the-domain-name-before-publicly-announcing-the-marketing-phrase/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/04/articles/marketing-1/why-you-should-register-the-domain-name-before-publicly-announcing-the-marketing-phrase/</feedburner:origLink></item>
		<item>
		<title>California’s “Right to Know Act”: Are New Privacy Disclosure Requirements on the Horizon?</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/6nJjHCI0bR8/</link>
		<comments>http://www.infolawgroup.com/2013/04/articles/privacy-law/californias-right-to-know-act-are-new-privacy-disclosure-requirements-on-the-horizon/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 15:11:19 +0000</pubDate>
		<dc:creator>Alexis Payne</dc:creator>
				<category><![CDATA[Privacy Law]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1971</guid>
		<description><![CDATA[And you thought the privacy legal landscape couldn’t get any more challenging to traverse for online operators.  Guess again. California legislators recently proposed a bill that would significantly broaden its “Shine the Light Law,” Cal. Civ. Code § 1798.83.  Enacted ten years ago, the Shine the Light Law became the de facto federal law regulating... <a class="more" href="http://www.infolawgroup.com/2013/04/articles/privacy-law/californias-right-to-know-act-are-new-privacy-disclosure-requirements-on-the-horizon/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>And you thought the privacy legal landscape couldn’t get any more challenging to traverse for online operators.  Guess again.</p>
<p>California legislators recently proposed a bill that would significantly broaden its “Shine the Light Law,” Cal. Civ. Code § 1798.83.  Enacted ten years ago, the Shine the Light Law became the de facto federal law regulating online privacy, requiring online operators to disclose to consumers how they use and share consumers’ personal information.</p>
<p>The proposed bill (which has come to be known as the “Right to Know Act” (AB 1291)) applies to online operators who have 20 or more employees.  There would be two ways to comply with the bill.  An online operator may provide consumers, upon request, a description of the categories of personal information it has shared with third party marketers and the names of those marketers. The bill would only require an online provider to respond to each consumer’s request for personal data collection and sharing information once per year.  Alternatively, an online provider may disclose in its privacy policy a free method by which consumers may opt-in or opt-out of all disclosure of their personal information by the online provider. The bill would not regulate or impose restrictions upon internet operators’ information collection, sharing, or selling practices.</p>
<p>Proponents of the bill argue that it would provide more transparency to consumers about the data collection and sharing practices of online operators. Proponents also contend that the bill would more closely align United States law with the data disclosure laws in Europe, laws with which many online operators in the United States already comply.</p>
<p>Opponents of the bill see things differently.  They argue that the bill is too broad and unworkable. For example, the California Chamber of Commerce contends that the bill unnecessarily expands the definition of “personal information” to include device identifiers.  Opponents also argue that it would be impractical to require online operators to provide the name and address of every entity with which they share consumer information.  Even more harrowing, opponents argue, are the bill’s failure to define what constitutes injury to the consumer and the bill’s stiff penalties.  If an online operator fails to comply, the consumer may recover a civil penalty of up to $500 per violation and up to $3,000 per willful, intentional or reckless violation.  The bill provides, however, that non-willful violations may be cured within 90 days of notice to avoid a penalty.</p>
<p>The bill for the “Right to Know Act” is scheduled for a hearing in the state legislature at the end of this month.</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/6nJjHCI0bR8" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/04/articles/privacy-law/californias-right-to-know-act-are-new-privacy-disclosure-requirements-on-the-horizon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/04/articles/privacy-law/californias-right-to-know-act-are-new-privacy-disclosure-requirements-on-the-horizon/</feedburner:origLink></item>
		<item>
		<title>Financial Correlation of Privacy Rights</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/9dObDk6jExU/</link>
		<comments>http://www.infolawgroup.com/2013/04/articles/privacy-law/financial-correlation-of-privacy-rights/#comments</comments>
		<pubDate>Sat, 06 Apr 2013 14:57:34 +0000</pubDate>
		<dc:creator>Paul Paray</dc:creator>
				<category><![CDATA[Behavioral Advertising]]></category>
		<category><![CDATA[Data Privacy Law or Regulation]]></category>
		<category><![CDATA[Privacy Law]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1947</guid>
		<description><![CDATA[As a firm focused on all evolving aspects of privacy law, InfoLawGroup is obviously often called upon to assist its clients with consumer privacy legal issues.  This post takes a detour towards privacy theory terrain and is prodded by a recent New York Times article.  In Letting Down Our Guard With Web Privacy, published on... <a class="more" href="http://www.infolawgroup.com/2013/04/articles/privacy-law/financial-correlation-of-privacy-rights/">Continue Reading</a>]]></description>
<content:encoded><![CDATA[<p>As a firm focused on all evolving aspects of privacy law, InfoLawGroup is obviously often called upon to assist its clients with consumer privacy legal issues.  This post takes a detour towards privacy theory terrain and is prodded by a recent New York Times article.  In <a href="http://www.nytimes.com/2013/03/31/technology/web-privacy-and-how-consumers-let-down-their-guard.html?pagewanted=all&amp;_r=0" target="_blank">Letting Down Our Guard With Web Privacy</a>, published on March 30, 2013, the author details ongoing research being conducted by Alessandro Acquisti, a behavioral economist at Carnegie Mellon University.  Mr. Acquisti’s research is cutting edge when it comes to online behavioral advertising (OBA) and associated consumer behavior.  Indeed, he’s the academic who <a href="http://www.prnewswire.com/news-releases/face-recognition-software-social-media-sites-increase-privacy-risks-says-new-carnegie-mellon-study-126510323.html">famously announced in 2011</a> that one might be able to infer portions of someone’s social security number starting from nothing more than a posted photograph, by matching the face against publicly available social media profiles.   His research often distills to one major premise – consumers may not always act in their best interests when it comes to online privacy decisions.</p>
<p>It appears consumers and merchants alike may be missing out on fully cultivating a very valuable commodity.  According to the World Economic Forum, “personal data represents an emerging asset class, potentially every bit as valuable as other assets such as traded goods, gold or oil.”  <em>Rethinking Personal Data:  Strengthening Trust</em>, at 7, World Economic Forum Report (May 2012).  Before this asset class can ever be completely exploited and fully commercialized, however, its constituent value components must be correlated by all in the privacy food chain.</p>
<p><span id="more-1947"></span></p>
<p>Over three decades ago, it was recognized that the three pillars of privacy – the very foundation of personal data – secrecy, anonymity, and solitude, were distinct yet interrelated.  <em>See</em> Gavison, Ruth, <em>Privacy and the Limits of Law</em>, 89 The Yale Law Journal 421, 428-429 (1980) (“A loss of privacy occurs as others obtain information about an individual, pay attention to him, or gain access to him. These three elements of secrecy, anonymity, and solitude are distinct and independent, but interrelated, and the complex concept of privacy is richer than any definition centered around only one of them.”).</p>
<p>Current OBA has made it so these three privacy pillars may be confusing for consumers to value, manage, and isolate when online – it is not generally up to consumers whether they will be fed an ad based on previous website visits or purchases – it will just happen.  Indeed, according to a survey of 1,000 persons conducted by Ipsos Public Affairs and <a href="http://www.microsoft.com/en-us/news/press/2013/jan13/01-23DPDPR.aspx" target="_blank">released by Microsoft in January 2013</a>, forty-five percent of respondents felt they had little or no control over the personal information companies gather about them while they are browsing the Web or using online services.  This view may not be unfounded given that data routinely gathered online, <em>e.g</em>., operating system, browser, IP address, persistent cookies, last used server, can be used to divulge the activity of individual devices.</p>
<p>The privacy trade-offs being researched by Mr. Acquisti and others offer insight into the true value of these data constituents.  Consumers who try to “shut off” or render anonymous access to their device’s data or settings, would not only likely fail in their attempt at being anonymized, they would also lose out on access to most social media and other websites requiring browsers to accept cookies as well as product offers that may presumably be of interest.  Indeed, this coordinated tracking of consumers is not even unique to the Internet.   <em>See generally</em> Bibas, Steve, <em>A Contractual Approach to Data Privacy</em>, 17 Harv. J. Law &amp; Public Policy 591 (Spring 1994) (“Although the ready availability of information helps us to trust others and coordinate actions, it also lessens our privacy. George Orwell presciently expressed our fear of losing all privacy to an omniscient Big Brother.  Computers today track our telephone calls, credit-card spending, plane flights, educational and employment records, medical histories, and more.  Someone with free access to this information could piece together a coherent picture of our actions.”).  There are even companies that bridge the gap between offline and online activities by taking in-store point of sale purchases and converting such data to an anonymous online cookie ID that will eventually be used online by clients.  Such use of in-store data is generally permissible under a retailer’s loyalty program.</p>
<p>Current law does not generally prevent someone from collecting public information to create consumer profiles – nor is there the right to opt out of having your public record information sold or shared.  And, when one wants to self-determine whether data will be disclosed or whether he or she will be “untraceable”, “anonymous” or “left alone”, there may not always exist the ability to easily curtail these rights from being exploited – there is certainly no way to obtain a direct financial gain in return for the relinquishment of such privacy rights.  Instead, there has generally been a “privacy for services” marketing/advertising arrangement that has been accepted by consumers – which, in fact, has helped pay for and fuel the growth of the commercial Internet.</p>
<p>The current OBA ecosystem does not posit a “loss of privacy” as much as it offers a bartering system where one party <em>feels</em> the value of what is being bartered away while the other party actually <em>quantifies</em> with cascading/monetizing transactions what is only felt by the other party.  In other words, it is not a financial transaction.  Those who are able to find an entertaining online video or locate a product online using a search engine don’t really mind that an ad will be served to them while visiting some other website given they feel this loss of privacy is worth the value of the services being provided.</p>
<p>Ironically, the interactive advertising industry itself may believe it is collecting too much sensitive consumer data.  According to a study conducted by the Ponemon Institute, 67 percent of responding online advertisers believe “limiting sensitive data collection for OBA purposes is key to improving consumer privacy and control when browsing or shopping online.” <a href="http://www.ponemon.org/local/upload/file/Leading_Practices_in_OBA_FINAL.pdf" target="_blank"><em>Leading Practices in Behavioral Advertising &amp; Consumer Privacy:  A Study of Internet Marketers &amp; Advertisers</em></a>, at 2, The Ponemon Institute (February 2012).</p>
<p>As recognized by privacy researchers, “[e]mpirical evidence on the behavioral effects of privacy is rather scarce.”  Regner, Tobias; Riener, Gerhard, <em>Voluntary Payments, Privacy and Social Pressure On The Internet: A Natural Field Experiment</em>, <em>DICE Discussion Paper</em>, No. 82 (December 2012) at 6.  Although “some consumers are willing to pay a premium to purchase from privacy protective websites”; there is no measure of what that premium should be or how widespread a factor it is for consumers as a whole.  <em>Id</em>. at 7.</p>
<p>More often than not, consumers have been “often willing to provide personal information for small or no rewards.”  <em>Losses, Gains, and Hyperbolic Discounting: An Experimental Approach to Information Security Attitudes and Behavior</em>, presented by Alessandro Acquisti and Jens Grossklags at the 2nd Annual Workshop on Economics and Information Security, College Park, Maryland, May 2003, at 4.</p>
<p>This does not mean researchers have not tried to quantify a “privacy valuation” model.  In 2002, a Jupiter Research study found 82% of online shoppers willing to give personal data to new shopping sites in exchange for the chance to win $100.  <em>See cf.</em> Tsai, Janice; Egelman, Serge; Cranor, Lorrie; Acquisti, Alessandro; <em>The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study</em>, <em>Information Systems Research</em> (February 2010) at 22 (describing survey results which conclude that “people will tend to purchase from merchants that offer more privacy protection and even pay a premium to purchase from such merchants.”); Beresford, Alastair; Kübler, Dorothea; Preibusch, Sören, <em>Unwillingness To Pay For Privacy: A Field Experiment</em>, 117 <em>Economics Letters</em> 25 (2010) (“Thus, participants predominantly chose the firm with the lower price and the more sensitive data requirement, indicating that they are willing to provide information about their monthly income and date of birth for a 1 Euro discount.”).</p>
<p>In his 1994 paper, <em>A Contractual Approach to Data Privacy</em>, Steve Bibas suggests that individual contracts may provide the best solution to the privacy compensation dilemma:  “In the hands of the contracting parties, however, flexibility allows people to control their lives and efficiently tailor the law to meet their needs. Flexibility is the market&#8217;s forte; the pricing mechanism is extremely sensitive to variations in valuation and quickly adjusts to them.”  Bibas, 17 Harv. J. Law &amp; Public Policy 591 (Spring 1994).   Mr. Bibas, however, recognized the limitations in what could be accomplished with privacy transactions that relied only on static privacy trades.  In other words, a model that might be effective is one that customizes the financial rewards to consumers and is based on a continuous exchange of information between the consumer and merchant.</p>
<p>One problem most consumers face when using commonly marketed solutions that are meant to safeguard their privacy is that these solutions fail to also create an acceptable value proposition for merchants.  As well, those recently formed companies promising a private web experience will not be able – nor should they even try – to curtail firms from using OBA to reach consumers.  For the foreseeable future, OBA will continue to drive the Internet and “pay” for a much richer and rewarding consumer experience than would otherwise exist.  It may one day be determined, however, that an even more effective means to satisfy all constituent needs of the OBA ecosystem (consumer, merchant, publisher, agency, <em>etc</em>.) will be to find a means to directly correlate between privacy rights, consumer data, and a merchant&#8217;s revenue.</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/9dObDk6jExU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/04/articles/privacy-law/financial-correlation-of-privacy-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/04/articles/privacy-law/financial-correlation-of-privacy-rights/</feedburner:origLink></item>
		<item>
		<title>New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/tvqOOf0ZOmM/</link>
		<comments>http://www.infolawgroup.com/2013/03/articles/hipaa/hipaahitechrules/#comments</comments>
		<pubDate>Mon, 01 Apr 2013 01:58:13 +0000</pubDate>
		<dc:creator>Boris Segalis</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Adherence Communications]]></category>
		<category><![CDATA[Boris Segalis]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[InfoLawGroup]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[PHR Portals]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy enforcement]]></category>
		<category><![CDATA[privacy rule]]></category>
		<category><![CDATA[security rule]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1923</guid>
		<description><![CDATA[Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights’ comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”).  The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rules’... <a class="more" href="http://www.infolawgroup.com/2013/03/articles/hipaa/hipaahitechrules/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights’ comprehensive modifications <a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html">to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”)</a>.  The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rules’ requirements.</p>
<p>The Rules and the HHS commentary are lengthy and complex.  In this post, we offer a detailed look at the Rules’ key changes that are likely to affect most covered entities.  We also discuss several additional requirements that will mostly affect covered health care providers and some non-covered entities.  To help organizations devise a compliance strategy, the blog post also suggests action items, where appropriate.</p>
<p><strong><span style="text-decoration: underline">Key Dates</span></strong>:</p>
<ul>
<li><span style="text-decoration: underline">March 26, 2013</span>:  The Rules became effective.</li>
<li><span style="text-decoration: underline">September 23, 2013</span>:  Covered entities must comply with most of the new Rules’ provisions.</li>
<li><span style="text-decoration: underline">September 25, 2013</span>:  Disclosures of PHI become subject to the new restrictions on sale of PHI.</li>
<li><span style="text-decoration: underline">September 22, 2014</span>:  Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.</li>
</ul>
<p>While the Rules in some respects represent a major departure from the existing HIPAA and HITECH requirements, many of the new provisions accept without change the requirements that the HHS had previously proposed in the interim final HITECH Breach Notification Rule, in October 2009, and in the proposed Privacy, Security and Enforcement Rules updates in July 2010 (the “Interim Rules”).   Entities that have aligned their practices with the Interim Rules will, therefore, have fewer changes to implement.</p>
<p><strong><span style="text-decoration: underline">Overview of the New Rules</span></strong></p>
<p>The changes that the Rules bring for most organizations include:</p>
<p><span id="more-1923"></span></p>
<ul>
<li>The expansion of the definition of Business Associates to include subcontractors that access PHI;</li>
<li>The imposition of direct liability under the Rules on Business Associates for compliance with certain HIPAA Privacy and Security Rule requirements;</li>
<li>Additional and revised provisions that covered entities and Business Associates must include in their BAAs, and a requirement for all existing BAAs to comply with the new Rules by September 22, 2014;</li>
<li>Additional disclosures in covered entities’ HIPAA Privacy Notices, including informing individuals of their right to be notified of breaches of their PHI;</li>
<li>Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI, and a requirement to conduct a documented risk assessment in the event notification is not provided in reliance on the harm threshold; and</li>
<li>An expansion of individuals’ rights to access their PHI.</li>
</ul>
<p>Several other significant changes are primarily relevant to covered health care providers and certain non-covered third parties.  These changes include:</p>
<ul>
<li>Individuals’ enhanced ability to restrict disclosures of certain PHI; this revision affects mostly covered health care providers;</li>
<li>Restrictions on the circumstances in which adherence programs can be conducted without individuals’ authorization; these changes are most relevant to pharmacies and adherence communications providers and their service providers, and non-covered organizations that sponsor adherence communications; and</li>
<li>Clarification of the circumstances in which providers of patient health record portals are subject to HIPAA; these requirements primarily concern covered and non-covered portal owners, sponsors and operators.</li>
</ul>
<p>We address these requirements in detail below:</p>
<p><strong><span style="text-decoration: underline">Business Associate Definition Scope Expansion</span></strong></p>
<p>The Rules clarify the circumstances in which vendors are deemed to be Business Associates, and expand the definition of “Business Associate” to include most subcontractors that access PHI.</p>
<p style="padding-left: 30px"><em>Vendors</em></p>
<p>The Rules clarify that vendors that require “routine” or “more than random” access to PHI are Business Associates, while those that act as “mere conduits” for or have “random access” to PHI continue to be outside the scope of the definition.  This distinction is not based on whether a vendor or a subcontractor has an “opportunity” to access the data, but rather on whether that opportunity is “transient” or “persistent,” with persistent opportunity more likely to deem a vendor a Business Associate.  While entities that are “mere conduits” for PHI are not Business Associates, the Rules emphasize that this exception is narrow.  It is limited to entities providing data transmission services, including services that involve temporary storage of PHI that is incident to the transmission, i.e., courier services and their electronic equivalents, such as ISPs or telecoms.</p>
<p>For those looking for clarity, the HHS notes that the determination of whether access to PHI is “routine” or “more than random” is fact-specific, based on (1) the nature of the services and (2) the extent to which the vendor needs access to the PHI to perform the services.  The HHS expects to issue additional guidance on the types of entities that <em>are</em> and <em>are not</em> Business Associates under the Rules.</p>
<p>Examples of vendors that are likely to be deemed Business Associates include:</p>
<ul>
<li>Providers of data transmission services, to the extent they require “routine access” to the PHI;</li>
<li>Data storage or document storage vendors – whether or not they view the PHI they maintain;</li>
<li>Operators of portals or other interfaces created on behalf of covered entities that allow patients to share their data with the covered entity; and</li>
<li>Entities that provide oversight and governance for electronic health information exchanges.</li>
</ul>
<p style="padding-left: 30px"><em>Subcontractors</em></p>
<p>The Rules also deem a Business Associate any subcontractor to the extent the subcontractor requires access to PHI (a “subcontractor” is an agent or other person other than a member of the workforce to whom a Business Associate delegates a covered function or activity).  The “access” analysis applicable to first tier vendors applies equally to subcontractors.  Importantly, a subcontractor that accesses PHI for the purposes of the Business Associate’s <em>own</em> management or administration or legal compliance does not itself become a Business Associate by virtue of such access.  While subcontractors whom the Rules deem Business Associates have direct obligations to comply with the Security Rule and certain provisions of the Privacy Rule, the new Rules continue to require Business Associates to obtain assurances of confidentiality of the PHI from non-Business Associate subcontractors.</p>
<p style="padding-left: 30px"><em>Hybrid Entities</em></p>
<p>The Rules now require hybrid entities to include within the covered component of the entity Business Associate-like functions that were previously outside the covered component.  An example of a hybrid entity includes an organization that is not generally in the business of providing health care, but, for example, operates on-site health clinics.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Inventory vendors that provide services to the covered entity; Business Associates should in turn inventory their subcontractors;</li>
<li>Determine whether the vendors are Business Associates under the revised Rules;</li>
<li>Review whether each vendor or subcontractor requires access to PHI to perform services for the covered entity or first tier vendor, or whether the access should be curtailed or data de-identified;</li>
<li>Enter into Business Associate agreements with vendors and subcontractors that have become Business Associates under the Rules;</li>
<li>Consider reminding vendors/subcontractors about their obligation to review the Rules and ensure compliance with the relevant Privacy and Security requirements; and</li>
<li>Examine internal health-care related operations, such as on-site clinics and health care plans, to ensure that Business Associate-like functions are brought within the covered components of those organizations.</li>
</ul>
<p><strong><span style="text-decoration: underline">Direct Applicability of Certain Privacy and Security Requirements to Business Associates</span></strong></p>
<p style="padding-left: 30px"><em>Direct Applicability of Security Rule Requirements</em></p>
<p>The new Rules make Business Associates directly responsible to regulators for complying with the Security Rule.  The HHS does not view this direct extension of liability as burdensome to Business Associates because, previously, covered entities were required to flow the requirements of the Security Rule to Business Associates via a contract.</p>
<p style="padding-left: 30px"><em>Direct Applicability of Certain Privacy Rule Requirements</em></p>
<p>The Rules require Business Associates to:</p>
<ul>
<li>Use or disclose PHI only as permitted or required by the BAA or required by law; any other use or disclosure of PHI would be a violation of the HIPAA Privacy Rule for which the Business Associate would be directly liable (such a violation would likely be deemed a breach subject to the requirement to notify affected individuals);</li>
<li>Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity;</li>
<li>Disclose PHI when required by the HHS to investigate or determine the Business Associate’s compliance with HIPAA/HITECH;</li>
<li>Disclose PHI to the covered entity, or to the individual or individual’s designee to facilitate compliance with the individual’s request for his or her electronic PHI;</li>
<li>Provide an individual or the individual’s designee with a copy of their PHI in an electronic format, if the individual so chooses, to the extent the entity maintains PHI in an electronic health record;</li>
<li>Limit the PHI that Business Associates use, disclose or request to the minimum necessary to accomplish the intended purposes of the use, disclosure or request; and</li>
<li>Respond to known noncompliance with the Rules or BAA restrictions by their Business Associate subcontractors.</li>
</ul>
<p>As a result, Business Associates are directly liable under the Rules for failures to fulfill these responsibilities, including:</p>
<ul>
<li>Uses and disclosures of PHI that are inconsistent with the relevant BAA or with the Privacy Rule;</li>
<li>Uses and disclosures of PHI that would violate the Privacy Rule if done by the covered entity;</li>
<li>Failure to disclose PHI when required by the Secretary of the HHS to investigate and determine the Business Associate’s compliance with the Rules;</li>
<li>Failure to disclose PHI to the covered entity, or to the individual to whom the information pertains, or the individual’s designee, as necessary to fulfill covered entity’s obligations to provide the information to the individual;</li>
<li>Failure to make reasonable effort to limit PHI to the minimum necessary to accomplish the intended purposes of use or  disclosure of, or request for, the PHI;</li>
<li>Failure to enter into a BAA with subcontractors that access PHI on their behalf; and</li>
<li>Failure to take reasonable action in response to a covered subcontractor’s noncompliance with the Rules or the requirements of the BAA.</li>
</ul>
<p>Business Associates’ direct liability for violations of the Privacy Rule continues to be limited, and, except as articulated above, liability for Privacy Rule obligations that a covered entity may delegate to a Business Associate remains contractual to the covered entity.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Business Associates should review the Rules’ relevant provisions and ensure that they have the policies, procedures and processes in place to comply with the privacy and security requirements for which they are directly liable under the Rules;</li>
<li>Business Associates should ensure that they have processes in place to monitor their covered subcontractors’ compliance with the Rules and the limitations of the BAAs, and mechanisms in place to take measures to address noncompliance;</li>
</ul>
<p><strong><span style="text-decoration: underline">BAA Updates</span></strong></p>
<p style="padding-left: 30px"><em>Key Date</em></p>
<p>While the Rules make significant changes to BAA requirements, covered entities and Business Associates (and Business Associates and their subcontractors) may continue to operate under existing agreements until <em><span style="text-decoration: underline">September 22, 2014</span></em>.</p>
<p style="padding-left: 30px"><em>Requirements</em></p>
<p>The Rules now require Business Associates to enter into BAAs with their subcontractors pursuant to the same requirements that apply to covered entities with respect to their first tier vendors.  The Rules do not require covered entities to enter into BAAs with their covered subcontractors.</p>
<p>Further, the Rules modify the provisions that govern the content of BAAs, mandating that BAAs:</p>
<ul>
<li>Require Business Associates that carry out covered entity’s obligations under the Privacy Rule to comply with the requirements of the Privacy Rule that are applicable to that obligation;</li>
<li>Require Business Associates to comply, where applicable, with the Security Rule in handling PHI;</li>
<li>Require Business Associates to ensure that any subcontractors enter into a contract or other arrangements to protect the security of PHI; and</li>
<li>Require Business Associates to report security incidents to covered entity “as required by Section 164.410 of the breach notification rules.”</li>
</ul>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Covered entities and Business Associates should prepare and update BAA form agreements to fit their requirements and comply with the new Rules;</li>
<li>Identify Business Associates and, for Business Associates, subcontractors that will be required to sign a new or updated BAA;</li>
<li>Ensure that, going forward, new Business Associate engagements use the updated BAA; and</li>
<li>Initiate update cycle for BAAs with existing Business Associates to ensure that all BAAs are up to date by September 22, 2014.</li>
</ul>
<p><strong><span style="text-decoration: underline">HIPAA Privacy Notice Updates</span></strong></p>
<p>The Rules introduce several new requirements for content of HIPAA Privacy Notices and mandate the redistribution of the updated notices.</p>
<p style="padding-left: 30px"><em>Additional Requirements for HIPAA Privacy Notices</em></p>
<p>In addition to the existing HIPAA Privacy Rule requirements, the new Rules require the HIPAA Privacy Notice to inform individuals that:</p>
<ul>
<li>They have a right to be notified following a breach of their unsecured PHI;</li>
<li>They may be contacted to raise funds and have the right to opt out of receiving such communications;</li>
<li>Most uses of and disclosures of PHI for marketing purposes and sales of PHI require the individual’s authorization (entities that record or maintain psychotherapy notes also must state specifically that most uses or disclosures of such notes require the individual’s authorization);</li>
<li>Uses and disclosures not described in the Privacy Notice will be made only with the authorization from the individual; and</li>
<li>Covered health care providers must state in their Privacy Notices that individuals have the right to restrict certain disclosures of PHI to a health plan when the individual (or any person other than the health plan) pays for treatment at issue out of pocket in full.</li>
</ul>
<p style="padding-left: 30px"><em>Redistribution of HIPAA Privacy Notices</em></p>
<p>The Rules deem the revisions to HIPAA Privacy Notices “material,” and therefore, require redistribution of the updated HIPAA Privacy Notices.  Accordingly, pursuant to the existing HIPAA Privacy Rule, covered entities must (1) prominently post the revised Privacy Notice (or a summary linked to the notice) on their site by the effective date of the changes (i.e., September 23, 2013 at the latest), and (2) provide the revised Privacy Notice in the covered entity’s next annual mailing to affected individuals.  If the notice is not provided via a website, the covered entity must provide it to affected individuals within 60 days of the effective date of the updated notice.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Update HIPAA Privacy Notice to comply with the new Rules;</li>
<li>Verify that the notice accurately reflects the covered entity’s actual practices;</li>
<li>Determine the appropriate mechanism for redistributing the Privacy Notice; and</li>
<li>Redistribute the Privacy Notice within the appropriate timeframe.</li>
</ul>
<p><strong><span style="text-decoration: underline">Breach Notification Requirement Update</span></strong></p>
<p>The Rules introduce comprehensive updates to the requirements governing the investigation and response to potential breaches of electronic PHI.  Specifically, the Rules <em>lower the threshold for notification</em> of affected individuals in the event of unauthorized access to PHI by:</p>
<ul>
<li>Abandoning the current harm threshold that required notification <em>only if</em> the individuals affected by a breach were exposed to a “significant risk of financial, reputational or other harm;” and instead</li>
<li>Presuming that notification is required in all circumstances, except when:</li>
</ul>
<p style="padding-left: 30px">-   The covered entity conducts a risk assessment that establishes that there is a “low probability” of compromise of the PHI; or<br />
-   One of the existing exceptions to the definition of the breach applies (i.e., unintentional good faith acquisition, access, or use of PHI by a workforce member; inadvertent disclosure between two individuals who are otherwise authorized to access the PHI; or disclosure to an unauthorized person who would not reasonably have been able to retain such information).</p>
<p>The required risk assessment to determine the probability of PHI compromise must be thorough, completed in good faith, and reach conclusions that are reasonable.  To meet these requirements, the risk assessment must consider at least:</p>
<ul>
<li>The nature and extent of the PHI involved (i.e., types of identifiers, likelihood of re-identification, and the amount of data and its sensitivity);</li>
<li>The type of unauthorized person who used the PHI or to whom the data was disclosed;</li>
<li>Whether the PHI was actually acquired or viewed; and</li>
<li>The extent to which risk to the PHI has been mitigated.</li>
</ul>
<p>The Rules provide detailed guidance on considering and weighing these factors.  The HHS indicated that it will issue further guidance on conducting risk assessments of frequently-occurring scenarios.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Revise PHI breach investigation and notification policies, procedures and processes to ensure compliance with the new, lower notification threshold; and</li>
<li>Implement a process to conduct and document risk assessments for determining the probability of PHI compromise in the event of a breach.</li>
</ul>
<p><strong><span style="text-decoration: underline">Revised Restriction on Sale of PHI</span></strong></p>
<p>The Rules define the sale of PHI as any disclosure of the information for which the covered entity or Business Associate receives remuneration from or on behalf of the recipient.  Such remuneration may be direct or indirect, and financial or non-financial.  The Rules prohibit such sales, except with a written authorization of the individual to whom the PHI pertains.  The authorization must explain (in terms left to the disclosing entity’s discretion) that the disclosure will result in the covered entity or Business Associate receiving remuneration for the PHI.</p>
<p>The Rules permit disclosures of PHI without the individual’s authorization pursuant to several exceptions, such as:</p>
<ul>
<li>Disclosures by a Business Associate in connection with performance of services for a covered entity (or by a subcontractor for a first tier Business Associate vendor);</li>
<li>Disclosures to individuals to whom the PHI pertains to comply with the individual’s request for access to the PHI or accounting for the disclosure of the information;</li>
<li>Disclosures of PHI required by law;</li>
<li>Disclosures associated with grants or other arrangements to perform studies; and</li>
<li>Certain disclosures for public health purposes and for research purposes (if the remuneration reflects a reasonable fee to cover the cost of data preparation and disclosures).</li>
</ul>
<p>Entities that disclose PHI should verify that the disclosures do not constitute a “sale” under the new Rules.  The revised requirements will apply to any disclosures after September 25, 2013.</p>
<p><strong><span style="text-decoration: underline">Fundraising Restrictions</span></strong></p>
<p>The Rules require fundraising communications to include a method for the recipient to opt out from receiving such communications.  The opt-out methods may not burden recipients with more than nominal cost, and may include a toll-free number or an email address, but <em>not</em> a requirement to write and send a letter, for example, which would be considered too burdensome.</p>
<p>The Rules also clarify that the PHI that may be used for fundraising purposes is limited to individuals’ names, addresses, other contact information, age, gender, date of birth, dates during which the individual received the relevant health care, general department of treatment, and treatment outcome information.</p>
<p>The Rules prohibit conditioning of treatment or payment on the individual’s choice with respect to receiving fundraising communications.</p>
<p><strong><span style="text-decoration: underline">Marketing – Changes in Adherence Communications Requirements</span></strong></p>
<p>The new Rules require authorization for all treatment and health care operations communications where the covered entity or the covered entity’s Business Associate receives financial remuneration <em>specifically</em> for making the communication from a third party whose product or service is being marketed.   The Rules, however, exempt from this authorization requirement refill reminders or communications about a drug or biologic agent currently being prescribed to the individual.  The HHS clarified that “adherence communications encouraging individuals to take their prescribed medications as directed fall within the scope of the exception.”  However, for this exception to apply, the financial remuneration for sending the communication must be “reasonably related” to the cost of making the communication, i.e., limited to the costs of drafting, printing and mailing the communications, and associated costs.  If, however, the remuneration includes an additional payment (e.g., to encourage covered entity’s or its Business Associate’s continued willingness to send the communications), the exception likely will not apply, and the patient’s authorization will be required to send the communications.</p>
<p>Notably, the new Rules represent a departure from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt">HHS’s previous characterization of adherence communications in 2002, when the agency did not agree that</a> “the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service…. For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication. The covered entity also is able to engage a legitimate business associate to assist it in making these permissible communications.”</p>
<p>In addition to the HIPAA/HITECH Rules, adherence communications may also be subject to state laws, such as the California Confidentiality of Medical Information Act (CMIA), which is more restrictive than HIPAA/HITECH and is not preempted by the federal rules.  The practice is also subject to self-regulatory requirements of the National Consumer League’s (NCL’s) Best Practices for Pharmacy Direct to Patient Communications.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>Covered entities and Business Associates that provide adherence communications should examine their programs to ensure continued compliance with the new Rules, as well as with existing requirements under state laws and self-regulatory requirements.</li>
<li>Organizations that subsidize or provide adherence communications will need to examine the financial aspects of their relationships to ensure that the programs do not require individuals’ authorization under the new Rules.</li>
</ul>
<p><strong><span style="text-decoration: underline">Expansion of Individuals’ Rights </span></strong></p>
<p>The Rules expand individuals’ rights to restrict certain disclosures of their PHI and enhance individuals’ access to their PHI.</p>
<p style="padding-left: 30px"><em>PHI Disclosure Restrictions – <span style="text-decoration: underline">Applicable Primarily to Covered Health Care Providers</span></em></p>
<p>The Rules specifically require covered entities to comply with individuals’ requests to restrict the disclosure of their information, to the extent the disclosure satisfies three conditions:</p>
<ul>
<li>The disclosure is for purposes of carrying out payment or healthcare operations;</li>
<li>The disclosure is not otherwise required by law or regulations (including Medicare, Medicaid, and other requirements); and</li>
<li>The PHI subject to the request pertains solely to a health care item or service for which the individual (or family member, or anyone other than the health plan) paid in full.</li>
</ul>
<p>The requirement to restrict disclosure would also bar disclosures to Business Associates.  Under the Rule, the individual retains the discretion to determine for which services he or she wants to pay out of pocket.</p>
<p>A disclosure of PHI in violation of this requirement would violate the Privacy Rule and, therefore, potentially trigger breach response and notice obligations.</p>
<p style="padding-left: 30px"><em>Enhanced PHI Access Rights</em></p>
<p>The Rules require covered entities to provide an individual or the individual’s designee with access to the individual’s PHI, if an individual requests an electronic copy of his or her PHI that a covered entity maintains in the ordinary course of business.</p>
<p>Covered entities must produce the information in the form and format requested by the individual to the extent it is readily producible in such form and format.  Otherwise the PHI must be provided to the individual in another agreed-upon computerized format, such as MS Word or Excel, text, HTML or PDF.  A covered entity that uses or maintains electronic health records with respect to the requested information must provide a copy of the information in an electronic format.</p>
<p>The rule establishes a 30-day period (with an extension available under certain circumstances) for covered entities to comply with an access request, and allows covered entities to charge certain reasonable fees to produce the information.</p>
<p>One of the key goals of the enhanced access rights is to allow individuals better access to electronic health records and to facilitate individuals’ ability to direct the transmission of their records to, for example, an online portal on which the individual maintains her personal health records.</p>
<p style="padding-left: 30px"><em>Suggested Action Items</em></p>
<ul>
<li>With respect to individuals’ right to restrict the disclosure of their information, covered entities (particularly, health care providers) should ensure that their policies are consistent with the new Rules and that they have implemented the technical means to comply with individuals’ preferences.</li>
<li>The enhanced access requirements should prompt covered entities to ensure that they have the technical means to provide copies of individuals’ electronic PHI in an appropriate electronic format consistent with the Rules’ requirements.</li>
</ul>
<p><strong><span style="text-decoration: underline">PHR Portals</span></strong></p>
<p>The Rule clarifies that companies that offer personal health record services (e.g., personal health information storage portals) directly to individuals are not subject to HIPAA, while those that offer such services on behalf of covered entities are Business Associates.  The HHS notes that companies that offer services directly to individuals will not become Business Associates by virtue of entering into interoperability relationships with covered entities to enable consumers to share their information with covered entities, or for covered entities to provide data to a portal, for example, pursuant to the individual’s written authorization.</p>
<p>The HHS observed that health information portals represent a new opportunity that will likely call for additional guidance in the future.</p>
<p><strong><span style="text-decoration: underline">Final Thoughts</span></strong></p>
<p>The new Rules represent an evolution in enhancing the protection of and access to PHI.  While this is a comprehensive update that will require a significant implementation effort, the HHS has made it clear that it intends to issue further guidance on many aspects of the new Rules.  Thus covered entities, Business Associates and other organizations that come in contact with health information should continue to monitor this space closely.  The <a href="https://list.nih.gov/cgi-bin/wa.exe?A0=OCR-PRIVACY-LIST">OCR listserve</a> is a good resource for staying current.</p>
<p>&nbsp;</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/tvqOOf0ZOmM" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/03/articles/hipaa/hipaahitechrules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/03/articles/hipaa/hipaahitechrules/</feedburner:origLink></item>
		<item>
		<title>FFIEC Social Media Guidance Public Comment Revelations</title>
		<link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/zwRuS-PlJfA/</link>
		<comments>http://www.infolawgroup.com/2013/03/articles/social-networking/ffiecsocmedia/#comments</comments>
		<pubDate>Fri, 29 Mar 2013 00:04:35 +0000</pubDate>
		<dc:creator>Richard Santalesa</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[Richard Santalesa]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.infolawgroup.com/?p=1908</guid>
		<description><![CDATA[Earlier this year on January 22, the Federal Financial Institutions Examination Council (&#8220;FFIEC&#8221;),  released for public comment proposed social media-related recommendations for financial institutions entitled, Social Media: Consumer Compliance Risk Management Guidance (the &#8220;Guidance&#8221;) which, according to the FFIEC, was designed to set the foundation for, in final form, &#8220;supervisory guidance&#8221; to the institutions the... <a class="more" href="http://www.infolawgroup.com/2013/03/articles/social-networking/ffiecsocmedia/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Earlier this year on January 22, the <strong>Federal Financial Institutions Examination Council </strong>(&#8220;FFIEC&#8221;)<strong>,</strong>  <a href="http://www.ffiec.gov/press/pr012213.htm">released for public comment</a> proposed social media-related recommendations for financial institutions entitled, <a href="http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf">Social Media: Consumer Compliance Risk Management Guidance (the &#8220;Guidance&#8221;) </a>which, according to the FFIEC, was designed to set the foundation for, in final form, &#8220;supervisory guidance&#8221; to the institutions the FFIEC supervises with encouragement to state regulators to likewise adopt the final Guidance.  Once final and issued for rule making, institutions subject to FFIEC and member oversight will be expected to follow the guidance to &#8220;ensure their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities.&#8221;  The public comment period closed earlier this week and the comments submitted reveal a broad split in positions.</p>
<p><span id="more-1908"></span></p>
<p>The FFIEC is composed of members from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Comptroller of the Currency, the Director of the Consumer Financial Protection Bureau and the Chairman of the State Liaison Committee.  In releasing the draft Guidance, the FFIEC invited public comment on any aspect, but specifically sought comments on the following:</p>
<ol>
<li>Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?</li>
<li>Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?</li>
<li>Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?</li>
</ol>
<p><a href="http://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=PS;D=FFIEC-2013-0001;refD=FFIEC-2013-0001-0001">Eighty comments</a>, from individuals and various institutions, were received by the FFIEC in response, available for review via <a href="http://www.regulations.gov/#!docketBrowser;rpp=50;po=50;dct=PS;D=FFIEC-2013-0001;refD=FFIEC-2013-0001-0001">www.regulations.gov</a>.   Although the software utilized by regulations.gov is not exactly conducive to providing a quick method of downloading submitted public comments, my review indicates:</p>
<ul>
<li><strong>Broad skepticism of and opposition to FFIEC&#8217;s Guidance from individual commenters<br />
</strong></p>
<ul>
<li>Numerous individual comments by those active in the financial industry expressed frustration with or opposition to what many perceived as yet another regulation of financially-related practices, coming after a period of several years in which numerous additional rules, regulations and statutes have been imposed on the financial industry.</li>
<li>A common refrain from individuals, perhaps best distilled by one comment, was &#8220;[p]lease stay out of the social media. There&#8217;s already too much regulation and the industry recovery is constantly being slowed down &amp; costs to the consumer continue to go up because of unnecessary regulations.&#8221;</li>
<li>Others questioned the potential intrusion by employers into employees&#8217; privacy: &#8220;I do not see how you can impose a regulation that will require lenders/brokers to oversee their employees PERSONAL social media activity.  This proposed rule is far too broad and really starts infringing on personal privacy.  Can my employer demand access to all my online presences in order to keep their liability to a minimum?  Will in need to sign some agreement upon hiring to give my employer full access?  Do I no longer have privacy?&#8221;</li>
<li>Finally, others highlighted the failure of the Guidance to distinguish between differing social media applications, noting, for example, &#8220;[t]he guidelines fail to distinguish EXTERNAL (or PUBLIC) uses of social media from INTERNAL (or PRIVATE) uses. * * * The entire document appears to assume that all uses of social media are external. However, many organizations are successfully applying social media for internal uses only.&#8221;</li>
</ul>
</li>
<li><strong>Tentative, but qualified, support from larger entities.</strong>
<ul>
<li>Given that major financial institutions and entities already utilize sizable compliance and legal teams for analyzing and responding, many entities provided comments along the lines of &#8220;while creating additional work &#8230; the proposed Guidance does not present tremendous difficulties for our Bank, as our current policies and procedures include many of the best practices required under the Guidance,&#8221; while simultaneously questioning whether &#8220;the limited space often available on social media channels, [would be sufficient for] including the required disclosures.&#8221;</li>
<li>Likewise, many expressed sentiments along the lines of one comment that &#8220;[t]he major difficulty with trying to regulate social media is the lack of control intrinsic to the medium, and determining what the organization is responsible for.&#8221;</li>
<li>Others questioned whether it was too soon to set firm guidance in place, with thoughts such as &#8220;[e]stablishing sound basic guidelines is a good idea. Trying to accomplish too much too soon is just a bad idea; on any given day a new social media venue could blossom and an existing social media venue could vanish.&#8221;</li>
<li>Many also stated that the technical limitations of certain social media outlets could thwart the FFIEC&#8217;s Guidance.  For example, one comprehensive comment noted at one point, that &#8220;[n]ot every social networking site now enables (or will enable in the future) a practical, consumer-friendly way to include required language or logos&#8221; in urging the FFIEC to keep such matters in mind in formulating its positions.</li>
</ul>
</li>
</ul>
<p>Without doubt, the small but thoughtful number of comments should provide the FFIEC with ample fodder in revising its Guidance prior to any ultimate rule making.  To discuss the Guidance in its current form, or the social media best practices we often recommend to clients, feel free to contact me or any of the attorneys at the InfoLawGroup.</p>
<p>&nbsp;</p>
<img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/zwRuS-PlJfA" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.infolawgroup.com/2013/03/articles/social-networking/ffiecsocmedia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.infolawgroup.com/2013/03/articles/social-networking/ffiecsocmedia/</feedburner:origLink></item>
	</channel>
</rss>
