Cybertorts, Privacy, and Government Regulation - PowerPoint PPT Presentation

Provided by: davidb9
Learn more at: http://www4.ncsu.edu
Transcript and Presenter's Notes


1
Cybertorts, Privacy, and Government Regulation
  • David Baumer
  • Spring, 2001

2
Cybertorts
  • The notion behind cybertorts is that the Internet
    has created a connectedness that was not present
    previously
  • Two areas of tort that are most impacted by the
    Internet
  • Defamation
  • Invasions of Privacy
  • For defamation much of the action pertains to
    liability of third parties for rebroadcasting the
    defamatory comments

3
Defamation in Cyberspace
  • Defamation--can be oral or written
  • By and large cyberspace defamation is written so
    libel standards apply
  • Defamation requires a showing that
  • The defendant made or repeated false statements
  • that were witnessed by third parties, and
  • Harmed the reputation of the plaintiff
  • If the media is the defendant and the pl. is a
    public figure, the pl. must show that the def.
    knew or should have known that the statements
    were false

4
Defamation in Cyberspace
  • The crucial issue in cyberspace defamation cases
    is how to treat ISPs
  • If the ISP is treated as a publisher, then they
    have tremendous liability exposure
  • If the ISP is treated as a bookstore, then they
    are basically not liable for the contents of
    those using their service unless they contribute
    to the content of the message
  • Bookstores are treated as distributors of the
    material and are not liable unless they knew or
    should have known that the material they transmit
    is defamatory

5
Defamation in Cyberspace
  • In the early cases, liability of the ISP was
    based on whether the ISP supervised the content
    of the users of their service
  • The unfortunate result was that ISPs that tried
    to clean up content of users in terms of
    obscenity, were liable for defamatory content of
    other users
  • Congress did not like this outcome so they passed
    the Communications Decency Act (CDA) of 1996
  • Section 230(C) of the CDA provides that "no
    provider or user of an interactive computer
    service shall be treated as the publisher or
    speaker of any information provided by another
    information content provider."

6
CDA of 1996
  • Congress said in the CDA that there shall be no
    liability if an ISP restricted obscenity
  • Inconsistent state laws dealing with defamation
    were preempted by this legislation
  • Employer liability
  • Given the ease of constructing ISPs, many
    employers are ISPs within the meaning of the CDA

7
CDA of 1996
  • The CDA could be used to shield employers from
    liability--if the employer qualifies as an ISP
  • the employer could say that they had evidence of
    wrongdoing by the former employee and therefore
  • the employer had no reason to believe that the
    statements made about the employee were false
  • Also note that there are an increasing number of
    states that have exempted employers from
    liability unless they knew or had reason to know
    the statements were false

8
Privacy and the Internet
  • The value Americans place on privacy is enshrined
    in the 4th Amend.
  • The 4th Amend. pertains to govt. intrusions
  • For invasions of privacy by private
    (nongovernmental) sources
  • Common law torts are available
  • Increasingly, statutes are being passed to
    augment the reach of invasion of privacy claims

9
Privacy and the Internet
  • The courts use the term "reasonable expectation
    of privacy" when analyzing whether an invasion of
    privacy has taken place
  • The term is used both in 4th Amend. cases and in
    tort suits between citizens
  • At common law an unreasonable intrusion into the
    pl.'s solitude is considered a tort
  • Hidden cameras would be an unreasonable intrusion
    as would wiretaps, listening devices,
  • Reasonable expectation of privacy is not
    warranted w.r.t. information given out over the
    Internet

10
Privacy and the Internet
  • While it is not reasonable to expect privacy when
    information is given to a third party over the
    Internet
  • It is reasonable to expect privacy if the
    recipient guarantees that the information will
    remain private
  • Companies that do not adhere to their stated
    privacy policies are vulnerable to suit both from
    a citizen and from the FTC
  • Furthermore a web site may incur liability for
    invasion of privacy if the information is
    collected without knowledge or consent of the
    person
  • Web sites that attach cookies or collect
    information for one purpose such as a contest
  • Web sites that store sensitive information such as
    medical or financial are already subject to
    statutory regulation

11
Privacy on the Job
  • For private employers
  • Drug testing is very common
  • There are some states that require probable cause
    once a person has been hired
  • For public employers
  • Drug testing is a search
  • With a lot of exceptions there must be a showing
    of probable cause to require a drug test
  • Exceptions occur when
  • Public safety is involved
  • The employee is in a sensitive position such as
    law enforcement

12
Polygraph and Psychological Testing
  • Polygraph Testing Act of 1988 virtually outlawed
    employer testing unless
  • The employee is working in security or
  • Has been accused of theft and documented
    procedures are used
  • A very few states guarantee the right of privacy
  • In CA there have been employee questionnaires
    that have been violative of the right of privacy
  • In general employees should not assume that
    on-the-job counselors will keep information
    conveyed to them confidential

13
On the Job Monitoring by Employers
  • Technology has been enlisted to enhance
    on-the-job monitoring
  • Software is available to track Internet journeys
    of employees
  • Cameras, hidden or visible, monitor physical
    movements
  • Monitoring unrelated to on the job performance
    can be a common law tort
  • It is prudent to warn employees, thus negating
    reasonable expectations of privacy
  • Monitoring itself can decrease undesirable
    behavior

14
Phone Calls and Email
  • The Omnibus Crime Control Act of 1968 prohibited
    on-the-job monitoring of employee phone calls
    unless
  • It occurs in the regular course of business or
  • The employee consents to the monitoring
  • The 1986 Electronic Communications and Privacy
    Act
  • Allows employers the same access to employee
    emails on the job
  • Again, if employees are informed that their
    emails can and will be monitored there is no
    reasonable expectation of privacy

15
Privacy On The New Frontier of Cyberspace
  • The Federal Trade Commission (FTC) has authority
    to combat unfair and deceptive trade practices
  • Much of the FTC's Internet work has been in their
    consumer protection branch
  • http://www.ftc.gov/ftc/consumer.htm
  • In the Consumer Protection branch there are a
    wide range of activities that the FTC has listed
    as unfair and deceptive trade practices

16
Privacy On The New Frontier of Cyberspace
  • FTC Fair Information Practices
  • Notice/Awareness--consumers should be notified as
    to who is gathering the data and the uses that
    will be made of that data
  • Choice/Consent--consumers should consent to any
    secondary use for the data. There should be
    opt-in and opt-out provisions.
  • Access/Participation--consumers should have the
    right to contest the accuracy of the data
    collected.
  • Integrity/Security--there should be managerial
    mechanisms in place to guard against loss,
    unauthorized access, or disclosures of the data.
  • Enforcement/Redress--there should be remedies
    available to victims of information misuse.

17
Privacy On The New Frontier of Cyberspace
  • Essentially, the FTC would like all web sites
    that collect consumer information to adhere to
    these principles
  • FTC surveys indicate that 97% of web sites
    collect personal information from visitors
  • About 50% provide for opt-out provisions on the
    information collected
  • About 43% of the web sites provided consumers
    with access to the records collected about them
  • Only 20% of the web sites surveyed adhered to all
    of the FTC Fair Information Principles

18
Data Collection and Computers
  • As everyone knows more and more records are being
    computerized
  • Compared to paper records the opportunity for
    snooping has dramatically increased
  • Much of the sensitive information is stored on
    government files
  • In some (many?) cases the govt. is extremely lax
    in who they allow access to data collected from
    citizens

19
Internet Data Collection and Cookies
  • Note that many web sites advertise their ability
    to equip you with the tools to snoop on
    neighbors, coworkers and relatives
  • The FTC has developed information on identity
    thieves
  • On a routine basis web sites attach cookies to
    visitors
  • Cookies can have beneficial uses for web sites
    and visitors alike, but in general cookies amount
    to an involuntary extraction of information
  • Web sites that use cookies are most interested in
    the clickstream of the browsers--where has the
    browser been since the last visit

20
Internet Data Collection and Cookies
  • Certainly cookies violate some of the FTC Fair
    Information Principles
  • More and more web sites are now discussing their
    use of cookies in their privacy statements
  • The FTC's actions in the Geocities case
    illustrate some of what the FTC considers unfair
    and deceptive
  • Certainly corrective action was taken by Yahoo,
    but there are thousands of violators
  • Also third party verifiers have emerged such as
    TRUSTe that certify adherence to certain privacy
    policies

21
Internet Data Collection
  • One of the problems is that online vendors are
    forced to collect a lot of information from
    customers in order to verify their identity
  • Unless the vendors use commercially reasonable
    attribution procedures, they cannot charge
    customer credit cards
  • Commercially reasonable attribution procedures
    include collecting name, credit card, addresses,
    email names and other names

22
Internet Data Collection
  • According to the FTC your identity can be stolen
    by co-opting your name, Social Security number,
    credit card number, or some other piece of your
    personal information for their own use.
  • Identity thieves can
  • Use credit cards to defraud victims
  • Open bank accounts
  • Open cellular phone accounts

23
Internet Data Collection
  • Egghead.com's privacy policy reflects the modern
    reality of E-Commerce
  • For credit card transactions the transmissions
    are encrypted
  • Egghead will refund $50 to you for any liability
    you encounter so long as you are blameless if
    your credit card number is used by a fraudulent
    party
  • Egghead does make your email address available to
    third parties they select
  • Note that there is an opt-out option
  • Egghead claims that they will not sell consumer
    information to third parties

24
Internet Data Collection
  • Egghead does collect information obtained from
    customers
  • For purposes of reporting to advertisers
  • Egghead gets more money from advertisers the more
    traffic they have at their web site.
  • They claim not to reveal any unaggregated data to
    the advertisers
  • In connection with games and contests information
    is collected and shared with third parties, again
    with an opt out option
  • The third parties have to pledge not to resell
    the information

25
Internet Data Collection
  • Egghead does attach cookies to your browser to
    assist them in determining your buying
    preferences
  • Egghead says it does not sell or rent information
    collected from cookies to third parties

26
Children's Sites
  • Again the FTC has been active in this area
  • The Geocities case is just one example
  • The FTC considers it an unfair and deceptive
    trade practice to collect information from
    children without parental consent when that
    information will be used for another purpose
  • Congress has passed the Children's Online Privacy
    Protection Act of 1998, which basically requires
    the same safeguards
  • Children are defined as those under 13
  • Most of the FTC Fair Information Principles are
    required
  • Notice, an opportunity to review, opt out,
    security and confidentiality

27
Financial Records
  • Financial Records: The Gramm-Leach-Bliley Act,
    1999
  • The Privacy aspects of the Act are summarized by
    the beginning of Title V
  • "It is the policy of the Congress that each
    financial institution has an affirmative and
    continuing obligation to respect the privacy of
    its customers and to protect the security and
    confidentiality of those customers' nonpublic
    personal information."
  • The Act requires that financial institutions
    insure the privacy and confidentiality of
    customer records and information

28
Financial Records
  • The Gramm-Leach-Bliley Act also requires
    financial institutions to
  • Provide protection against any anticipated
    threats or hazards to the security or integrity
    of those records, and
  • Protect against unauthorized access to or use of
    such records or information.
  • It is clear that the Act prohibits giving out of
    nonpublic information to 3rd parties without
    notice and an opt out option
  • The Act prohibits giving out account numbers and
    credit card information to unaffiliated third
    parties for use in telemarketing, email and
    direct mailings

29
Medical Records
  • The Health Insurance Portability and
    Accountability Act of 1996
  • There are two parts to this legislation
  • One part deals with denial of health insurance
    when a person changes jobs and this part has been
    successful
  • The other part deals with the privacy of medical
    records
  • Regulations drafted by HHS prohibit
    nonconsensual secondary use of medical records
  • It allows transfers of medical records among
    healthcare providers, insurers, and HMOs
  • Other transfers of medical information must be
    approved unless they fall into certain exceptions

30
Medical Records
  • The HIPAA exceptions include
  • Public health authorities
  • Medical researchers
  • Law enforcement
  • Officials performing oversight functions for
    purposes of determining whether fraud has taken
    place
  • There are other exceptions
  • The revised regs. from HHS have just been
    approved for use; implementation has been stayed

31
European Union and Privacy
  • In the U.S. there is a much greater reliance on
    self-regulation than in the EU
  • The EU passed a Data Protection Directive that
    prohibits sharing data with any country that does
    not subscribe to their heavily regulated
    standards
  • The Department of Commerce has fashioned some
    regulations that seem to satisfy the EU at present

32
Medical Records
  • Most people prefer to have control over their
    medical records
  • Medical records can deal with some very sensitive
    issues
  • In addition medical records typically deal with
    lifestyle issues
  • Many people at one time in their lives sought the
    help of a mental health professional or
  • Were treated for cancer, an STD, and so on

33
Passage of HIPAA in 1996
  • At the time of the passage of HIPAA there was no
    federal protection for the privacy of medical
    records except for
  • Privacy Act of 1974
  • Does not cover records held by private entities
  • Americans with Disabilities Act
  • Does not cover the nondisabled or the disabled in
    many situations
  • Doe v. Septa case is a real eye-opener

34
Invasions of Privacy
  • Invasions of Privacy with respect to medical
    records can take many forms
  • Unauthorized secondary use of medical records
  • Inaccuracies that are not corrected
  • Discovery and disclosure by unauthorized
    individuals such as hackers, employees, vendors,
    neighbors

35
Office Snooping
  • Doe v. Septa
  • There is a Linda Tripp in every office
  • Note that there is no prohibition against
    employers making use of medical records in
    employment decisions
  • Also note that computer files are more accessible
    than paper files

36
Future Privacy Issues
  • In the future, medical privacy is only going to
    get more difficult to secure
  • There is a trend toward larger and larger medical
    databases of computerized medical records
  • Computerized records radically lower the costs of
    acquiring, storing, and integrating medical
    records
  • DNA testing probably has the greatest potential
    for treatment breakthroughs
  • DNA results in the medical records could have
    more damaging effects on future insurability and
    employability

37
Need For Reform
  • Much of HIPAA is devoted to the privacy of
    medical records
  • Since HIPAA was passed the issue of health
    insurance portability has receded while concern
    about privacy of medical records has increased
  • Federal government is dealing with privacy issues
    on several fronts, most notably, on the Internet

38
Fair Information Principles
  • The FTC developed Fair Information Principles in
    connection with the Geocities case, but other
    branches of govt. and private associations have
    reached the same conclusions regarding privacy
    and storage of information
  • Fair Information Principles (according to the
    FTC)
  • Notice/Awareness Choice/Consent
  • Access/Participation Integrity/Security
  • Enforcement/Redress

39
HIPAA-Mandated Rule
  • When HIPAA was passed it was anticipated that
    Congress would enact privacy legislation
  • Congress was given until August 21, 1999
  • That deadline came and went and HHS was required
    to promulgate its own regulations
  • These regulations became law in April of 2001.
  • Actual implementation is scheduled to take place
    in phases several years from now--a minimum of 2
    years

40
HIPAA Rule Goals of HHS
  • The goals of HHS HIPAA Regs. are an adaptation of
    the FTC Fair Information Principles
  • Allow for free flow of medical information to
    promote treatment, payments, and healthcare
    operations
  • Prohibit secondary uses of medical information
    unless authorized by the subject of the info
  • Allow individuals access to their own records and
    give them an opportunity to correct errors

41
Goals of HIPAA Regs.
  • Continuing with the goals of the HIPAA Rule
  • Allow individuals to know who is using their
    health information and how it is being used
  • Require persons who hold identifiable health
    information to safeguard that information from
    inappropriate use or disclosure
  • Hold those who store health information
    accountable for their handling of the information

42
Rules of Thumb
  • HIPAA limits jurisdiction of HHS Rule to covered
    entities
  • Healthcare providers, health plans (insurance
    companies are included), and healthcare
    clearinghouses
  • HHS laments its lack of ability to totally
    control electronic transfer of health information
  • HHS develops the business partner concept for
    those that receive medical information from a
    covered entity

43
HIPAA Rules
  • Protected healthcare information could be
    transferred within covered entities without
    authorization of the patient if
  • The transfers were for the purpose of
    facilitating treatment, payment, or healthcare
    operations
  • Special protections are provided for notes of
    psychotherapists

44
HIPAA Rules
  • Other transfers of health information would
    require authorization of the patient except if
  • The transfer of information fell into one of 12
    designated categories
  • Oversight of the healthcare system, public
    health, medical research, law enforcement,
    emergency situations, government health data
    systems, financial payment plans through banks
    that facilitate credit cards, and where state law
    requires disclosure

45
Survey of Healthcare Workers
  • We could discuss the exceptions for a good bit
    but we must move on.
  • Basically the HHS Rule does not interfere with
    existing practice in the healthcare sector
  • Most of the disclosures are taking place today
    under govt. authority, to prevent fraud, or to
    facilitate payments
  • What we did is survey those in the trenches, the
    healthcare workers with access to medical records

46
Survey of Healthcare Workers
  • Demographics of respondents
  • 133 females, 30 males
  • 114 whites, 40 AA, 9 Hispanics
  • Average age 44.6, average experience 10.6, and
    average time with employer 5.2
  • Respondents were quizzed about 14 statements from
    1 = strongly disagree to 7 = strongly agree

47
Survey of Healthcare Workers
  • Variables that emerged from frequency data
  • Collection of data
  • Survey results indicate clearly that the
    respondents were not troubled by the collection
    of data from patients
  • Presumably, collection of information facilitates
    treatment as well as providing healthcare workers
    with some valuable information

48
Survey of Healthcare Workers
  • Variables that emerged from analysis of frequency
    data
  • Accuracy of records
  • Healthcare workers were very aware that medical
    records often contain errors.
  • They agreed (an average of 5.31 on a 7 point
    scale) with 4 statements that indicated that
    their employer should spend more time and
    resources making sure that the records were
    accurate

49
Survey of Healthcare Workers
  • Healthcare workers
  • Were very concerned about who had access to the
    medical records of patients
  • At an average of 5.94 on the 7 point scale they
    agreed with statements that inappropriate and
    unauthorized access to medical records is made
    too easy by computerized records
  • Healthcare professionals know that at their
    facility, anyone working there can gain access to
    any patient's medical records

50
Survey of Healthcare Workers
  • Unauthorized secondary use was nearly universally
    condemned by healthcare workers, especially if
    the records are sold for a profit
  • Much the same implications emerge from factor
    analysis of the responses to these 14
    statements
  • Note that the sale of medical records for a
    profit is not one of the 12 exceptions in the HHS
    Rule

51
Implications
  • Policymakers have acted to protect the privacy of
    medical records
  • There are many who say that the Administration's
    actions have been too weak
  • Others say just the opposite
  • It is fair to say that the HHS Rule does not
    upset current commercial practices by allowing 12
    exceptions to the rule requiring individual
    authorization before secondary use
  • On CNN HHS officials admitted that they could not
    anticipate threats to privacy of medical records
    in the future

52
Implications
  • The results of our survey of healthcare workers
    revealed that they are well aware that
  • Medical records are often inaccurate
  • Too many people have access to these records
  • Unauthorized secondary use of medical records is
    an abuse of the trust that patients place in
    healthcare providers
  • Even though there are profits to be made from the
    sale of medical records, such transactions
    are an abuse of patient trust