Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
As the need to help ensure privacy and data security compliance by U.S. companies grows larger, state and federal enforcement agencies are figuring out how best to work together in the absence of a central privacy authority.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor George R. Lynch posed a series of questions to Kirk Nahra, partner at Wiley Rein LLP in Washington and a member of the Bloomberg BNA Privacy & Data Security Law Report advisory board, on the overlapping authority of federal agencies amongst themselves and with state attorneys general in enforcing privacy and data security laws.
There is currently a lot of overlap in areas where federal agencies have enforcement authority. Are there certain types of situations that are particularly problematic in the overlap they create?
Privacy and security enforcement is still a relatively immature/undeveloped area. There are lots of agencies that potentially have enforcement authority, and very little history for most of these agencies. While there is a sense of broad enforcement, in reality we have seen surprisingly little, given the high volume of potential enforcement situations and the large number of agencies that could take action.
Despite this multiplicity of potential enforcement agencies, at the same time, we also are finding that as technology, big data and business practices all change, many of the problems that arise don’t fit neatly into the various laws and existing regulations. So this leads to even more potential for overlaps and confusion.
The biggest areas for overlap today are where there is a specific agency assigned to something (such as the Department of Health and Human Services (HHS) Office for Civil Rights (ORC) for the Health Insurance Portability and Accountability Ace (HIPAA) Rules), and also other agencies that are given explicit authority or could exercise authority over the same people. Using this example, HHS OCR has primary authority for HIPAA violations, state attorneys general (AGs) have explicit and essentially concurrent authority, and the Federal Trade Commission (FTC) believes that it can take action against any company (subject to some jurisdictional limits) that violate the FTC’s own security standards, even if the entity is also subject to HIPAA specifically. And, because HIPAA now applies to business associates directly, there may be a broader variety of situations where there is substantial additional overlap, such as a telecommunications company who is both a HIPAA business associate and subject to the Federal Communication Commission’s (FCC) authority, or a bank that might be subject to both HIPAA and various Gramm-Leach-Bliley Act (GLB) standards.
You have the broad development of new kinds of health-care data that are being generated outside of the normal health-care industry (think wearables), and it is not clear who has authority over those entities, even if there is a lot of reason to be looking at their practices.
On top of that, you have the broad development of new kinds of health-care data that are being generated outside of the normal health-care industry (think wearables, for example), and it is not clear who has authority over those entities, even if there is a lot of reason to be looking at their practices. So, we can expect these overlapping issues to continue for many years, and for the agencies to seek to work together to allocate resources where reasonable.
For companies, it is important to understand any industry specific regulations that apply, but it is also critical to have an overall, holistic sense of the regulatory environment for privacy and security enforcement generally. I find that many companies focus exclusively on their own industry rules without thinking about the bigger picture.
Is going after only the most severe privacy violations the best way for state attorneys general and federal regulators to expend their limited enforcement resources?
Severe is a tricky word. I think about it in terms of impact from an enforcement action, magnitude of the problem and how the issue would come to the agency’s attention. Most agencies to date don’t go out looking for cases—the cases come to them.
Many of the biggest breaches have not (yet?) resulted in enforcement actions—remember, a security breach does not mean there has been any violation of security requirements.
For example, that means that a lot of cases involving recent enforcement come from prominent security breaches, where there has been either media attention or required public notifications. In those cases (if enforcement action follows, which it often does not), enforcement could be driven by volume of the breach (e.g., how many individuals are affected), but it tends to be driven by whether the entity made a meaningful effort at appropriate security practices or not (e.g., the most recent HIPAA cases, where there were modest breaches, but the breaches led to investigations that uncovered that companies were not making reasonable efforts at appropriate security practices). So, a lot of the cases actually involve relatively small breaches where the effort to comply was lacking.
Conversely, many of the biggest breaches have not (yet?) resulted in enforcement actions—remember, a security breach does not mean there has been any violation of security requirements. On the privacy side, you are more likely to see cases that involve particularly bad behavior or particularly prominent businesses. For example, the FTC has taken action against companies like Facebook and Google, driven by advocates who bring these issues to the FTC’s attention, with an apparent goal of addressing broad impact practices, with or without any kind of precedential effect or broader industry impact for other companies.
In other cases, they go after practices where they have one example of something that they see as a broader problem affecting many companies. So, agencies are always picking their spots, but “severe” is only one of the variables.
Is the legal authority delineating the situations in which the FTC, FCC, and HHS have jurisdiction clear, and are they being interpreted consistently by the agencies?
In most situations, there isn’t any effort in the laws or regulations to draw these lines. The FTC does what it thinks it can do, the FCC does what it can do (based on laws and regulations covering its authority) and HHS does the same. If there were some over-riding national privacy law, we might see an effort to draw these lines, but there is no such effort in the law today.
You have the theoretical situation where a company (for example, a business associate under HIPAA), could be subject to HHS, all 50 state AGs, the FTC, and some other industry regulator depending on their particular business. I am sure we will see some cases where there is this kind of pile-on in a coordinated case, but it has also been pretty unusual so far. There are more than enough potential cases to go around, so it is mainly an issue of enforcement philosophy and resources.
I think the agencies for the most part try to play nicely together on these issues, and that will work generally for as long as it works, but then there will come a situation where it won’t. There are a handful of situations (e.g., breach notification rules involving HIPAA records for HHS and personal health records for the FTC) where there was an explicit effort to draw these lines, but that is pretty unusual.
State attorneys general have been playing an increasingly significant role in privacy enforcement. Is there a clear standard dictating where they take the lead in enforcement versus federal agencies?
I’m not sure I’d agree that they are playing an increasingly significant role. I’ve actually been surprised that there haven’t been more cases involving state AGs. With that said, it is clear that more state AG offices are building expertise in this area and looking at enforcement potential. There is no clear standard at all dictating where a state (or many states) would take the lead over federal regulators.
Also, given most privacy and security situations, there also is no clear guidance on when one state would take a lead over another state. AGs have worked together in a lot of situations outside of privacy and security, so there are some working models, but they haven’t played out yet in this area.
They have been responsible and generally reasonable in their enforcement. If you have repeat problems, or aren’t making a meaningful effort to comply, enforcement is far more likely. If you make a mistake, but you have a good program and generally are in compliance, they don’t hammer you for the mistake.
For a large scale security breach, for example, there might be notification to about 20 states directly, with the possibility that any other state could also act. There is no current guidance on whether there is a primary state AG or not, based on number of impact individuals, the location of the breaching company or anything else. I would expect this to evolve over the next few years, but it has not yet been an issue since there haven’t been that many cases where a lot of AGs have tried to act (or where a state has tried to act instead of a federal regulator or on top of a federal regulator).
Are federal agencies on the right track towards making privacy and data security enforcement work effectively, or are more fundamental changes necessary?
I think they are generally on the right track, although (as I said above) this is not yet a mature enforcement area. The FTC has the longest tenure in this area, and while folks may quibble with individual cases, they generally have been very responsible and thoughtful on their enforcement efforts.
While you don’t publicly see the cases they investigate but do not bring, there obviously have been many situations where enforcement “could” have happened, but the FTC did not act. HHS OCR is the same way—they had an initial approach that focused on education, mitigation, training and guidance, rather than enforcement, and that has continued to be the primary approach.
They have been responsible and generally reasonable in their enforcement. If you have repeat problems, or aren’t making a meaningful effort to comply, enforcement is far more likely. If you make a mistake, but you have a good program and generally are in compliance, they don’t hammer you for the mistake. So, I think enforcement overall has been reasonable and appropriate (to borrow a phrase from the security area), and has reflected a reasonable compromise between the interests of individuals and the interests of the regulated businesses, as well as a realistic understanding by the regulators of the need for innovation and the efforts of businesses to protect data while at the same time serving their customers and others. So, I don’t think, there is any fundamental change needed on the enforcement side.
I do think we are seeing an increasing range of situations where there either are no clear privacy standards for certain kinds of activities or where the current sectoral approach to privacy isn’t working well, so that there will need to be some broader effort to define appropriate legal standards that could lead to enforcement. Right now, for most businesses that are outside of the handful of regulated areas, they are looking for guidance and rules (to some extent) to help guide their practices, but currently we do not have a lot of those standards as law or regulation, just reasonable best practices and emerging industry standards.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)