
E-Matters Privacy and More: What YOU Need to Know!


Page 1

e-Matters, Privacy, and More: What YOU Need to Know!

Presented by:
Brian T. Casey, Partner
Patrick J. Hatfield, Partner

October 13, 2009
Association of Corporate Counsel – Georgia Chapter Monthly Luncheon

ATL Doc# 381372_3

Page 2

Agenda

• Preliminary Comments
• 6 Point Risk Framework
• Case Law Update
• Overview of e-Payments
• e-Delivery
• Assurances for your e-Sign vendor/IT Department
• Telemarketing Rules Updates
• Privacy & Security Laws Updates
• Q & A

Page 3

Preliminary Comments

• A reasonably well designed process, supported by solid technology, can actually reduce risk relative to a traditional process

• It’s more about process and workflow than it is about technology, but technology plays an important role

Page 4

Preliminary Comments

• In designing where the records will be stored and which records will be kept, consider long-term e-discovery implications

• Use of e-signatures for existing customers still presents a huge opportunity for savings and customer retention

Page 5

Preliminary Comments

• Consider use of e-sign process for your workforce for various acknowledgements, authorizations, enrollments, elections and deliveries

• Consider buying the solutions rather than building - the choice of vendors continues to improve

Page 6

Preliminary Comments

• See link for more info: http://www.lockelord.com/services/ServiceDetail.aspx?service=371

• Occasionally we will send out an e-Matters alert on this and related topics; refer to the last slide for more information

Page 7

Basics of e-Sign Laws in the U.S.

• Federal e-Sign law effective Oct 1, 2000

• 47 states have adopted UETA (not IL, NY or WA)

• Preemption in fed law limits state variation

• Companies can implement a national e-sign process

Page 8

Basics of e-Sign Laws in the U.S.

• “e-Signature”: electronic sound, symbol, or process attached to or logically associated with a contract or record and executed or adopted with intent to sign the record

- Many different forms of e-sign technologies

- Clicking “I AGREE” or saying “I AGREE”

- One may sign electronically a tangible document

- May use a voice signature to sign a “hard copy”

Page 9

Basics of e-Sign

• e-Sign laws don’t elevate e-signatures; they provide only that signatures and records may not be denied because they are electronic

• All other contract principles apply, such as evidentiary rules, unconscionability, fraud, etc.

Page 10

Basics of e-Sign

• Documents required to be provided in writing may be e-delivered

• Consumer disclosures may be e-delivered, with an extra step

Page 11

Voice Signatures

• Single call to do it all

• “4 Corners” principle

• Consumer disclosure challenge

• Need to audit

• Viable alternatives

• Shroyer v. New Cingular Wireless

Page 12

6 Point Risk Framework

Page 13

Page 14

Page 15

e-Signature Mock Trials

• Why we did it

• Online customer purchase scenario

• Key Lessons:

– Challenge of conveying complex testimony about technology system and process

– Proper e-signature process and audit trail may reduce risks existing in current processes

Page 16

Web: Unknown Customer – Work Flow Process Diagram

Page 17

6-Point Framework

• Developed over time from risks identified by clients and attendees at sessions like this

• Framework helps distinguish the risks, so the mitigation strategy can be matched to the level of paranoia

• Helps multi-disciplinary team communicate

Page 18

6-Point Framework: Risks

• Authentication Risk – “That’s not my signature”

• Repudiation Risk – “That’s not what I signed”

• Admissibility Risk – “Objection, your honor!”

• Compliance Risk – “I never saw that”

• Adoption Risk – “Am I done yet?”

• Relative Risk – “How does it compare to the traditional way?”

Page 19

6-Point Framework: Mitigants

• Authentication Risk – Use “shared secrets” or other ways to affirm identity

• Repudiation Risk – Hash each document and hash the audit trail

• Admissibility Risk – Determine who is able and willing to testify – upfront, read Markel

• Compliance Risk - Varies

• Adoption Risk – Test, adjust, test, repeat

• Relative Risk – Still important

Page 20

Sample Project 1 - Life Insurance Application E-Signed on PDA

• Scenario: “Turbo App” - Face-to-Face home life insurance solicitation; no consumer required device

• Document at Issue: Life insurance application and life insurance replacement notice and other consumer disclosures with delivery receipt

Page 21

Sample Project 1 - Life Insurance Application E-Signed on PDA

• Key Law in Play: Insurance code governing insurance application, replacement notice

• Process Design: content provided in paper form but embedded in PDA; customer reads physical content, agent inputs answers in PDA with interactive pop-ups using stylus, customer signs on PDA and signed documents printed for customer on site or mailed

Page 22

Sample Project 2 – e-Delivery Notices of GLBA Privacy Notices

• Project A - Website delivery of e-privacy notice by national personal lines property & casualty insurance agency

• Project B - Telephonic IVR system for written consent to disclosure of non-public personal financial information of personal lines property & casualty insurance customer

Page 23

Case Law Update

Page 24

Case Selection Criteria

• Some are employer/employee cases – employees and consumers may be viewed alike by the courts, esp. in area of disclosures

• Our review, based on broad Lexis net, is current

• Receive our e-Matters updates (see last slide)

Page 25

Long v. Time Insurance Co.

• Federal Court in OH, decided in mid 2008

• Application for health insurance signed by the agent, after being reviewed and confirmed by the insured (health insurance)

• Policy issued, with app attached

• Based on pre-existing condition discovered at claim time, Time denied coverage

• Insured (rep of insured) claimed insured verbally disclosed pre-existing condition to the agent

Page 26

Long v. Time Insurance Co.

• Very helpful case for insurers looking for support of use of e-signature in application process, especially where the signed application is provided with the policy issue

• Court discusses various other traditional reasons to hold for Time

• See our extensive write-up on this case

Page 27

General Dynamics Line of Cases

• Kerr v. Dillard (D. Kansas)

• Verizon Communications v. Pizzirani (Federal Court in PA, 2006)

• Bell v. Hollywood Entertainment Corp. (Ohio Appeals Court, 2006)

• Campbell v. General Dynamics (Federal Court of Appeals 1st Circuit, 2005)

Page 28

General Dynamics Line of Cases

• Cases are instructive in designing a process (for employees or consumers in the new business process).

- e-Delivery can be effective, regardless of whether the person to be bound actually opens or reads the substantive new terms

- Critical to the process is making the significance of the e-Delivered document very clear and requiring an affirmative act to signify acceptance, such as “clicking” I agree

Page 29

Point of Sale Process

• Labajo v. Best Buy Stores (Federal Court NY, 2007)

• Process involved selling subscriptions by including not-so-conspicuous notices on printed receipts, when the consumer used the electronic signature pad to sign for purchases

• Case was a class action based on improper charges when plaintiff did not timely cancel “free” subscription

Page 30

Point of Sale Process

• The court held the process was flawed because BB did not show the keypad made clear to the consumer the consequence of signing for a “free” subscription

• BB compounded the problem by not responding well to consumer complaints

• Case is noteworthy on the process of making the significance of certain actions very clear and the class action risk

Page 31

Voice Signature

• Shroyer v. New Cingular Wireless (Federal Appeals Court, 2007)

• Process involved printed terms and conditions in the box with the phone – to activate the phone, consumer dials a number and electronically accepts the printed terms in the box

• The court held that the process was just fine

• The terms in the box can of course be signed in this fashion

Page 32

Voice Signature

• The court refused to enforce the terms of the contract signed in this fashion because they were unconscionable

• Case is instructive because, as we have helped clients do, one can use an electronic signature (including saying “I agree”) to sign a document in hard paper

Page 33

Class Action Risk

• Brueggemans v NCOA Select, et al. (Federal District, June 29 2009)

• Process involved website sale of insurance-extended warranty insurance for a phone

• Website T’s & C’s – mandatory arbitration

• By clicking to proceed, consumer accepted T’s & C’s

• Court enforced the T’s & C’s, including arbitration

Page 34

Class Action Risk

• Automated e-sign processes will result in greater consistency and more accessible record of each person involved

• Consistently right, or consistently wrong

• Possibly greater class action risk

• Options for mitigating the greater class action risk

• Seriously consider the class action risk

Page 35

Absent Cases

• The opinions re: the processes used in Time, Bell, Verizon and Kerr are helpful for the financial services sector broadly

• We have yet to see the case where the consumer claims he never signed the application for insurance or the loan (Long in Time may have come close) – to do so admits no coverage

Page 36

Summary

• We’ve yet to see a bad case, but there are a few bad processes

• The courts are not struggling to recognize electronic signatures can be enforceable

• Take-away: Courts continue confirming e-Delivery and e-Signatures in the employee/consumer settings, as long as the significance of the action accepting new terms is made clear to the person

• Plan for admissibility; we suspect there will be more disputes in this area

Page 37

Overview of e-Payments

Page 38

e-Payments

• Remember the other payment laws and rules:

- ACH – Reg E and NACHA rules and the contract with your bank

- Credit cards and debit cards – merchant agreements, PCI standards

• Rules vary by payment type (ACH vs. card) and whether one-time vs. recurring payment

• Consider using a payment processor better equipped to handle some of these compliance burdens

Page 39

e-Delivery of the Fulfillment Package: Can it be Done?

Page 40

e-Delivery

• Yes – e-Delivery is permissible

• Requires clear consent from recipient

• Consider obtaining consumer’s consent for e-delivery for all permitted notices, such as:

- GLB annual notices

- FCRA opt-out notices

- Security breach notices

- Other notices that may be required

Page 41: E-Matters Privacy and More: What YOU Need to Know!

41

e-Delivery

• e-Delivery method can reduce risk:

- proof of delivery of complete package

- proof of when delivery occurred

• e-Delivery can also present a quandary: what happens if consumer does not retrieve package/notice?

Page 42: E-Matters Privacy and More: What YOU Need to Know!

42

e-Delivery

• Better method appears to be:

- email alert that something is ready

- consumer logs into secure site to access

materials

Page 43: E-Matters Privacy and More: What YOU Need to Know!

What Assurances Should You Get From Your e-Sign Vendor or

Internal IT Shop?

Page 44: E-Matters Privacy and More: What YOU Need to Know!

44

Assurances from e-Sign Vendors/IT• Avoid surprises- ask now who will be there to

testify on critical points:– System creates an Audit Trail– Audit Trail is securely archived – What is generated and available as evidence

• One credible source reports significantly improved settlement conferences

Page 45: E-Matters Privacy and More: What YOU Need to Know!

45

• Audit Trail and each document/record presented, including each that was signed, are unaltered without detection

• Who will testify as to the above?

• Requires specific opt-out mechanisms for customers

Assurances from e-Sign Vendors/IT

Page 46: E-Matters Privacy and More: What YOU Need to Know!

46

• In sum, ask for full sample of what would be generated to prove:

- To a judge, how the company is sure the

application with the misrepresentations

is in fact what the customer signed; and

- To a regulator, how you are so sure

that each and every required disclosure was in fact provided to the PI/PO

Assurances from e-Sign Vendors/IT

Page 47: E-Matters Privacy and More: What YOU Need to Know!

Telemarketing Rules Updates:Prerecorded Telemarketing

Callsand Automatic Telephone

Dialing Systems

Page 48: E-Matters Privacy and More: What YOU Need to Know!

48
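The mitigant on the framework slide ("hash each document and hash the audit trail") and the assurance above ("unaltered without detection") describe one design: a hash-chained audit trail whose entries carry the digest of each document presented or signed. The example below is added here and is not the presenters' or any vendor's code; the event names, record fields and sample session are constructed for illustration.

```python
"""Tamper-evident e-signature audit trail (constructed example).

Each document presented or signed is hashed with SHA-256; each audit entry
records that document hash plus the hash of the previous entry, so editing
a document, editing an entry, or deleting an entry is detectable by anyone
who recomputes the chain from the stored documents.
"""
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # prev_hash of the first entry: there is no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: Dict[str, Any]) -> bytes:
    # Deterministic serialization (sorted keys, fixed separators) so that
    # re-hashing an entry always reproduces the same digest.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Hash-chained log of what was presented, delivered and signed."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self.documents: Dict[str, bytes] = {}  # doc_id -> exact bytes shown to the signer

    def record(self, event: str, doc_id: str, document: bytes, actor: str, ts: str) -> Dict[str, Any]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        self.documents.setdefault(doc_id, document)
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "event": event,                    # constructed names: presented / delivered / signed
            "actor": actor,
            "doc_id": doc_id,
            "doc_hash": sha256_hex(document),  # hash of the document itself
            "prev_hash": prev,                 # links this entry to the one before it
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry


def verify(trail: AuditTrail) -> List[str]:
    """Recompute every hash; return the list of problems (empty list = intact)."""
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(trail.entries):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
        if sha256_hex(canonical(body)) != entry["entry_hash"]:
            problems.append(f"entry {i}: audit entry altered")
        doc = trail.documents.get(entry["doc_id"])
        if doc is None:
            problems.append(f"entry {i}: document {entry['doc_id']} missing")
        elif sha256_hex(doc) != entry["doc_hash"]:
            problems.append(f"entry {i}: document {entry['doc_id']} altered after the fact")
        prev = entry["entry_hash"]
    return problems


def build_sample_trail() -> AuditTrail:
    # Constructed sample session: application presented, replacement notice
    # delivered, application signed. Short byte strings stand in for real PDFs.
    t = AuditTrail()
    app = b"Life insurance application v1: Q7 pre-existing condition = NO"
    t.record("presented", "app-001", app, "agent-17", "2009-10-13T10:00:00Z")
    t.record("delivered", "notice-001", b"Replacement notice v2", "system", "2009-10-13T10:01:00Z")
    t.record("signed", "app-001", app, "customer", "2009-10-13T10:05:00Z")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify(trail))
    # The stored application is edited after signing: both entries that reference it fail.
    trail.documents["app-001"] = b"Life insurance application v1: Q7 pre-existing condition = YES"
    print("edited document:", verify(trail))
    # An audit entry is removed from a fresh trail: the chain and sequence both break.
    trail2 = build_sample_trail()
    del trail2.entries[1]
    print("deleted entry:", verify(trail2))
```

What this does not give you is proof of when the chain was written; for that the archived chain head is anchored externally (a timestamp service or a write-once store), which is the "securely archived" point on the previous slide.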

Page 47

Assurances from e-Sign Vendors/IT

• In sum, ask for full sample of what would be generated to prove:

- To a judge, how the company is sure the application with the misrepresentations is in fact what the customer signed; and

- To a regulator, how you are so sure that each and every required disclosure was in fact provided to the PI/PO

Page 48

Telemarketing Rules Updates: Prerecorded Telemarketing Calls and Automatic Telephone Dialing Systems

Page 49

FTC Telemarketing Sales Rules (TSR) Amendments

• Prerecorded Telemarketing Call Amendment (16 C.F.R. 310)

• Prerecorded = Not defined, but should mean any message not delivered by a live human voice

• Requires specific opt-out mechanisms for customers (effective December 2008)

• Requires prior written consent for placing pre-recorded calls to consumers, including those with established business relationship (effective September 2009)

• Preempts less restrictive state laws but does not preempt more restrictive state laws

• Healthcare/HIPAA exemption

Page 49: E-Matters Privacy and More: What YOU Need to Know!

49

Prerecorded TelemarketingOpt-Out Requirement Rules• Minimum 15 seconds/4 rings before disconnecting an

unanswered call

• Within 2 seconds of end of greeting, call must identify seller, state purpose is to sell, describe product/service followed immediately by: In Person answered calls- provide opt-out via IVR or

keypad usable anytime during call, which must add caller’s number to DNC list and disconnect call

Answering Machine/Voice Mail answered calls- provide toll-free phone number for opt-out that connects to opt-out via IVR or keypad, which must add caller’s number to DNC list and disconnect call

Page 50: E-Matters Privacy and More: What YOU Need to Know!

50

Prerecorded TelemarketingPrior Written Consent Rules Request for written consent must be preceded by a

“clear and conspicuous” disclosure to consumer that agreement authorizes seller to make prerecorded sales calls to consumer

Consent must be in writing and cannot be condition to buying product or service

Consent must have callee’s telephone number and signature

E-signature for consent expressly recognized by amended rule

Page 51: E-Matters Privacy and More: What YOU Need to Know!

51

Telephone Consumer Protection Act (TCPA) - Autodialers Rule

• “Automatic Telephone Dialing System” (ATDS) = equipment with capacity to (1) store or produce telephone numbers, using a random or sequential number generator, and (2) to dial such numbers

• TCPA prohibits using ATDS to cell number or other service for which called party is charged (not limited to telemarketing calls)

Page 52: E-Matters Privacy and More: What YOU Need to Know!

52

• TCPA prohibits calls using artificial or prerecorded voice to residential number except:Prior express consent of called person;Emergencies; orFCC exemption by order or rule

Telephone Consumer Protection Act (TCPA) - Autodialers Rule

Page 53: E-Matters Privacy and More: What YOU Need to Know!

53

• FCC Declaratory Ruling (December 2007, ACA International)Cell numbers provided by debtor in connection

with existing debt are made with prior express consent

Predictive Dialer is a form of Automatic Telephone Dialing System, rejecting argument that predictive dialer is not ATDS if it is used from a list of numbers which are not randomly or sequentially generated

Telephone Consumer Protection Act (TCPA) - Autodialers Rule

Page 54: E-Matters Privacy and More: What YOU Need to Know!

54

Recent Key Cases

• Satterfield v. Simon & Schuster (N.D. California 2007)Plaintiff contended that Defendant violated TCPA

when her minor son received promotional text message after she agreed to receive promotional texts when she purchased a ring tone from Nextones, an affiliated brand of the defendant.

Defendant argued no violation of TCPA as no ATDS was used and prior consent was granted.

Page 55: E-Matters Privacy and More: What YOU Need to Know!

55

• Satterfield v. Simon & Schuster (N.D. California 2007)“Yes! I would like to receive promotions from Nextones affiliates and brands. Please note, that by declining you may not be eligible for our FREE content.”

“By clicking Submit, you accept that you have read and agreed to the Terms and Conditions.” The Terms and Conditions state that Nextones and its affiliates may use a user’s mobile phone number in connection with any text message offering or other campaign.

Recent Key Cases

Page 56: E-Matters Privacy and More: What YOU Need to Know!

56

• Satterfield v. Simon & Schuster (N.D. California 2007)Court determined that there was no violation of the

TCPA because the equipment used to send text messages was not an “automatic telephone dialing system” and because Plaintiff consented to receipt of text messages.

Summary Judgment in favor of Defendant

Recent Key Cases

Page 57: E-Matters Privacy and More: What YOU Need to Know!

57

• Satterfield v. Simon & Schuster (9th Cir. 2009)Reversed grant of summary judgmentMaterial question of fact whether the dialing system

at issue had the “capacity” to store or produce randomly or sequentially generated numbers and to dial them; issue was not whether the system actually randomly or sequentially stored or produced the numbers

Text Message = a call No consent as Simon & Schuster not an affiliate of

Nextones

Recent Key Cases

Page 58: E-Matters Privacy and More: What YOU Need to Know!

58

• Leckler v. CashCall, Inc. (N.D. California 2008)Plaintiff debtor claimed in class action that

Defendant creditor violated TCPA when it contacted her cell phone using an autodialer to provide a prerecorded debt collection message.

Defendant contended that the Plaintiff had consented to being contacted via her cell phone through providing her cell phone on loan application.

Recent Key Cases

Page 59: E-Matters Privacy and More: What YOU Need to Know!

59

• Leckler v. CashCall, Inc. (N.D. California 2008)Court found that Defendant violated the TCPA

when it called Plaintiff’s cell phone using an autodialer and prerecorded messages without plaintiff’s “prior express consent.”

Plaintiff providing cell phone number during loan process was, at best, implied consent, but not express consent, rejecting FCC’s prior Declaratory Ruling and noting that the Satterfield consent sufficed.

Recent Key Cases

Page 60: E-Matters Privacy and More: What YOU Need to Know!

60

• Leckler v. CashCall, Inc. (N.D. California 2008) Court held that it had jurisdiction in a diversity action under

Class Action Fairness Act even though 9th Circuit Court has held state courts have exclusive jurisdiction over TCPA suits.

Defendant moved for appeal to 9th Circuit Court and then moved to vacate District Court’s summary judgment in favor of Plaintiff on grounds that on federal appeals courts have exclusive jurisdiction to review final FCC orders, and Plaintiff moved to amend to add new plaintiffs who did not provide cell numbers to Defendant

Court dismissed case on jurisdictional FCC order review grounds

Recent Key Cases

Page 61: E-Matters Privacy and More: What YOU Need to Know!

Privacy & Security Laws Updates:

Data Security Breach Laws

Page 62: E-Matters Privacy and More: What YOU Need to Know!

62

State Security Breach Laws Update

• 45 states now have data security breach statutes (AL, KY, MS, NM and SD do not)- wide disparity

• Massachusetts (Chapter 93H)/OCABR’s Security Breach Regulation Applies to all persons that own, license or store personal information

about a Mass resident Implement, maintain and monitor written comprehensive information

security program- more detailed standards that the vast majority of other states’ data security laws

Originally contracts with 3rd party service providers, but now relaxed to reasonable verification requirement

Originally required encryption of all personal information transmitted but now requires only encryption on wirelessly and stored on laptops or other portable devices

Compliance date extended to March 1, 2010

Page 63: E-Matters Privacy and More: What YOU Need to Know!

63

State Security Breach Laws Update

• NevadaOriginal law (NRS 597.970) effective October 1, 2008, but

replaced with revised law (NRS 603A) effective January 1, 2010

Mandates encryption of electronic transmission of personal information (same as NV security breach law) by “a business in NV.”

New law codifies encryption based on Payment Card Industry Data Security Standard for persons that accept credit card payments and for all other persons requires encryption using technology adopted by standards setting body, including National Institute of Standards & Technology

Page 64: E-Matters Privacy and More: What YOU Need to Know!

64

HIPAA Security Breach Notification Regulations

• The American Recovery and Reinvestment Act of 2009• Health Information Technology for Economic and Clinical

Health (HITECH) Act Stimulus package included funds to increase use of Electronic Health

Records (EHRs)

• HITECH Act contained significant changes to HIPAA laws and rules many of which will significantly impact Business Associates (BA) and their relationships with Covered Entities (CE)

• Key element of which is notice obligations of CEs and BAs for security breach of unsecured protected health information

Page 65: E-Matters Privacy and More: What YOU Need to Know!

65

HIPAA Security Breach Notification Regulations

• CEs and their BAs must provide certain notification in the event of a breach of protected health information (PHI).– “Breach” – The acquisition, access, use or disclosure of

unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.

• Interim Final Rule published August 24, 2009 and is effective September 23, 2009 enforcement is delayed until February 22, 2010

Page 66: E-Matters Privacy and More: What YOU Need to Know!

66

What is a Breach?Step 1: Secured vs. Unsecured PHI• Does the potential “breach” involve unsecured

PHI?– PHI is individually identifiable health information

that is transmitted or maintained in any form or medium, including electronic information.

– PHI is unsecured if it is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of specified technology or methodology.

– The methodologies have been designated in guidance from DHHS

Page 67: E-Matters Privacy and More: What YOU Need to Know!

67

What is a Breach?Step 2: Privacy Rule Violation Occurrence• Has there been an impermissible use or disclosure?

Must determine whether the alleged “breach” violates the Privacy Rule.

Violation must involve the use or disclosure of PHI.A violation of an administrative requirement would not

constitute a breach.e.g., inadequate policies or training unless it results

in a use or disclosure of PHI in violation of the Privacy Rule

A violation of the security rule would not suffice unless it resulted in an impermissible use or disclosure of PHI.

Page 68: E-Matters Privacy and More: What YOU Need to Know!

68

What is a Breach?Step 3: Risk Assessment• Does the potential “breach” result in a

significant risk to the subject individual?

Conduct a fact-specific risk assessment• Consider who used the PHI and to whom it was disclosed• Was the potential breach mitigated?• Was the PHI returned prior to being improperly accessed?• What is the type and amount of PHI involved? Can it reasonably

cause financial, reputational or other harm?

CE or BA has the burden of proof in demonstrating that no breach has occurred

Strong documentation of the risk assessment is best defense

Page 69: E-Matters Privacy and More: What YOU Need to Know!

69

What is a Breach?Step 4: Exceptions• Unintentional acquisition, access or use of PHI by a

workforce member or person acting under the authority of a CE or BA

• Inadvertent disclosure by a person who is authorized to access PHI at the CE or BA to another person authorized to access PHI at same CE, BA or organized health care arrangement

• Disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

• CE and BA have the burden of proof for showing why breach notification was not required.

Page 70: E-Matters Privacy and More: What YOU Need to Know!

70

Summary of Covered Entity’s Notification Obligations• Individual notification by first class mail required

(unless individual has consented to electronic notice)

• Substitute notice required if contact info is out of date. For 10 or more, must either post on website for 90 days or post notice in major print or broadcast media for 90 days

• Media notification required for breach involving 500 or more residents of a state or jurisdiction

Page 71: E-Matters Privacy and More: What YOU Need to Know!

71

Summary of Covered Entity’s Notification Obligations• Must notify DHHS

• If more than 500 people involved, then notify at time• If less, then file log on annual basis

Page 72: E-Matters Privacy and More: What YOU Need to Know!

72

Summary of Business Associate’s Notification Obligations• Notify applicable CE without unreasonably delay and in no

case later than 60 calendar days after discovery of breach. • Time period for breach notification begins when incident is first

known, not when investigation of incident is complete, even if it is initially unclear whether the incident constitutes a breach.

• Multiple CEs – BA should notify only the CE to which the breached information relates. If the breach involves unsecured PHI of multiple CEs and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected CEs.

• Individuals should not receive notifications from both CE and the BA about the same breach.

Page 73: E-Matters Privacy and More: What YOU Need to Know!

73

For further information/materials or to be added to our e-Matters email alert, please send your request

to [email protected]

Questions? Answers!

Brian T. [email protected]

Patrick J. [email protected]

ATL Doc# 381372_3