When Congress enacted HIPAA and its Privacy Rule in the mid-1990s, it was a big deal. Healthcare providers surely protected patient privacy in the pre-HIPAA days, but the federal statute gave them a standard set of rules with which to comply and a uniform referent against which to gauge their privacy practices. All told, HIPAA’s
If you represented a large corporation or a wealthy individual, wouldn’t you want to know if your prospective jurors were campaigning for Bernie Sanders on Facebook? Or how about criminal prosecutors who might want to know if members of their jury panel had posted strong feelings on police conduct? If you were adverse to a drug or medical device company, maybe you would want to know if a prospective juror wrote for the Drug and Device Law Blog (although we can guarantee that you will find no more thoughtful and impartial jurors than the seven individuals who make up the collective “we”).
Millions of potential jurors make information like this (and much more) publicly available on the Internet through social media or otherwise, and what trial advocate would not want to uncover it? We got to thinking about this topic a few months ago when we read a unique order that came out of the Northern District of California in Oracle America, Inc. v. Google Inc., ___ F. Supp.3d ___, 2016 WL 1252794 (N.D. Cal. Mar. 25, 2016). The district judge in Oracle v. Google asked the parties in a high-stakes copyright action to abstain voluntarily from searching the jury panel’s social media. If the parties would not agree to a complete ban, then the court would impose specific limitations.
We’ll get to the details in a minute. But first, we set out to see if there are any rules that govern searching jurors’ social media (with research assistance from Reed Smith attorney David Chang). It turns out there are, mainly within the rules of ethics and professional conduct. The first rules obviously are our duties of competence and diligence. They are among the first duties listed under the ABA’s Model Rules and probably the rules governing lawyers in most every state. See Model Rules of Professional Conduct, Rules 1.1, 1.3. If there is publicly available information that would help us identify jurors with potential biases, a competent and diligent trial advocate needs to consider gaining access to it.
There are, however, countervailing considerations. On April 14, 2014, the ABA’s Standing Committee on Ethics and Professional Responsibility published “Formal Opinion 466, Lawyer Reviewing Jurors’ Internet Presence.” The ABA committee’s opinion came on the heels of an opinion from the Association of the Bar of the City of New York—“Formal Opinion 2012-2, Jury Research and Social Media.” These are not the only publications on the topic, but they were at the cutting edge, and they cover the major considerations.
We have been meaning for a while to write about LabMD’s epic data privacy fight against the FTC. We’re sure you have read about the action, and particularly about the administrative order dismissing the government’s Administrative Complaint in November 2015. The noteworthy part of the order is its holding that the government has to prove actual injury to consumers, not merely a theoretical “risk” of future harm, in data privacy enforcement actions. We like the sound of that. It reminds us of the old days of medical monitoring class actions, otherwise known as “money for nothing,” where uninjured plaintiffs would claim compensation for future medical surveillance, even though they had never experienced any actual complication. We don’t see those much anymore, but a similar battle has gone on in the context of data privacy. The vast majority of data security breaches result in no tangible harm to anyone, but plaintiffs still sue, and they still want money for the theoretical risk that someone, someday might use their private information to cause them harm—fraud, identity theft, and the
But back to LabMD. The FTC has gone after many companies for allegedly lax data security practices, and in almost every case, the target comes to a negotiated resolution, usually involving a fine and a consent decree requiring certain measures to better protect private information. What makes LabMD different is that, once it found itself in the FTC’s crosshairs, it fought back. That decision was bad for business—the company announced in 2014 that the government’s action essentially closed it down—but it resulted in a complete win at the administrative level and a landmark order pinning back the government’s ears. The action has been going on for years, but here is what you really need to know:
Why do we care? The issue is data privacy and security, and the drug and device industry holds reams of private information—employee data, customer data, consumer data, patient data, etc. The FTC remains the biggest bully in the schoolyard when it comes to data privacy, and the LabMD order is a landmark in delimiting the FTC’s usually unchallenged regulatory prerogative.
Dick Cheney famously disclosed a few years ago that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might fiddle with the device remotely and do him harm. We at the Drug and Device Law Blog can’t help but wonder whether the Veep placed himself ahead of or behind the risk-benefit curve. Sure, he mitigated the risk that some malicious and very clever hacker would successfully target him. But he also disabled an important feature of a device that was intended to protect and extend his life.
Was he better or worse off? We don’t know. We do know that when we first learned about wirelessly connected implanted medical devices, we were amazed by technology that appeared straight out of Star Trek. You know, like when Bones would treat some befallen Enterprise crew member in a color-coded T-shirt by waving a handheld device over his or her clothed skin. That’s how we pictured connected devices like cardiac defibrillators—capable of transmitting telemetry, issuing warnings, accepting software upgrades, taking commands, and otherwise treating human frailty—remotely and without the need for any invasive procedure.
The potential benefits to health are tremendous, and wireless connectivity is now common in numerous types of medical devices, implanted and not. But what about the potential risks? We are told that Cheney’s paranoia became the basis for an episode of Homeland, a show we have never seen, but that apparently involved a fictional Vice President harmed by pacemaker hackers with malice aforethought. (Although we have never watched Homeland, we have seen every episode of Veep, which stars Julia Louis-Dreyfus as a different fictional Vice President (and later President) and is wickedly funny, but so profane that our mother-in-law elected to leave the room rather than watch it. But we digress).
We expanded our practice into data privacy and security out of practical necessity. Expectations surrounding privacy of personal information are evolving, and the laws that regulate data privacy change every day, generally to expand protection for private information. Another thing that has changed is that we used to say that drug companies and medical device…
Data privacy is a hot topic. We regularly speak on data privacy at Reed Smith’s annual California continuing legal education day, and it takes hours to prepare because the landscape changes so rapidly. The law changes day by day, both legislatively and in our courts, and entire emerging industries (e.g., the “apps” industry) are organized around the collection and monetization of personal information disclosing what we do, when we do it, for how long, and where we are located. The very definition of “privacy” is now robustly debated, which is a significant change from the days when everyone knew that “private” information meant name, date of birth, social security number, account numbers, or some combination thereof. Today if you asked 25 privacy professionals to define “private” information, you might get 25 answers, and some would say “everything.”
When we expanded our drug and medical device practice into the data privacy realm a few years ago (along with the co-author of this post, Reed Smith’s Joshua Marker, an outstanding privacy lawyer and active blogger in his own right), we found that the healthcare industry was, for the most part, ahead of the game because the rules were relatively clear. Everyone agreed that personal health information was private, and there was HIPAA, the ubiquitous federal law that has regulated the security and privacy of personal health information since enacted in 1996. Drug and medical device companies typically are not HIPAA-covered entities, but they often have possession of personal health information in connection with patients who use their products, and our experience is that our clients and the lawyers who represent them take patient privacy very seriously.
One thing that has not changed is that there is no private right of action under HIPAA. That does not mean, of course, that plaintiffs have not tried to sue over breaches of security involving their private information. A handful of cases have permitted state law claims supported in part by alleged HIPAA violations, pleaded as claims like “negligence per se.” And there are numerous state laws regulating medical information that have garnered more attention as data privacy has become front-page news.