E-Commerce Law Week, Issue 555
May 2, 2009

HHS Guidance Could Set Encryption Standard
New Department of Health and Human Services guidance on "render[ing] protected health information unusable, unreadable, or indecipherable to unauthorized individuals" could help establish a national standard for the use of encryption to protect sensitive information. As we previously reported, the guidance applies to two sets of notification requirements for breaches of electronic health records that were created by the American Recovery and Reinvestment Act of 2009. One set is administered by HHS (for entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, and their business associates), while the other is administered by the Federal Trade Commission (for non-HIPAA entities). But both sets state that covered entities will not be required to notify individuals if the breached information was secured using "technologies and methodologies" specified in the HHS guidance. This guidance sets forth two approved methods of security -- encryption and destruction. This is in line with breach notification laws already in force in many states, which often provide safe harbor if the information that has been accessed has been encrypted or otherwise rendered unreadable. However, the HHS guidance goes further by limiting the encryption methods that may be used to claim safe harbor to specified "encryption processes" that have been tested and approved by the National Institute of Standards and Technology.
UK Proposal Would Expand Data Retention Requirements for Communications Providers
The UK Home Office has presented a proposal to Parliament that would require UK-based communications providers to collect and store information beyond what they are required to retain under the EU Data Retention Directive -- including "third party data" that crosses their networks, "additional types of communications data about their own services," and "additional technical information" such as "routing of [I]nternet communications services and/or domain name allocations." The proposal defines "third party data" as data that is "relat[ed] to [I]nternet-based services and communications services provided from outside the UK," but does not elaborate on what additional communications data might need to be retained. In line with the UK transposition of the Data Retention Directive, these additional forms of data would generally have to be held for no longer than 12 months. Communications providers would also be required to "organise" data retained under the proposal by "matching third party data to their own data where it ha[s] features in common." While the Home Office acknowledged that its proposals would "put additional demands on industry," it also stressed that it was "actively seeking the views of industry on [the] proposals."
FTC Delays Enforcement of "Red Flag" Rule for Three More Months
The Federal Trade Commission announced last week that it will defer until August 1, 2009, enforcement of its final rule concerning identity theft "red flags." This is the second time that the FTC has delayed enforcement of the rule; the first reprieve was issued last October and suspended enforcement until May 1, 2009. The FTC stressed that its announcement would not affect other agencies’ enforcement of the original November 1, 2008, deadline for compliance with the rule. The Commission also announced that it is developing a "template Red Flags program" that will allow covered entities to prepare their programs "without undue burden."
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.