Blog

  • Esteban Rubio Blog Post

    INFORMATION PRIVACY LAW BLOG POST

    Professor Ira Rubinstein

    Esteban Rubio

    February 28, 2017

    The Secret Pooper Aftermath

    There has not been a more significant case for genetic information privacy than Lowe v. Atlas Logistics Group Retail Services, 102 F.Supp.3d 1360 (GA, 2015). Although it was decided in 2015, it has significant importance as the first case to go to trial and obtain a favorable decision after being rejected by the Equal Employment Opportunity Commission (EEOC).

    Atlas Logistics involved a company that sought DNA tests of its employees to obtain information and identify a “pooper” who routinely used the company’s facilities to leave feces. The company requested petitioners to submit to cheek swabs in 2012 to analyze them for genetic comparison with the stool samples. After the testing, Lowe and Reynolds sued the company under the Genetic Information Nondiscrimination Act (GINA), considering that the use of their genetic information was unlawful.

    Atlas argued that GINA was not applicable because they were not seeking medical information of employers but rather trying to find the “mystery pooper”. However, the Court sided with petitioners by stating that the clear language of GINA made it unlawful for employers to request, require, or purchase genetic information with respect to an employee, and more so to do so for dismissing people.

    In today’s world in which genetic information is easily accessible and obtainable and where employers seek – and do obtain – information from every possible source, having a restraint on employees is more relevant than ever.

    Atlas Logistics set an example both for companies and the EEOC. The EEOC saw its decision challenged and required to reinterpret its view about genetic information; companies looked at an example of high monetary cost – which in Atlas were of 2.25 million in damages.

    The EEOC is still actively enforcing GINA because companies still try to obtain genetic information – but using deceiving mechanisms. Such was the case in a recent 2016 settlement between BNV Home Care Agency and the EEOC, EEOC v. BNV Home Care Agency, Inc., Case No. 1:14-cv-05441-JBW-RML.

    According to the EEOC, BNV engaged in the unlawful practice of collecting employees’ and applicants’ genetic information by asking them questions about their family medical history on an employee health assessment form. Such a request was considered illegal because you cannot obtain impermissible genetic information using health assessment forms and requesting family information.

    “Forcing employees and applicants to provide genetic information in order to maintain or obtain their jobs is clearly against federal law, and EEOC will continue to combat this form of discrimination,” EEOC Acting New York District Director Judy Keenan said in a statement regarding this settlement.

    For more information:

    https://www.theatlantic.com/technology/archive/2015/08/the-case-of-the-mystery-pooper-dna-privacy/400355/

    http://www.nature.com/news/why-the-devious-defecator-case-is-a-landmark-for-us-genetic-privacy-law-1.17857

    https://www.eeoc.gov/eeoc/newsroom/release/11-1-16a.cfm

  • Sarah Benowich Blog Post

    Sarah Benowich

    Information Privacy Law

    Professor Ira Rubinstein

    February 24, 2017

    Norma McCorvey, the anonymous plaintiff in the landmark case Roe v. Wade, died on February 18, 2017, bringing renewed attention to the case that established that the constitutional right to privacy extends to a woman’s right to an abortion, and continued a long line of jurisprudence shaping a woman’s constitutional right to privacy and abortion.

    Although by the end of her life she actively opposed abortion, McCorvey will always be connected with the monumental decision of Roe v. Wade, 410 U.S. 113 (1973). Before becoming the plaintiff in Roe, then 22-year-old McCorvey had already suffered through sexual abuse, homelessness, and bouts of suicidal depression. Her case arose when she sought to terminate her third pregnancy by abortion, which in Texas was restricted only to instances in which abortion was necessary to save the life of the mother.

    Ultimately, a 7-2 majority of the Court held that the constitutional right to privacy inherent in the 14th Amendment to the United States Constitution guarantees a woman’s right to an abortion, particularly within the first trimester of the pregnancy. See also Griswold v. Connecticut, 381 U.S. 479 (1965). While Roe established this right for women, it was also very focused on doctors’ own autonomy and privacy rights under the fundamental rights approach that had been developing. See Skinner v. Oklahoma, 316 U.S. 535 (1942). The case also defined varying levels of state interest for regulating abortions for the second and third trimesters.

    This test was later changed in Planned Parenthood v. Casey, where a plurality of the Court upheld the central tenets of Roe, but held that the appropriate standard was whether a particular statute or regulation imposes an undue burden on a woman seeking an abortion of a nonviable fetus. 505 U.S. 833. In Casey, the only provision that the Court struck as unconstitutional was one requiring women seeking abortions to inform their husbands, focusing on the possibility for abuse and emphasizing the social utility in promoting and protecting inter-spousal communications. Justice Scalia’s dissent in Casey is of renewed relevance as Judge Neil Gorsuch of the 10th Circuit undergoes confirmation hearings to be a Supreme Court justice and lawmakers seek insight into his views on privacy and abortion. Gorsuch, many argue, is an ideological peer of Justice Scalia, who, in Casey, wrote that there is no constitutional right to abortion because it is not in the Constitution and states have a long history of restricting access to abortion.

    This constitutional right to privacy was limited in 2003 with the passage of the Partial-Birth Abortion Act, which Gonzales, a late-term abortion provider who had been the target of arson and other violence, challenged in Gonzales v. Carhart, 550 U.S. 124 (2007). Writing for a 5-4 majority, Justice Kennedy upheld the provision – a significant narrowing of Roe – finding that because the law only restricted one type of popular abortion technique, it did not impose an undue burden.

    Most recently, however, the Court rejected Texas HB2 as imposing an undue burden on women in Whole Woman’s Health v. Hellerstedt, 136 S.Ct. 2292 (2016). In Whole Woman’s Health, clinicians, on behalf of themselves and their patients, challenged HB2, alleging that the two main requirements – that clinics providing abortions have admitting privileges at hospitals within 30 miles of the clinic and maintain the standards of an ambulatory surgical center – imposed an undue burden on women seeking abortions, while proponents of the bill argued that HB2 attempted to protect women’s health. The Court, finding that these requirements were medically unnecessary and would have dramatically reduced the number of clinics available, found that HB2 imposed an undue burden on women seeking to exercise their right to abortion as protected by the constitutional right to privacy.

    In the absence of federal guidelines or laws, there is great variation among the states with respect to abortion and women’s privacy laws. A recent challenge against an Alaska law effectively banning outpatient health centers from providing second-trimester abortions builds on the jurisprudence of a woman’s right to privacy protecting her ability to seek and obtain an abortion free from undue burdens. Of course, the privacy implications of a woman’s choice to seek or obtain an abortion involve some of the most intimate and sensitive areas in life: medical decisions, sexual activity, religious beliefs and ideological leanings. With the recent death of Norma McCorvey and the impending confirmation hearings for Judge Gorsuch, the discussion of a woman’s right to privacy and abortion remains ever-relevant.

    Sources:

    https://www.nytimes.com/2017/02/06/us/politics/reading-between-the-lines-for-gorsuchs-views-on-abortion.html

    https://www.nytimes.com/2017/02/18/obituaries/norma-mccorvey-dead-roe-v-wade.html

    https://www.adn.com/politics/2017/02/21/the-alaska-medical-board-normally-licenses-doctors-but-now-its-in-the-court-fight-over-abortion/

    https://www.aclu.org/legal-document/ak-complaint-declaratory-or-injunctive-relief

  • Phillip Brown Blog Post

    Phillip Brown

    Information Privacy Law

    Professor Rubinstein

    February 22, 2017

    Presidential Candidates, Their Health and the Law

    There is no requirement that Presidential hopefuls disclose their health records or any health information to the public. Interest in the health of candidates, however, is a given today. In the recent Presidential election, public debate over candidate health took center stage repeatedly. Secretary Clinton, for example, disclosed that she had been diagnosed with and treated for pneumonia after becoming dehydrated and leaving a September 11th memorial ceremony early.

    President Trump, in a more comical instance of public health ‘disclosure’, had released a statement from his longtime physician rife with hyperbole and offering no real assessment of his health status.

    Despite widespread belief that a candidate’s health is an important factor in their ability to lead (a 2004 Gallup poll found that 96% of Americans consider a President’s health very or somewhat important to their ability to be a good President), there appears to be little protection for those who would disclose a candidate’s health information or who would induce such a disclosure without the candidate’s authorization.

    The First Amendment may well protect the ‘innocent’ publishing of health records obtained from an anonymous source–as Parth Baxi noted on this blog several weeks ago in the context of the New York Times’ unauthorized publishing of information gleaned from President Trump’s tax documents, “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.” Bartnicki v. Vopper, 532 U.S. 514 (2001).

    Of course, whether the public’s concern should be taken seriously would seemingly have an impact, especially in the province of health information. While a candidate’s struggle with certain disorders (such as dementia, Alzheimer’s, etc.) is unquestionably of legitimate public concern, it is difficult to imagine what significance a candidate’s procedure to obtain hair plugs, for example, would have on their ability to perform the duties of their office.

    Regardless of the public interest served by unauthorized disclosures of a candidate’s health, in addition to any violation of HIPAA by a healthcare provider or their business associates for improper disclosure, the breach of contract tort would almost certainly impose liability on any physician or similar healthcare provider who had entered an implied contract of confidentiality with the candidate in question, as well as any who would induce violations of that confidence through third party liability.

    As was seen with the unauthorized disclosure of then-candidate Trump’s tax documents, there is a very real chance a candidate’s private information that has perceived public importance in an upcoming election will not remain private. This raises the question not only of how our current laws will treat healthcare-related ‘whistleblowers’, but how our laws should treat the persons responsible for such intrusions into a candidate’s privacy.

    Sources:

    http://time.com/4472265/clinton-trump-health-reports-history/

    http://www.nytimes.com/roomfordebate/2016/09/15/what-do-we-need-to-know-about-candidates-health/releasing-candidates-health-records-is-campaign-spin-and-distortion

    http://www.latimes.com/nation/la-na-presidential-health-disclosure-20160912-snap-story.html

    2004 Gallup Poll:

    http://www.gallup.com/poll/13558/fit-office-presidential-health-public-matter.aspx

  • Melissa Marrero Blog Post

    Melissa Marrero

    Information Privacy Law

    Professor Ira Rubinstein

    February 22, 2017

    In February 2015 one of the largest data breaches in American history took place in the database of Anthem, a health insurance company considered a ‘covered entity’ under the Health Insurance Portability and Accountability Act (HIPAA). In this breach hackers gained access to circa 80 million records of current and former customers and employees at Anthem. The information accessed included names, Social Security numbers, birthdays, addresses and employment information.

    More than a year after, in November 2016, hackers compromised the personal health information (PHI) of 34,000 people through a mobile health app developed by Quest Diagnostics. Quest is a medical laboratory company that developed an application through which its patients could access their lab results and other personal information.

    Health data breaches are very common nowadays and the odds of them happening more often increase as we switch from paper records to electronic databases. The apparent issue in this set of data breaches is how covered entities are storing the patient’s data. In “The Health Data Conundrum”, Kathryn Haun and Eric Topol criticize how there are no major regulations or guidelines for covered entities on the storage of PHI. The issue Haun and Topol spotted is that these entities store the information in a centralized database and that they don’t usually encrypt the information. This makes breaches easier for hackers as they only have to access the database once to gain access to all the information in it.

    Moreover, it is very hard to prosecute hackers as most of them commit the breaches from outside the United States of America. Consequently, when companies like Anthem and Quest suffer one of these attacks, they would rather just offer the victims identity repair services than go after the hackers.

    As a solution to the storage problem Haun and Topol suggest the disaggregation of the medical data. Instead of storing it in centralized databases they propose individual encrypted databases divided in families, for example. This would make it harder for hackers to gain access to all the information possessed by these companies, and it would also make it easier for patients to manage their own information and share it with whomever they like.

    Sources:

    https://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html

    https://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html

    https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html

  • Adriana Acuña Blog Post

    Adriana Acuña
    Information Privacy Law
    Professor: Ira Rubinstein
    February 21st, 2017
    Major HIPAA settlement of $5.5 million

    On February 16th, 2017, Memorial Healthcare Systems, a Florida-based company, and the Department of Health and Human Services’ Office for Civil Rights (“OCR”), reached a settlement in light of probable Health Insurance Portability and Accountability Act (“HIPAA” or the “Act”) violations. As part of the settlement, Memorial Healthcare Systems has agreed to pay $5.5 million and to implement a corrective action plan.

    This case originated in 2012, when the company discovered a breach regarding their patients’ electronic Protected Health Information (“ePHI”). Specifically, it involved employees who inappropriately accessed such information in order to gain some money by filing phony tax returns. The modus operandi of the employees was to use a legitimate login credential to access the information. As soon as Memorial Healthcare Systems knew of this, the company proceeded to make the proper report to OCR.

    It was established that a total of 115,143 patients’ information was accessed, including names, birthdates and Social Security numbers. Although Memorial Healthcare Systems indeed had procedures to secure the access of ePHI, the company did not comply with further procedures to review, modify and terminate users’ access rights to ePHI, especially in those cases where authorization was no longer granted.

    Kerting Baldwin, a Memorial Healthcare Systems’ spokeswoman, asserted that the company has made several changes in their internal procedures to secure the access of ePHI. As part of these efforts, the company also contracted with an independent technology firm and with IBM, in order to implement a better system to ultimately safeguard the patients’ confidential information.

    This is just one of multiple settlement cases where a breach of ePHI is involved. It is clear that Memorial Healthcare Systems initially had good intentions in securing ePHI’s access. However, simple good intentions with general protective measures are not enough. In this technological era, covered entities (as defined by HIPAA) have to follow all provisions of the Act in order to avoid any potential liability.

    Furthermore, covered entities should go one step further and adopt, what I call, a “prevention system”, instead of a “remedial system”. This means that covered entities should not wait until there is a HIPAA violation to act and implement corrective actions, in other words, just to seek a remedy for the wrong that already occurred. Covered entities should instead seek to implement all measures possible in advance to safeguard the patients’ information and prevent any breach. It is true that there might be several obstacles to implement a prevention system, such as how to ensure the control over the employees.

    However, I believe this could be addressed by the agency theory, where a fiduciary duty is owed. In sum, covered entities should use all best efforts to provide procedures that secure patients’ information. This ultimately will not only benefit the patients, but also the covered entities, as they might avoid severe financial penalties.

    Links:
    [1] http://www.hipaajournal.com/ocr-record-hipaa-settlement-memorial-healthcare-system-8695/
    [2] https://www.nytimes.com/aponline/2017/02/18/us/ap-us-stolen-patient-information.html
    [3] http://www.sun-sentinel.com/local/broward/fl-reg-memorial-hippa-settlement-20170217-story.html

  • You Jin Shin Blog Post

    You Jin Shin

    Information Privacy Law

    Professor Ira Rubinstein

    February 17, 2017

    In January 2017, the U.S. Department of Health and Human Services (HHS) settled an enforcement action for “failure to timely report the breach of unsecured protected health information (PHI)”. Considering the HIPAA Breach Notification Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009, it is notable that this rule was enforced for the first time in 2017. This seems to suggest HHS is taking an increasingly strong stance on enforcement against privacy breaches.

    Under the notification requirement, individual notifications must be provided no later than “60 days following the discovery of a breach.” The notification requires the covered entity to provide affected individuals with instructions on how they can protect themselves, providing for quick protection measures. If notified early enough, protection measures may be taken before the stolen data is misused. Furthermore, by ensuring information exchange between HHS and entities in the event of a breach, this rule may help HHS identify trends and changing ways of data privacy breaches more efficiently. It also ensures that companies are held accountable, and that they do not sit on their breaches for a long time.

    There is also a deterrence factor – if the 60-day requirement is enforced strictly, it is likely that groups considering their options after their discovery of the breach may be encouraged to report because they would have increased “counts” of liability if they pass the 60-day timeline.

    On the other hand, it does not appear that there is an additional penalty imposed on the breach of the notification requirement – Presence Health Network settled by paying $465,000 and implementing a corrective action plan. Hence it is unclear if this rule actually has any bite.

    http://www.lexology.com/library/detail.aspx?g=04469d35-f155-4c94-8d02-3619909b867d

    https://www.hhs.gov/hipaa/for-professionals/breach-notification/

  • Evan Hall Blog Post

    Evan Hall

    Information Privacy Law

    Professor Rubinstein

    February 16, 2017

    Among the questions arising from National Security Adviser Michael Flynn’s resignation this Monday, some are wondering whether the U.S. intelligence officials who recorded Flynn’s phone conversation with the Russian ambassador acted lawfully.  A recent Wall Street Journal editorial states that “U.S. intelligence services routinely get orders from the Foreign Intelligence Surveillance Court to monitor foreign officials. But under U.S. law, when they get those orders they are supposed to use ‘minimization’ procedures that don’t let them listen to the communications of Americans who may be caught in such eavesdropping. That is, they are supposed to protect the identity and speech of innocent Americans.”  On the other hand, by virtue of his position, the Russian ambassador is an “agent of a foreign power,” and is therefore a valid target for wiretapping under FISA.

    The minimization procedures required of such wiretaps are only required to the extent “consistent with the need for the United States to obtain, produce, and disseminate foreign intelligence information.”  Substitutions are sometimes required when the name of a U.S. person is mentioned in the recording, but these substitutions are not required when that person’s name is necessary to understanding the intelligence significance of the information in question.  In short, Flynn’s involvement is largely what makes the phone conversation foreign intelligence information.  FISA legislative history supports this conclusion by way of analogy:

    One example [of a situation in which a U.S. person’s name could be disseminated in an intelligence report] would be the identity of a person who is the incumbent of an office of the executive branch of the U.S. Government having significant responsibility for the conduct of U.S. defense or foreign policy, such as the Secretary of State or the State Department country desk officer. The identifiers of such persons would frequently satisfy the “necessary to understand” requirement, especially when such person is referred to in the communications of foreign officials.

    At the time of the phone conversation, Flynn was not the incumbent, but this seems an insufficient difference to justify reaching a different conclusion in determining whether wiretapping Flynn was proper.

    Sources:

    https://www.lawfareblog.com/treatment-flynns-phone-calls-complies-fisa-minimization-procedures

    https://www.wsj.com/articles/eavesdropping-on-michael-flynn-1487031552

    https://www.nytimes.com/2017/02/13/us/politics/donald-trump-national-security-adviser-michael-flynn.html

  • Mathilde Hallé Post

    Mathilde Hallé

    Privacy Law

    Professor Rubinstein

    February 16, 2017

    The Hack in Quest Diagnostics’ Health Data App and The Issue of Patient Privacy Online

    Last November, Quest Diagnostics — a medical laboratory based in New Jersey — suffered a major hack through a mobile health app called “MyQuest by Care360”. According to the company, an “unauthorized third party” accessed the patient information of about 34,000 individuals, including their names, dates of birth, telephone numbers, and lab results. In response, Quest Diagnostics notified all affected patients and law enforcement authorities. The company also declared the investigation on the hack was still going on, and that it had taken security steps to address the vulnerability of the app in the future.

    Attacks on patient databases have increased dramatically over recent years, both in terms of number and in terms of scale. In 2016 alone, hundreds of breaches involving millions of health records were reported to the Department of Health and Human Services. In some cases, the attacks affected a significant portion of the U.S. population. For instance, the hacking of two major health insurers affected over 90 million Americans last year. Several hospitals and health care systems have even been held for ransom by hackers.

    While the sensitivity of health data may seem obvious for each concerned individual, its value for cybercriminals is also substantial. In the case of the Quest Diagnostics attack, no misuse of the stolen data has been reported so far. Nevertheless, stolen health data are valuable: they can notably enable cybercriminals to fraudulently bill insurance companies for the purchase of medical equipment or drugs, which can further be resold on black markets.

    Health data is also valuable for hackers for an extrinsic reason, namely the relatively low security standards in place that often make hacking feasible. Usually, health records are stored by service providers in huge central databases and are not encrypted. And with the proliferation of social media platforms, wearable devices and other healthcare applications, the number of such health-related databases has increased significantly. As a result, the opportunities for hackers have exploded.

    Considering the increase in the potential threats to patients’ privacy and the actual number of attacks, many have called for greater regulatory protection for health information processing, including when the information is processed by entities that are not already covered by the HIPAA rules. Some have called for an extension of the scope of the notion of health data, to cover all health-related data, such as information collected by wearable devices or healthcare apps, but also anonymized data when re-identification remains possible. In terms of security, some consider that all entities processing health-related information should be required to encrypt all sensitive data, but also to disaggregate patient or consumer records in separate units. These units could take the form of digital wallets for each patient. This restructuring of health databases would reportedly allow more control by patients on their own medical data, including to consent to its further use by outside organizations for purposes unrelated to patient care (e.g., data analytics, advertising).

    Sources:

    https://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html

    https://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html

    http://healthitsecurity.com/news/focusing-on-patient-data-privacy-in-health-data-exchange

  • Ally Hofman-Bang Post

    Ally Hofman-Bang

    Privacy Law

    Professor Rubinstein

    February 16, 2017

    Health information privacy concerns: when data from a pacemaker leads to arrest

    Mr. Compton, a 59-year-old man from Ohio, was charged with arson and insurance fraud, based on information police obtained from his pacemaker. This case raises privacy concerns around medical devices, their data, and the use thereof.

    In September 2016, Mr. Compton’s house caught on fire. After discovering the fire, Mr. Compton packed items in suitcases (clothes, computer, charger to the pacemaker), broke one of his windows, threw the suitcases out and eventually jumped out himself. Mr. Compton alleged that he then placed the suitcases in his car and escaped the burning house.

    During the investigation, the police obtained a search warrant for the data from Mr. Compton’s pacemaker. The cardiologist analysing the medical data concluded “it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.” As a result of the investigation, Compton has been arrested and charged with arson and insurance fraud.

    The pacemaker data is likely protected health information (PHI) under The Health Insurance Portability and Accountability Act (HIPAA) because the data is “received by a health care provider” and “relates to the past, present or future physical or mental health or condition of any individual” (45 C.F.R. § 160.103). Also, HIPAA requires that the information is “individually identifiable health information” which is of no issue here since the data identifies Mr. Compton personally. Generally, in order for a health care provider to lawfully disclose PHI, the individual must authorize such disclosure in a written and signed instrument. However, there are exceptions to the authorization, if the disclosures are made “for a law enforcement purpose to a law enforcement officer” in compliance with a court order (45 C.F.R. § 164.512(f)).

    In this case, as discussed above, there seems to be no direct statutory violation against the care provider (Mr. Compton’s hospital) disclosing the pacemaker data to the police. Here, the police had a valid search warrant and the information was indeed relevant for the investigation. However, arguably, the revealed pacemaker data raises concerns about what kind of data is covered by HIPAA. Considering “traditional” PHI under HIPAA, the vast majority concerns medical records such as journals that describe the health status of the patient. With today’s technology, as seen in this case, information can be as detailed as what pulse a person had at an exact given time. This information is far more intimate than a report of your general health status. Despite PHI being defined as “present” information, one might argue that “present” information should not include real time information such as a person’s pulse.

    The issue with real time information is that the information is no longer only health information, it can also work as a surveillance and monitoring tool—which again raises clear privacy concerns. As technology evolves and changes the information landscape, the privacy protection of health information must adjust simultaneously. Therefore, Mr. Compton’s case is likely not the last we will see regarding this intricate privacy concern.

  • Parth Baxi Post

    Parth Baxi

    Information Privacy

    Professor Rubinstein

    February 14, 2017

    “Did Publication of Donald Trump’s Tax Return Information Violate the Law?”

    http://www.abajournal.com/news/article/did_publication_of_donald_trumps_tax_return_information_violate_the_law/

    In September of 2016 during a visit to Harvard, The New York Times executive editor, Dean Baquet, said that he would risk jail time to publish Donald Trump’s tax returns.  On October 1, 2016, he did just that when The New York Times published excerpts of Trump’s 1995 tax records which showed that he had claimed losses of $916 million that year.  At that time there was speculation whether The New York Times violated federal law by doing so.  The federal law in question, 26 U.S.C. § 7213(a)(3), states that “it shall be unlawful for any person to whom any return or return information…is disclosed in a manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information.”  There are corresponding New York and New Jersey laws as well (states where the tax return documents were from).

    However, if any such lawsuit were to be pursued by Trump, it seems that The New York Times would be protected by the First Amendment as long as they did not illegally participate in accessing Trump’s tax documents.  According to the New York Times, they received the papers anonymously without any coercion.  In Bartnicki v. Vopper, Justice Stevens wrote that “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.”  Privacy should give way when balanced against the public interest in publishing matters of public importance.

    There are clear and obvious exceptions to the First Amendment right to free speech and they are there for a reason.  But a presidential candidate’s tax returns would seem to meet the standard of “a matter of public concern” by a large degree.  If the courts were to decide that The New York Times violated the law as outlined above, that either they had participated in illegal conduct simply by publishing the documents or that the matter was not one of public concern, it could lead to a slippery slope of free speech restrictions.  This would be especially dangerous in a political climate like the one we find ourselves in now where we need the ability to speak out against “alternative facts” with truthful information.