Blog

  • Melissa Marrero Blog Post

    Melissa Marrero

    Information Privacy Law

    Professor Ira Rubinstein

    February 22, 2017

    In February 2015, one of the largest data breaches in American history took place in the database of Anthem, a health insurance company considered a ‘covered entity’ under the Health Insurance Portability and Accountability Act (HIPAA). In this breach, hackers gained access to circa 80 million records of current and former customers and employees of Anthem. The information accessed included names, Social Security numbers, birthdays, addresses and employment information.

    More than a year later, in November 2016, hackers compromised the personal health information (PHI) of 34,000 people through a mobile health app developed by Quest Diagnostics. Quest is a medical laboratory company that developed an application through which its patients could access their lab results and other personal information.

    Health data breaches are very common nowadays, and the odds of them happening more often increase as we switch from paper records to electronic databases. The apparent issue in this set of data breaches is how covered entities are storing patients’ data. In “The Health Data Conundrum”, Kathryn Haun and Eric Topol criticize how there are no major regulations or guidelines for covered entities on the storage of PHI. The issue Haun and Topol spotted is that these entities store the information in centralized databases and that they don’t usually encrypt the information. This makes breaches easier for hackers, as they only have to access the database once to gain access to all the information in it.

    Moreover, it is very hard to prosecute hackers, as most of them commit the breaches from outside the United States of America. Consequently, when companies like Anthem and Quest suffer one of these attacks, they would rather just offer the victims identity repair services than go after the hackers.

    As a solution to the storage problem, Haun and Topol suggest the disaggregation of medical data. Instead of storing it in centralized databases, they propose individual encrypted databases divided by families, for example. This would make it harder for hackers to gain access to all the information possessed by these companies, and it would also make it easier for patients to manage their own information and share it with whomever they like.

    Sources:

    https://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html

    https://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html

    https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html

  • Adriana Acuña Blog Post

    Adriana Acuña
    Information Privacy Law
    Professor: Ira Rubinstein
    February 21st, 2017
    Major HIPAA settlement of $5.5 million

    On February 16th, 2017, Memorial Healthcare Systems, a Florida-based company, and the Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached a settlement in light of probable Health Insurance Portability and Accountability Act (“HIPAA” or the “Act”) violations. As part of the settlement, Memorial Healthcare Systems has agreed to pay $5.5 million and to implement a corrective action plan.

    This case originated in 2012, when the company discovered a breach regarding its patients’ electronic Protected Health Information (“ePHI”). Specifically, it involved employees who inappropriately accessed such information in order to make money by filing phony tax returns. The modus operandi of the employees was to use a legitimate login credential to access the information. As soon as Memorial Healthcare Systems knew of this, the company proceeded to make the proper report to OCR.

    It was established that a total of 115,143 patients’ information was accessed, including names, birthdates and Social Security numbers. Although Memorial Healthcare Systems indeed had procedures to secure access to ePHI, the company did not comply with further procedures to review, modify and terminate users’ access rights to ePHI, especially in those cases where authorization was no longer granted.

    Kerting Baldwin, a Memorial Healthcare Systems spokeswoman, asserted that the company has made several changes to its internal procedures to secure access to ePHI. As part of these efforts, the company also contracted with an independent technology firm and with IBM in order to implement a better system to ultimately safeguard patients’ confidential information.

    This is just one of multiple settlement cases where a breach of ePHI is involved. It is clear that Memorial Healthcare Systems initially had good intentions in securing access to ePHI. However, good intentions with general protective measures alone are not enough. In this technological era, covered entities (as defined by HIPAA) have to follow all provisions of the Act in order to avoid any potential liability.

    Furthermore, covered entities should go one step further and adopt what I call a “prevention system” instead of a “remedial system”. This means that covered entities should not wait until there is a HIPAA violation to act and implement corrective actions, in other words, to seek a remedy for a wrong that has already occurred. Covered entities should instead seek to implement all measures possible in advance to safeguard patients’ information and prevent any breach. It is true that there might be several obstacles to implementing a prevention system, such as how to ensure control over the employees.

    However, I believe this could be addressed by agency theory, where a fiduciary duty is owed. In sum, covered entities should use all best efforts to provide procedures that secure patients’ information. This ultimately will not only benefit the patients, but also the covered entities, as they might avoid severe financial penalties.

    Links:
    [1] http://www.hipaajournal.com/ocr-record-hipaa-settlement-memorial-healthcare-system-8695/
    [2] https://www.nytimes.com/aponline/2017/02/18/us/ap-us-stolen-patient-information.html
    [3] http://www.sun-sentinel.com/local/broward/fl-reg-memorial-hippa-settlement-20170217-story.html

  • You Jin Shin Blog Post

    You Jin Shin

    Information Privacy Law

    Professor Ira Rubinstein

    February 17, 2017

    In January 2017, the U.S. Department of Health and Human Services (HHS) settled an enforcement action for “failure to timely report the breach of unsecured protected health information (PHI)”. Considering that the HIPAA Breach Notification Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act were passed in 2009, it is notable that this rule was enforced for the first time in 2017. This seems to suggest HHS is taking an increasingly strong stance on enforcement against privacy breaches.

    Under the notification requirement, individual notifications must be provided no later than “60 days following the discovery of a breach.” The notification requires the covered entity to provide affected individuals with instructions on how they can protect themselves, providing for quick protection measures. If notified early enough, protection measures may be taken before the stolen data is misused. Furthermore, by ensuring information exchange between HHS and entities in the event of a breach, this rule may help HHS identify trends and changes in the ways data privacy breaches occur more efficiently. It also ensures that companies are held accountable, and that they do not sit on their breaches for a long time.

    There is also a deterrence factor – if the 60-day requirement is enforced strictly, it is likely that groups considering their options after their discovery of a breach may be encouraged to report, because they would face increased “counts” of liability if they pass the 60-day timeline.

    On the other hand, it does not appear that there is an additional penalty imposed for breach of the notification requirement – Presence Health Network settled by paying $465,000 and implementing a corrective action plan. Hence it is unclear if this rule actually has any bite.

    http://www.lexology.com/library/detail.aspx?g=04469d35-f155-4c94-8d02-3619909b867d

    https://www.hhs.gov/hipaa/for-professionals/breach-notification/

  • Evan Hall Blog Post

    Evan Hall

    Information Privacy Law

    Professor Rubinstein

    February 16, 2017

    Among the questions arising from National Security Adviser Michael Flynn’s resignation this Monday, some are wondering whether the U.S. intelligence officials who recorded Flynn’s phone conversation with the Russian ambassador acted lawfully.  A recent Wall Street Journal editorial states that “U.S. intelligence services routinely get orders from the Foreign Intelligence Surveillance Court to monitor foreign officials. But under U.S. law, when they get those orders they are supposed to use ‘minimization’ procedures that don’t let them listen to the communications of Americans who may be caught in such eavesdropping. That is, they are supposed to protect the identity and speech of innocent Americans.”  On the other hand, by virtue of his position, the Russian ambassador is an “agent of a foreign power,” and is therefore a valid target for wiretapping under FISA.

    The minimization procedures required of such wiretaps are only required to the extent “consistent with the need for the United States to obtain, produce, and disseminate foreign intelligence information.”  Substitutions are sometimes required when the name of a U.S. person is mentioned in the recording, but these substitutions are not required when that person’s name is necessary to understanding the intelligence significance of the information in question.  In short, Flynn’s involvement is largely what makes the phone conversation foreign intelligence information.  FISA legislative history supports this conclusion by way of analogy:

    One example [of a situation in which a U.S. person’s name could be disseminated in an intelligence report] would be the identity of a person who is the incumbent of an office of the executive branch of the U.S. Government having significant responsibility for the conduct of U.S. defense or foreign policy, such as the Secretary of State or the State Department country desk officer. The identifiers of such persons would frequently satisfy the “necessary to understand” requirement, especially when such person is referred to in the communications of foreign officials.

    At the time of the phone conversation, Flynn was not the incumbent, but this seems an insufficient difference to justify reaching a different conclusion in determining whether wiretapping Flynn was proper.

    Sources:

    https://www.lawfareblog.com/treatment-flynns-phone-calls-complies-fisa-minimization-procedures

    https://www.wsj.com/articles/eavesdropping-on-michael-flynn-1487031552

    https://www.nytimes.com/2017/02/13/us/politics/donald-trump-national-security-adviser-michael-flynn.html

  • Mathilde Hallé Post

    Mathilde Halle

    Privacy Law

    Professor Rubinstein

    February 16, 2017

    The Hack in Quest Diagnostics’ Health Data App and The Issue of Patient Privacy Online

    Last November, Quest Diagnostics — a medical laboratory based in New Jersey — suffered a major hack through a mobile health app called “MyQuest by Care360”. According to the company, an “unauthorized third party” accessed the patient information of about 34,000 individuals, including their names, dates of birth, telephone numbers, and lab results. In response, Quest Diagnostics notified all affected patients and law enforcement authorities. The company also declared that the investigation into the hack was still ongoing, and that it had taken security steps to address the vulnerability of the app in the future.

    Attacks on patient databases have increased dramatically over recent years, both in number and in scale. In 2016 alone, hundreds of breaches involving millions of health records were reported to the Department of Health and Human Services. In some cases, the attacks affected a significant portion of the U.S. population. For instance, the hacking of two major health insurers affected over 90 million Americans last year. Several hospitals and health care systems have even been held for ransom by hackers.

    While the sensitivity of health data may seem obvious to each individual concerned, its value for cybercriminals is also substantial. In the case of the Quest Diagnostics attack, no misuse of the stolen data has been reported so far. Nevertheless, stolen health data is valuable: it can notably enable cybercriminals to fraudulently bill insurance companies for the purchase of medical equipment or drugs, which can then be resold on black markets.

    Health data is also valuable to hackers for an extrinsic reason, namely the relatively low security standards in place, which often make hacking feasible. Usually, health records are stored by service providers in huge central databases and are not encrypted. And with the proliferation of social media platforms, wearable devices and other healthcare applications, the number of such health-related databases has increased significantly. As a result, the opportunities for hackers have exploded.

    Considering the increase in potential threats to patients’ privacy and the actual number of attacks, many have called for greater regulatory protection for health information processing, including when the information is processed by entities that are not already covered by the HIPAA rules. Some have called for an extension of the scope of the notion of health data to cover all health-related data, such as information collected by wearable devices or healthcare apps, but also anonymized data when re-identification remains possible. In terms of security, some consider that all entities processing health-related information should be required to encrypt all sensitive data, but also to disaggregate patient or consumer records into separate units. These units could take the form of digital wallets for each patient. This restructuring of health databases would reportedly allow patients more control over their own medical data, including consenting to its further use by outside organizations for purposes unrelated to patient care (e.g., data analytics, advertising).

    Sources:

    https://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html

    https://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html

    http://healthitsecurity.com/news/focusing-on-patient-data-privacy-in-health-data-exchange

  • Ally Hofman-Bang Post

    Ally Hofman-Bang

    Privacy Law

    Professor Rubinstein

    February 16, 2017

    Health information privacy concerns: when data from a pacemaker leads to arrest

    Mr. Compton, a 59-year-old man from Ohio, was charged with arson and insurance fraud based on information police obtained from his pacemaker. This case raises privacy concerns around medical devices, their data, and the use thereof.

    In September 2016, Mr. Compton’s house caught fire. After discovering the fire, Mr. Compton packed items in suitcases (clothes, computer, charger for the pacemaker), broke one of his windows, threw the suitcases out and eventually jumped out himself. Mr. Compton alleged that he then placed the suitcases in his car and escaped the burning house.

    During the investigation, the police obtained a search warrant for the data from Mr. Compton’s pacemaker. The cardiologist analysing the medical data concluded “it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.” As a result of the investigation, Compton has been arrested and charged with arson and insurance fraud.

    The pacemaker data is likely protected health information (PHI) under The Health Insurance Portability and Accountability Act (HIPAA) because the data is “received by a health care provider” and “relates to the past, present or future physical or mental health or condition of any individual” (45 C.F.R. § 160.103). Also, HIPAA requires that the information is “individually identifiable health information” which is of no issue here since the data identifies Mr. Compton personally. Generally, in order for a health care provider to lawfully disclose PHI, the individual must authorize such disclosure in a written and signed instrument. However, there are exceptions to the authorization, if the disclosures are made “for a law enforcement purpose to a law enforcement officer” in compliance with a court order (45 C.F.R. § 164.512(f)).

    In this case, as discussed above, there seems to be no direct statutory violation by the care provider (Mr. Compton’s hospital) in disclosing the pacemaker data to the police. Here, the police had a valid search warrant and the information was indeed relevant to the investigation. However, arguably, the revealed pacemaker data raises concerns about what kind of data is covered by HIPAA. Considering “traditional” PHI under HIPAA, the vast majority concerns medical records such as journals that describe the health status of the patient. With today’s technology, as seen in this case, information can be as detailed as what pulse a person had at an exact given time. This information is far more intimate than a report of your general health status. Despite PHI being defined as “present” information, one might argue that “present” information should not include real-time information such as a person’s pulse.

    The issue with real-time information is that the information is no longer only health information; it can also work as a surveillance and monitoring tool—which again raises clear privacy concerns. As technology evolves and changes the information landscape, the privacy protection of health information must adjust simultaneously. Therefore, Mr. Compton’s case is likely not the last we will see regarding this intricate privacy concern.

  • Parth Baxi Post

    Parth Baxi

    Information Privacy

    Professor Rubinstein

    February 14, 2017

    “Did Publication of Donald Trump’s Tax Return Information Violate the Law?”

    http://www.abajournal.com/news/article/did_publication_of_donald_trumps_tax_return_information_violate_the_law/

    In September of 2016 during a visit to Harvard, The New York Times executive editor, Dean Baquet, said that he would risk jail time to publish Donald Trump’s tax returns.  On October 1, 2016, he did just that when The New York Times published excerpts of Trump’s 1995 tax records which showed that he had claimed losses of $916 million that year.  At that time there was speculation whether The New York Times violated federal law by doing so.  The federal law in question, 26 U.S.C. § 7213(a)(3), states that “it shall be unlawful for any person to whom any return or return information…is disclosed in a manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information.”  There are corresponding New York and New Jersey laws as well (states where the tax return documents were from).

    However, if any such lawsuit were to be pursued by Trump, it seems that The New York Times would be protected by the First Amendment as long as it did not illegally participate in accessing Trump’s tax documents.  According to The New York Times, it received the papers anonymously without any coercion.  In Bartnicki v. Vopper, Justice Stevens wrote that “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.”  Privacy should give way when balanced against the public interest in publishing matters of public importance.

    There are clear and obvious exceptions to the First Amendment right to free speech and they are there for a reason.  But a presidential candidate’s tax returns would seem to meet the standard of “a matter of public concern” by a large degree.  If the courts were to decide that The New York Times violated the law as outlined above, that either they had participated in illegal conduct simply by publishing the documents or that the matter was not one of public concern, it could lead to a slippery slope of free speech restrictions.  This would be especially dangerous in a political climate like the one we find ourselves in now where we need the ability to speak out against “alternative facts” with truthful information.

  • Hugh Bannister Post

    Hugh Bannister

    Information Policy

    Professor Rubinstein

    February 14, 2017

    The FCC’s recent privacy order – an unconstitutional burden of free commercial speech?

    Several lobby groups representing the online advertising industry recently objected to the Federal Communications Commission’s (FCC) adoption of the October 27, 2016 privacy report and order.  The privacy order set out a number of privacy regulations applying to wireline and wireless broadband internet service providers (ISPs).  The advertisers’ objections were contained in a formal petition for reconsideration of the privacy order filed with the FCC on January 3, 2017, and centered around two key restrictions on ISPs’ ability to use and disclose their customers’ personal information to third parties, including to online advertisers, which need information about customers’ internet activity to target advertising based on browsing behavior (behavioral advertising).  These objections have been based, in part, on legal and policy arguments grounded in commercial free speech protected under the First Amendment to the Constitution.

    The FCC’s privacy order stems from its February 2015 open internet order, which introduced rules supporting the principle of net neutrality (the notion that ISPs should serve and handle all data, content and applications on the internet equally, without either favor or restriction).  One of the effects of the open internet order was to re-classify ISPs under the Communications Act to be types of telecommunications services provided by ‘common carriers’.  That re-classification means that broadband ISPs are no longer subject to scrutiny by the Federal Trade Commission (FTC) for the purposes of some unfair and deceptive acts and practices under section 5 of the Federal Trade Commission Act, which includes the FTC’s regulatory power over many privacy matters.


    To fill this gap, the FCC adopted its privacy order, which comes into force in stages throughout 2017.  Unlike the FTC’s organization-specific, enforcement-based approach to privacy, the FCC’s privacy order sets regulations upfront and applies them to all telecommunications service providers, including ISPs.  Under the FCC’s privacy order, ISPs have a number of relatively standard obligations to protect and handle customer personal information responsibly.  However, the privacy order also creates a sub-class of ‘sensitive’ customer personal information which includes not just the usual health, financial and other intuitively ‘sensitive’ information, but also unusually extends to a customer’s web browsing history and application usage history.  ISPs must obtain customer consent to use and disclose this ‘sensitive’ customer personal information and must obtain that consent on an opt-in basis only.  For non-sensitive personal information, ISPs may obtain customer consent on an opt-out basis.

    The broader treatment of web and app usage history as ‘sensitive’ customer personal information and the opt-in consent requirement in the privacy order are the two restrictions that provoked the online advertisers’ objections and petition for reconsideration to the FCC.  These steps will make it harder for ISPs to provide online advertisers with the information they need about ISP customers’ internet activity to be able to target behavioral advertising online.  Although the advertisers have also warned about customers being constantly bombarded with opt-in consent requests, this is probably a more far-fetched complaint considering the FCC’s privacy order contemplates that an ISP may seek blanket opt-in consent from its customers at the point of sale of the ISP’s services and each time the ISP changes its privacy policy, rather than before each transaction online.


    The advertisers’ legal basis for their objections rests in part on claims that the FCC has exceeded the jurisdiction granted to it under statute by regulating privacy in the broadband industry (which is unlikely to get much traction because the FCC has been regulating privacy for other common carriers in the telecommunications industry since 1996) and that the FCC failed to follow due process in making the privacy order.  The more plausible legal basis for the advertisers’ objections rests on their claims that the FCC privacy order may be an unconstitutional burden on free commercial speech under the First Amendment.

    The ‘speech’ of the ISPs is the collection and disclosure of personal information of ISP customers directed to the ‘audience’ of online advertisers – a standard scenario for commercial speech.  While commercial speech is afforded a lower level of Constitutional protection, the advertisers may have a point about the FCC’s privacy order overstepping the bounds of permissible regulation under the First Amendment.  The advertisers rely on First Amendment case law involving a previous FCC attempt to regulate customer personal information for marketing purposes by telecommunications service providers, which has close parallels to the present FCC privacy order (U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224 (10th Cir. 1999)).  Based on this precedent, the advertisers’ argument is that the FCC’s privacy order is not narrowly tailored enough to survive scrutiny by a court under the First Amendment.  In large part this is alleged to be because of the unusually broad category of ‘sensitive’ customer personal information and the supposedly onerous opt-in consent that the ISPs need to obtain from their customers to be able to use and disclose such information, including disclosure to online advertisers.  A more narrowly tailored alternative offered by the advertisers is an opt-out consent approach and a reduction in the scope of ‘sensitive’ information back to more traditional notions of highly confidential personal information, like health and financial information.

    Despite the legal posturing in the advertisers’ petition for reconsideration to the FCC, the advertisers’ objections may not need to be carried through to a full court challenge to the validity of the FCC’s privacy order.  The recent change in government in Washington has also brought changes to the make-up of the commissioners at the FCC.  A new FCC chair has been appointed, Ajit Pai, who has been a consistent and forceful critic of the FCC’s open internet order as well as the privacy order flowing from it.  The new Administration must also appoint two new FCC commissioners to fill currently vacant positions within the FCC’s leadership.  These changes will shift power within the FCC, as well as its regulatory course generally.  It seems likely that the FCC will narrow or even revoke the privacy order and open internet order in the near future.  Should that occur, there would also likely be a revival of the FTC’s privacy oversight of the broadband industry.

    References:

    October 26, 2016 FCC privacy report and order:

    https://www.fcc.gov/document/fcc-releases-rules-protect-broadband-consumer-privacy

    January 3, 2017 petition for reconsideration submitted to the FCC by the Association of National Advertisers, the American Association of Advertising Agencies, the American Advertising Federation, the Data & Marketing Association, the Interactive Advertising Bureau and the Network Advertising Initiative:

    https://www.ana.net/content/show/id/42754

  • Chih Yun Wu Post

    Chih Yun Wu

    Information Privacy

    Professor Rubinstein

    February 14, 2017

    In one of several ongoing lawsuits brought by communications service providers against the federal government, Microsoft alleges that government-issued gag orders violate the First Amendment.  In contrast to the various First Amendment challenges that have been brought by companies to invalidate statutes that restrict their ability to use or access customer data, here Microsoft is using the First Amendment to protect its customers’ data against seizure by the Federal Government.

    Under Section 2705(b) of the Electronic Communications Privacy Act (ECPA), the federal government can obtain court orders that prevent companies from providing notice to their customers – sometimes indefinitely.  Microsoft challenged Section 2705(b) as violating its right as a business to talk to its customers under the First Amendment.  In particular, Microsoft alleges that the government orders are content-based because they categorically bar Microsoft from speaking about the orders.  As of this blog post, Microsoft’s First Amendment claim has passed the pleadings stage, with the District Court noting that the Government has the burden of showing that the statute meets strict scrutiny.

    Microsoft also asserted a Fourth Amendment claim on behalf of its customers, alleging that indefinite nondisclosure orders prevent the customers from ever receiving notice of the government’s seizure of their private data.  However, the court found that established precedent prevents a third party from vicariously asserting another person’s Fourth Amendment rights, despite acknowledging Microsoft’s argument that some customers would not be able to assert their own claims because they may never know about the government’s actions.

    https://www.techdirt.com/articles/20170209/13294436677/court-says-microsoft-can-sue-government-over-first-amendment-violating-gag-orders.shtml

  • Janie Buckley Post

    Janie Buckley

    Information Policy

    Professor Rubinstein

    February 14, 2017

    The Association of National Advertisers (the ANA), the American Association of Advertising Agencies (the 4As), the American Advertising Federation (the AAF), the Data & Marketing Association (the DMA), the Interactive Advertising Bureau (the IAB), and the Network Advertising Initiative (the NAI) have together submitted to the Federal Communications Commission a petition for reconsideration of the FCC’s final agency order entitled Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, published as a final rule December 2, 2016.

    The trade associations challenge the Rule on a number of grounds, including an allegation that the Rule as promulgated is violative of the trade associations’ members’ First Amendment rights.  The Rule applies to Broadband Internet Access Service (BIAS) providers and requires that BIAS providers have customers’ approval before sharing certain sensitive data with third parties.  The Rule includes, in what the trade associations characterize as a departure, all web browsing and application usage history.  The Rule requires opt-in consent from customers rather than allowing customers to opt out of such usage.

    In their filing for reconsideration, the trade associations rely on U.S. West, Inc. v. FCC, 182 F.3d 1224, 1232 (10th Cir. 1999) and argue that U.S. West requires that the FCC adopt the least restrictive means necessary to regulate commercial speech in order to be in accordance with First Amendment principles and jurisprudence.  Specifically, the trade associations assert that the opt-in approach required by the new Rule is not the least restrictive means necessary and that the 10th Circuit’s rejection of an opt-in regime in U.S. West means that requiring opt-in here is not the least restrictive means necessary to protect privacy.  The trade associations also argue that U.S. West requires the government to detail the specific privacy interest it is protecting, and that broad statements regarding general privacy interests do not reach the threshold required by the substantial state interest prong of the First Amendment inquiry.

    In their petition, the trade associations do not reference later court opinions from the D.C. Circuit which recognized that opt-in regimes were not violative of the First Amendment.  In National Cable & Telecommunications Association v. FCC, 555 F.3d 996 (D.C. Cir. 2009), the court specifically noted that the FCC’s decision to require opt-in consent, as opposed to mandating that covered entities provide consumers the opportunity to opt out of data sharing, was supported by substantial evidence.  The FCC found that opt-in consent was more protective of consumer privacy, in large part due to the reality that many people are not aware of the ability to opt out and often do not understand opt-out notices.  This comports with other findings in the realm of behavioral psychology which show that default rules have an impact on later behavior by persons faced with choices.  Simply framing one choice as the default choice affects later behavior.

    National Cable & Telecommunications Association further undermines the trade associations’ arguments because the D.C. Circuit specifically rejected the 10th Circuit’s requirement that the government articulate a specific privacy interest it was protecting.  The D.C. Circuit refused to follow U.S. West’s requirement that privacy interests must be stated in terms of protecting consumers from the public revelation of “embarrassing” information.  Rather, the D.C. Circuit noted that privacy deals with much more than keeping “embarrassing” details private. Privacy, which is a substantial interest even in the general, also deals explicitly with making determinations for oneself about whether and to whom to disclose private or personal information.