Thursday, May 3, 2007

Data Miners go Back to the Salt Mines of New Hampshire

Following the Texas Attorney General's decision to sue CVS for mishandling consumer information, as detailed in my previous post, I have been spending my free time surveying state laws regarding use and protection of data, as well as the proper care and feeding of business documents.

While I was grinding through that self-imposed project, Judge Paul Barbadoro, US District Judge for the District of New Hampshire, handed down a welcome, and related, diversion. In a case styled IMS Health Incorporated, et al. v. Kelly Ayotte, as Attorney General of the State of New Hampshire, Case No. 06-cv-280-PB (Opinion No. 2007 DNH 061 P), the court ruled that a New Hampshire state law prohibiting data mining companies from the commercial use of patient-identifiable and prescriber-identifiable data violates First Amendment rights to free speech. The statute specifically prohibits the licensing, transfer, use or sale of such data for any marketing, promotion or advertising purposes. See N.H. Rev. Stat. Ann. sections 318:47-f, 318:47-g, 318-B:12(IV) (2006). According to the Court, the New Hampshire law was the first of its kind in the U.S.

As described by the Court, the process generally works this way. Data, including patient name, prescriber's name, dosage, quantity, etc., is gathered from the participating pharmacies' computers. Apparently, the data miners have software installed on the pharmacy computers that collects all of this information.

The opinion is not clear on how the patient data is removed from the data before being pooled and sold to third parties. According to the first paragraph of the opinion, individual personal data is "removed" before being sold. Later, the court explains that the patient information is encrypted, thereby "de-identifying" the patient information. Each de-identified record is then assigned a unique identification number, so that all subsequent prescriptions by the same individual can be aggregated. The opinion does not explain the level or complexity of the encryption, nor does the court address the sticky issue that, even if encrypted, the patient's identifying information is still present. Short of DOD-approved/Tom Clancy-endorsed encryption, other recent events have made it clear that encryption ain't necessarily a complete bill of goods.

In any event, this was not the thrust of the underlying suit, as the data miners make their gold coin from data concerning the prescriber, not the patient. The plaintiffs sell the data to the mega-pharm industry, which uses the data, at least in part, to focus its marketing and promotional efforts on certain health care providers.

The Court ruled that the plaintiffs' desire to use and disclose factual information, even if devoid of opinion or expression, constitutes speech for these purposes. The statutory text makes it pretty clear that the restrictions applied to commercial use of the data, meaning that an intermediate level of scrutiny is applied to the statute. In a thorough analysis, the Court explains why the statute, as applied to data miners' use of prescriber information, doesn't muster up to the demands of the First Amendment.

From an insolvency point of view, this case is interesting because it reaffirms, as though reaffirmation were required, that electronically stored information (ESI for all my readers in Mangum, Oklahoma) is a valuable asset of the enterprise. Beyond ensuring the safety and security of the ESI, this case also illustrates growing tensions between valuable commercial applications of ESI, competing interests in the ESI (the court raised briefly the potential that the use of the information might be subject to claims of confidential trade secrets), and the privacy of consumers or other third parties.

The musical chair scenarios are interesting to consider, especially in a bankruptcy context.
