Nixon Law Group


Femtech Data Privacy and the Changing Abortion Landscape: What Femtech Companies and Founders Need to Know

The landscape of reproductive rights in the U.S. is on the precipice of change. Recognizing a woman’s constitutional right to abortion since 1973 through the landmark decision Roe v. Wade, the U.S. Supreme Court now appears poised to strike down this federal protection and return abortion regulation to the states.

In a draft majority opinion leaked to Politico earlier this month, Justice Samuel Alito argued that “Roe was egregiously wrong from the start” and “must be overruled.”

Reasoning that abortion lacks both explicit and implicit protection in the U.S. Constitution and fails to qualify as a “deeply rooted” right in U.S. history, the Supreme Court concluded that the decision on abortion must be returned to the people’s elected representatives. If the final decision mirrors the leaked draft, this ruling will result in an immediate end to federal protection of abortion rights, and the activation of trigger laws in at least 13 states that will immediately ban or criminalize abortion.

The femtech industry has been rapidly working to understand and analyze the implications for women if Roe falls.

In addition to compiling resources about where and how to obtain legal abortions in a post-Roe era, femtech and women’s rights companies are finding ways to provide low cost or free access to birth control and emergency contraception nationwide. Some are also lobbying for federal codification of the rights expressed in Roe.

However, one issue that some femtech companies and founders have not yet considered or solved is how their privacy and security frameworks may inadvertently lead to the prosecution of women who obtain illegal abortions in the future. Numerous articles have already been published since the leak calling for women to delete their period tracking apps and remove sensitive health data from menstrual and fertility applications. The concern is that this sensitive data could make its way into the hands of law enforcement and result in criminal prosecution. As a result, consumer trust in the femtech industry is uncertain at best, and femtech companies should expect increased consumer and media scrutiny into their privacy policies and security practices.

This article explains the privacy and security concerns worrying femtech consumers and identifies actionable insights that femtech companies can undertake right now to rebuild and enhance consumer trust.

 

Why are femtech consumers worried about data privacy and security?

Following the leaked Supreme Court opinion, consumers have become increasingly aware of the lack of federal privacy and security protections for data collected by femtech applications. Currently, most femtech companies in the U.S. do not have significant restrictions on how they collect, use, store, or disclose health data. The majority of femtech companies, particularly startups, are not subject to the Health Insurance Portability and Accountability Act (HIPAA), which is the primary federal law regulating healthcare privacy.

As a result, data disclosure for most femtech companies is restricted by the Federal Trade Commission (FTC) – which prohibits companies from committing unfair or deceptive acts or practices – and applicable state laws. With the potential reversal of Roe, consumers fear that femtech companies’ data privacy and security practices could result in the disclosure of their reproductive data to law enforcement, who can use it to investigate and criminally prosecute women who have had illegal abortions. These fears are not unfounded.

There are at least four ways in which a woman’s reproductive health data could make its way to law enforcement:

First, data may be obtained directly from a woman’s digital device and the applications on it. There is ample data showing that law enforcement officers regularly request and obtain digitally held data about suspected criminals. In 2017, for example, Mississippi charged Latice Fisher with second-degree murder for the death of her fetus. As part of the case, prosecutors reviewed Ms. Fisher’s cell phone data and found internet searches related to the purchase of abortion pills. The data was used to help prove her intent to receive an abortion. This means data contained on a device (including any of its applications) or stored in the cloud may be accessible to law enforcement officers.  

Second, data can make its way to law enforcement through downstream third parties who have obtained the data either directly from the femtech company or through a data broker. A data broker is an individual or entity that collects personal data – either from public or private sources – and then sells or licenses that information to third parties. In their privacy policies, some femtech companies note that personal data may be sold downstream, which can include sale to data brokers. Indeed, this is often a way for tech companies to capitalize on the high value of health data and may serve as a steady income stream. This data, regardless of whether it is anonymized, can sometimes be traced back to an identifiable consumer. If reproductive data is sold by femtech companies, purchasers of that data may be able to identify consumers who have obtained abortions or who have traveled to get reproductive services.

This threat is not purely theoretical. VICE recently reported that data broker SafeGraph sold data related to abortion clinic visits. For a small fee, purchasers could obtain data points, such as how long a person stayed at a clinic and where the person traveled to/from, which could result in consumer identification. Given that data brokers can sell reproductive data to both public and private actors, law enforcement officers could purchase such data (without a subpoena) and trace abortion-related data points back to identifiable individuals.

Third, law enforcement officers can try to obtain data directly from femtech companies through subpoenas. Privacy policies for femtech companies will often permit data disclosure to law enforcement officers for legitimate purposes and in response to subpoenas or other legal requests.

Finally, reproductive health data may be stolen through a breach or cyberattack and disclosed to law enforcement by a cybercriminal. If the abortion landscape shifts this summer, the value of reproductive data on the dark web will likely increase significantly. Hackers who gain entry into and compromise femtech applications or devices may be able to steal women’s health data. If the stolen files contain any data points related to abortion services, hackers may try to blackmail or extort companies and the women whose data they possess. As a result, women may be faced with the threat of data disclosure to authorities that could lead to criminal charges. In addition, the mere threat of public exposure for obtaining an abortion – even in states where abortion is legal – can cause women significant distress.

Rebuilding and Enhancing Consumer Trust in Femtech

Consumers are concerned that their health data may not be adequately protected by femtech companies, and some consumers have stopped using femtech applications altogether. To mitigate the risk to consumers, femtech companies can take actionable steps to address consumers’ concerns with data privacy and security. This article presents four strategies that femtech companies and startups can undertake starting today to show consumers that they value their trust.

 

1.  Map Your Company’s Data Flow and Only Collect the Minimum Necessary Data.

First, each femtech company should have an in-depth and detailed understanding of its data flow and lifecycle. A company cannot protect data if it does not know what data it collects and where that data is stored. Mapping the data flow can be particularly useful for identifying all the places where data is inputted, created, and stored, who has access to such data, and which data collection entry points may introduce security vulnerabilities.

Once you understand the data flow, you should identify precisely what data is necessary for the application to function properly. Many femtech applications collect substantially more data than is necessary for the application to work. If a company collects and stores excessive sensitive data, that data is unnecessarily exposed to privacy and security risks. Companies that collect more data assume more risk and must do more to safeguard that data adequately. To that end, femtech companies should only collect the minimum necessary data from consumers. Take time to compare the data requested with the application’s functionality and determine whether any data categories can be deleted.

2.  Limit the Sale of Reproductive Health Data.

Second, femtech companies should determine their position on the sale of reproductive data. Whenever possible, the sale of reproductive data should be avoided or substantially limited to enhance consumer privacy and trust. While selling health data may be necessary for some business models, consumers should have the ability to opt in to the sale of their data (rather than the traditional opt-out methodology). Consider changing the nature and structure of user consents and permissions to promote affirmative and informed consent for all consumers. Policies and practices that provide consumers with control over the sharing and disclosure of their data will be appreciated in this uncertain climate.

 

3.  Review and Update Privacy Policies.

Third, it is essential that your privacy policy accurately and transparently communicates to consumers how and for what purposes you will use and disclose their personal data. Remember, privacy policies are, in essence, promises to consumers and users of your product or application about how you will treat and handle their data. Privacy policies that are inaccurate or misleading may be deemed unfair or deceptive trade practices and expose femtech companies to investigation by the FTC. Your privacy policy should be a living, breathing document that is regularly reviewed and updated to ensure the external promises match your company’s business model and real-time data collection practices.

Privacy policy accuracy and completeness also serve an essential risk mitigation function. If reproductive data is disclosed downstream in violation of the privacy policy or in a manner not disclosed in the privacy policy, you may face investigations and lawsuits not only from the FTC, but also from state attorneys general and consumers. If consumers show harm (e.g., prosecutorial action for an illegal abortion) based on improperly disclosed data, your company’s liability and exposure can significantly increase (not to mention the damage to the company’s reputation).

For these reasons, it is essential to have an appropriately tailored privacy policy for your platform. Copying and pasting a competitor’s privacy policy is extremely risky, given that your company will likely collect, store, use, and disclose data differently than your competitor. If you’re making changes to an existing privacy policy to enhance consumer privacy protections, highlight those changes for consumers so they know you’re taking their concerns seriously.

 

4.  Enhance Your Cybersecurity Protocols and Infrastructure.

Finally, if the abortion landscape changes in the U.S., cybercriminals will have increased incentives to target reproductive health data. Healthcare data in general is already valued at $250 per record on the black market (compared to $5.40 for financial data). If Roe is overturned, the value of reproductive data will increase in states where abortion is criminalized. Should this occur, cybercriminals can target both the femtech company and the individual consumers whose data was exposed. This creates a heightened risk for extortion and blackmail in a way we haven’t traditionally seen in women’s health.

Now is the perfect time to review and enhance your cybersecurity protocols and infrastructure. Oftentimes, early-stage femtech startups do not have the resources to invest in and prioritize cybersecurity. Initial funding rounds are dedicated to product design, development, and commercialization. Founders may also believe there is a low risk of a cyberattack or breach because the company is new, small, and relatively unknown. While this might be true, cybercriminals may increasingly target femtech companies – both established and new – if Roe is overturned.

Here are a few key cybersecurity actions you can take now:

Implement Data Access Controls – Restrict who within your company can access sensitive health data. Not every employee of an organization should have full access to all data. Rather, access should be determined by position and need. This is a central step to minimizing risk because it reduces the number of access points for data to leave the confines of the company’s network. Insiders (including employees) represent a great threat to cybersecurity, so access controls are essential (especially as your company grows and scales).

Vet and Audit Vendors – Data access and control goes beyond your organization and extends to any entity that stores, accesses, or uses your company’s data. Third-party vendors with lax security policies and procedures can serve as a hacking “stepping-stone” for entry to your IT system. Be diligent with vetting and auditing any vendors on a routine and continuous basis and ensure your vendor contracts grant you audit rights.

Purchase Cyber Insurance – Cyber insurance is a must-have for any femtech company that collects or stores health data. This cyber policy should be separate from your general liability policy and should provide sufficient minimum coverage for the types of services your company provides and the types of data you handle. If a breach or cyber incident happens, don’t be afraid to call your insurer. Cyber insurance gives you access to a full team of professionals who can help you investigate, navigate, and respond to a breach.

Develop and Test a Cyber Incident Response Plan – Cyberattacks have become a routine occurrence in the digital health space and response times matter. For that reason, it is necessary to create and test a cyber incident response plan. An incident response plan contains key tools and procedures that you can use to evaluate, stop, and recover from cybersecurity incidents. The incident response plan should detail your incident response strategy, the roles and responsibilities of each team member in responding to the incident, and the exact steps to be taken if a security incident occurs. Incident response plans will evolve as your company grows, but early-stage companies can go ahead and set the foundation for good cyber hygiene through the creation of a simple incident response plan. Knowing that your company is prepared to handle a breach is a great comfort to consumers.

Looking to the future

The next few months will be filled with uncertainty, as we wait to receive the final Supreme Court decision. Regardless of the outcome, femtech companies should prioritize and emphasize consumer privacy and security, given the sensitive nature of the health data collected by these companies. The actionable insights presented above are just a fraction of the steps femtech companies should take if they are interested in enhancing their privacy and security frameworks. If you would like assistance reviewing and enhancing your privacy and security protocols, or if you feel like privacy and security compliance is a daunting task, please reach out to us!