In the very active cyber threat landscape of today, organizations dealing with sensitive consumer data must adopt effective security policies to shape their organizational culture into an effective protector of sensitive information and data. A consumer’s banking information and personal health information are valuable information assets for both the service provider as well as the cyber threat actor. Given the consumer concerns, the United States Federal Government and various state governments have increasingly passed regulations that businesses must comply with to ensure the safety of its citizens. Failure to do so can expose businesses to enforcement liability and even civil liability as seen in the Illinois Biometric Information Privacy Act.
Stripe is a growing company in the heavily regulated financial technology space and has a robust policy framework available on its website. Similarly, Ingalls Memorial Hospital of the UChicago Healthcare system (“IMH”) is a heavily regulated healthcare institution with a robust policy framework on its website. Both of these organizations, and the consumer data they possess, are high-value targets for cyber threat actors. While their privacy and data policies share some commonalities related to policy scope, they differ in the relevancy of the data they collect.
Key Policy Tenets of the Stripe Privacy Policy.
Good policy can be judged using the following seven characteristics: 1) Endorsed, 2) Relevant, 3) Realistic, 4) Attainable, 5) Adaptable, 6) Enforceable, and 7) Inclusive. In reviewing the Stripe privacy policy, easily accessible on their consumer-facing website, it is apparent the policy favors relevance, realism, and adaptability.
First, the privacy policy favors relevance because it takes the business’s operating environment into account. The opening statement of this privacy policy acts as a guiding principle and establishes context by defining what the organization does.[1] By offering this guiding principle, the reader can better understand the relevance of the policy in the context and from the perspective of the service provider.
Second, Stripe’s privacy policy appears to be genuine and realistic. A realistic policy establishes purpose and procedure that reflect the reality of the environment in which they will be implemented. Stripe’s privacy policy is intended to be implemented by both its current consumer and business customers as well as prospective ones. As a result of this environment, Stripe uses a plain-language writing style to express the subject matter in a simple and straightforward way, easily understood by the average consumer. For example, the policy uses the defined terms “We” and “Us” to refer to Stripe and the defined term “You” to refer to the end user subject to the policy. This simple choice makes the policy feel more conversational and personal, which makes the message easier to understand and leads to more effective compliance.
Third, the privacy policy favors adaptability because it recognizes that its requirements are not static but rather an ongoing process designed to support Stripe’s organizational mission. Stripe’s Privacy Policy website contains a well-structured outline with separate webpages for each specific standard and procedure subcategory. For example, in the outline underneath the privacy policy is a Cookies Policy. Clicking on this takes the reader to a separate webpage with more specific information related to cookies. By using separate webpages for each standard and procedure, the policy remains highly adaptable to changing regulatory requirements and technical innovations. If something changes with cookies, Stripe can simply update the cookie webpage.
Key Policy Tenets of the Ingalls Memorial Hospital Privacy Policy.
Similar to Stripe, IMH does business with data that is highly targeted and valued by cyber threat actors. Given the sensitivity of the data, IMH has enacted a privacy policy readily available on its website. Like Stripe’s, this policy also appears to favor three of the seven characteristics: endorsement by dedicated management, enforceability, and inclusivity.
First, IMH’s privacy policy is endorsed because management actively demonstrated a commitment to the policy. This policy begins with a notice signed by the organization’s chief privacy officer and establishes its guiding principle: to comply with the HIPAA privacy statute. Framing the guiding principles as a letter from the chief privacy officer demonstrates management’s dedication and direct involvement in endorsing the policy.
Second, the privacy policy is enforceable because its guiding principle is rooted in HIPAA applicability. Overall, the privacy policy describes the data subject’s and the organization’s various rights and responsibilities as they relate to sensitive personal health information and data. Failure to comply can result in statutory liability and enforcement actions ranging from $100 to $50,000 per violation. The policy makes it clear what the rules are and identifies a mechanism for reporting violations, which are enforced by the government through the HIPAA statute.
Third, this privacy policy is inclusive because it addresses its applicability to external affiliated independent entities that are still covered by the policy. The website contains an “organized health care arrangements” section in the privacy policy. This section discloses and considers that IMH may share PHI with its related hospitals. For example, if a patient goes to IMH for a regular annual check-up but also seeks treatment for an ear infection, IMH would likely refer the patient to another doctor employed by IMH’s ear specialist subsidiary entity. Disclosing the transfer of the patient’s records to the subsidiary makes the transition more effective and keeps it in compliance with HIPAA disclosure requirements.
Regulations in Stripe’s Privacy Policies.
Stripe’s privacy policy reflects compliance with a broad set of international and domestic data privacy and security regulations. While the policy does not include an exhaustive list of applicable laws, it clearly addresses obligations under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI DSS).
The GDPR is a comprehensive privacy regulation applicable to residents of the European Union. Stripe expressly references its role as both a controller and a processor of data within the framework of this law. The company uses its privacy policy to outline users’ rights under the GDPR, including access, correction, data portability, and the right to be forgotten. The CCPA is similar to the GDPR but is applicable to residents of the state of California. The privacy policy also outlines its California users’ rights, including the right to know what personal data is collected and the ability to opt out of the sale of their data. However, Stripe asserts in the privacy policy that it does not “sell” data within the meaning of the CCPA. By complying with the CCPA and having the disclosures in its privacy policy, Stripe will be able to move faster if it makes the business decision to sell data in the future.
Although the privacy policy does not expressly reference the FTC’s Financial Privacy Rule under the Gramm-Leach-Bliley Act (GLBA) (the “Rule”), the Rule is broadly applicable to financial institutions like banks and mortgage lenders, and to non-bank entities such as tax preparers and payment processors. The Rule requires those financial institutions to give clear privacy notices to their customers, to explain what personal information is being collected and how it is being shared, and to allow their customers to opt out of the sharing. Stripe appears to comply with the Rule because the privacy policy, easily available online to its customers, addresses the requirements described above. Stripe also complies with the PCI DSS regulatory requirements around using encryption, access controls, and secure data handling practices, particularly related to consumer credit card data.
To enforce compliance, Stripe uses a layered approach including 1) robust internal governance structures, 2) technical security measures, and 3) third-party audits and certifications. Stripe has a dedicated data protection officer, as required by the GDPR, to raise compliance concerns and to enforce its data practices internally. Stripe requires its sub-processors and third-party service providers to contractually commit to its high level of confidentiality and security, ensuring that its whole business is compliant, not just the company itself. Stripe also proudly displays various certifications from both external and internal audit teams, such as its Service Organization Controls (SOC) certification.
Regulations in IMH’s privacy policy.
The privacy policy of Ingalls Memorial Hospital, part of the University of Chicago Medicine healthcare organization, and the practices it describes reflect strict compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Illinois Biometric Information Privacy Act (BIPA).
IMH’s healthcare operations are governed first and foremost by HIPAA, which regulates how its applicable entities (“Covered Entities”) collect, use, and safeguard specifically defined protected health information (“PHI”). The privacy policy formally outlines to its patients the permitted uses of PHI, such as for treatment, payment, and the organization’s operations. This policy also informs patients of their rights, including access, correction, and restrictions on disclosure.
HIPAA dates back to the 1990s and did not anticipate the advances in technology brought on by the internet, nor did it anticipate the value of PHI to a modern-day cyber threat actor. As such, the United States federal government passed the HITECH Act as part of the broader American Recovery and Reinvestment Act (ARRA). HITECH enhances HIPAA by requiring breach notifications and establishing security standards for electronic health records.
The privacy policy also indicates that IMH complies with BIPA. This biometric-specific privacy law requires businesses that collect, possess, sell, store, or use certain biometric identifiers to establish a privacy policy that expressly states their retention period for biometric records and gives the consumer a right to opt out of sharing their biometric data. IMH has a dedicated biometric sub-policy, available on its website, that complies with the requirements of BIPA.[2]
The privacy policy indicates that compliance with these regulatory schemes is enforced internally through technical controls, staff training, access controls, and audits, and externally by the Office for Civil Rights of the US Department of Health and Human Services (HHS), which can investigate complaints and impose steep fines for non-compliance, as well as through a statutory private cause of action in the case of BIPA. Rather than dedicating governmental resources to actively enforce BIPA, the Illinois legislature included a private right of action in the statute, which allows enforcement through civil plaintiff attorneys.
Commonalities in Privacy Frameworks: Stripe and IMH
Despite operating in vastly different sectors, financial technology and healthcare, Stripe and IMH share several foundational elements in their privacy policies and procedures. Both organizations demonstrate a strong commitment to protecting the personal, financial, and health data of their customers and patients through transparency, legal compliance, and user empowerment.
First, both privacy policies use plain language to clearly outline the type of personal information collected and how it will be used. Stripe collects data in the form of customer names, contact information, financial identifiers, device information, and usage data for the purpose of processing payments, fraud prevention, and product improvement. IMH collects similar data alongside PHI which it uses for treatments, payments, and operations as defined by HIPAA.
Next, both privacy policies address the use of third parties, in that personal data may be shared in some circumstances for the purpose of delivering the service. Both organizations also disclose that they may share personal data with government entities when legally mandated. However, both policies also qualify that the sharing of personal data will be limited to the specific purpose for which it is shared. User rights are another area of overlap between the policies. While Stripe describes the user’s rights under the GDPR and CCPA, such as the right to correction and to opt out, IMH highlights similar rights, but under HIPAA.
Finally, both organizations use their privacy policy to reassure their customers and patients that the sensitive data is adequately protected. Both organizations do this by highlighting their use of administrative, physical, and technical controls. These include access controls, internal monitoring, external auditing, and platform security certifications.
Differences in Privacy Frameworks: Stripe and IMH
The Stripe and IMH privacy policies differ not only in their regulatory scope but also in how they are enforced, the penalties for violations, and the mechanisms the institutions use to ensure compliance. While both organizations are in the business of handling sensitive information, and do have some similarities, their privacy policies indicate that each has a distinct and separate privacy framework.
As discussed above, data privacy for IMH is primarily governed by HIPAA and HITECH, which federally mandate the protection of PHI. HHS actively enforces this statute through investigation of complaints, whistleblower reports, and audits. HHS is empowered to levy civil and criminal penalties for noncompliance. These penalties can amount to millions of dollars for substantial negligence in compliance, with reduced penalties for less negligent noncompliance. Overall, this regulatory framework is prescriptive and consistent nationwide, which leads to standardized compliance practices in healthcare.
Data privacy for Stripe, on the other hand, is governed by a mixture of international, federal, and state regulations such as the GDPR and the GLBA. The FTC is empowered to conduct enforcement actions; however, these actions are centered around consumer complaints in general. Given this scope and the lack of a federal statute specific to data privacy, FTC enforcement actions are more reactive and less frequent than an HHS HIPAA audit.
In terms of efficacy, healthcare Covered Entities like IMH tend to be more effective in establishing a consistent national baseline of protections and consequences due to the breadth of HIPAA. In contrast, fintech companies like Stripe face a mixed bag of data privacy regulations that can change as their business operations change, which makes enforcement inconsistent. However, Stripe’s privacy policy is clearly over-inclusive given the lack of centralized regulation. It appears Stripe is focusing its data privacy compliance requirements on the strictest regulation it could be subject to. In this way, Stripe hopes to be in compliance with the less rigorous laws in the mixed bag of applicable law.
[1] Quoted in part “We provide financial infrastructure for the internet. Individuals and businesses of all sizes use our technology and services to facilitate purchases, accept payments, send payouts, and manage online businesses. This Privacy Policy (“Policy”) describes the Personal Data that we collect, how we use and share it, and details on how you can reach us with privacy-related inquiries. The Policy also outlines your rights and choices as a data subject, including the right to object to certain uses of your Personal Data. . . .”
[2] In Mosby v. Ingalls Memorial Hospital (Ill. 2023), the Illinois Supreme Court ruled that HIPAA covered entities are exempt from BIPA when the data is used for purposes related to healthcare treatment, payments, or operations as defined by HIPAA.