Wearables and the Challenge for Consumer Device Makers

Wearable devices such as Fitbit, Jawbone, and others cater to consumers who want to improve themselves. Jawbone's website, for example, tells visitors that, "There's a better version of you out there. GET UP® AND FIND IT." These wearables allow people to better understand their sleep patterns, monitor their exercise regime, and improve their diet. But, that's not all. Reporters from Forbes and The Atlantic have reported on a personal injury case out of Calgary, Canada where, according to the reporters, the plaintiffs' firm is seeking to use its client's Fitbit data to help demonstrate the adverse impacts of a car accident on the client.[1]

More interestingly, the firm is not only looking to Fitbit, but is running the data through the analytics offered by Vivametrica. As Kate Crawford explains in When Fitbit Is the Expert Witness (The Atlantic):
As an additional twist, it is not the raw Fitbit data that will be used in the courtroom. The lawyers are relying on an analytics company called Vivametrica, which compares individual data to the general population by using "industry and public research." Vivametrica claims that they "define standards for how data is managed, bringing order to the chaos of the wearable." In other words, they specialize in taking a single person's data, and comparing it to the vast banks of data collected by Fitbits, to see if that person is above or below average.
But, as Ms. Crawford notes:
Medical research on the relationship between exercise, sleep, diet, and health is moving extremely rapidly. The decisions about what is "normal" and "healthy" that these companies come to depends on which research they're using. Who is defining what constitutes the "average" healthy person? This contextual information isn't generally visible. Analytics companies aren't required to reveal which data sets they are using and how they are being analyzed.
This type of case, where data from wearables is used as evidence, is one that legal professionals have been expecting. (See, for example, the presentation from me and my colleagues on managing ESI in healthcare at the ABA's Information Governance, Electronic Discovery and Digital Evidence National Institute, Tampa, FL, Jan. 29, 2014). After all, these devices hold treasure troves of data, storing workouts, heart rate, sleep patterns, GPS, and fall detection. But the data can be even more detailed (and significantly more sensitive). In 2012, the FDA cleared an ingestible digital sensor (similar to an RFID) for use as a medical device.[2]

The device was developed by Proteus Digital Health, Inc. and "is part of the Proteus digital health feedback system, an integrated, end-to-end personal health management system that is designed to help improve patients' health habits and connections to caregivers." In effect, the goal of the device is to help patients remember to take their medications and to notify providers and caregivers if a patient has failed to take his or her medication.

It's true that wearables have the potential to help people live better and improve their lives. But this Fitbit case brings up some interesting legal issues. For one, as reported, the plaintiffs' firm is not seeking to use raw Fitbit data. Instead, the plan is to use data analyzed by a third-party analytics firm. US courts are well versed in dealing with data, analytics, and experts. But consider: does the fact that this is data from a consumer device being pushed through a third-party analytics solution change the reliability of the information? Further, are analytics firms and consumer device manufacturers prepared to disclose and be questioned on the ins and outs of their software and their algorithms, and to defend their data sources?

Additionally, for consumer device companies, this case also brings to light the issue of responding to subpoenas and having the company's technology subjected to the discovery and litigation process. Complying with subpoenas, being deposed, or having to appear in court is not free. Every minute a company devotes to any aspect of litigation is precious time that its employees are not spending on more productive activities. So, who pays for these efforts? Can a company add terms to its terms of service advising buyers and licensees that, in the event of litigation where the individual's data is at issue, the individual must reimburse the consumer device company for its efforts? And if such terms can be added, should they?

Finally, no one is forcing consumers to wear wearables and track every aspect of their lives. But, now that they have, who else can have that data and what obligations do companies like Vivametrica have to protect consumer information? As Parmy Olson notes in Fitbit Data Now Being Used In The Courtroom (Forbes):
Insurers wouldn't be able to force claimants to wear Fitbits as part of an "assessment period," like [Simon] Muller's client, but they could request a formal court order from whoever holds the data to release it to them, says Dr. Rick Hu, co-founder and CEO of Vivametrica. "We would not release the information," he adds. Insurers could instead request it from a law firm or even from Fitbit directly.
While Dr. Rick Hu's position that the company will "not release the information" is admirable, the company may not have an option, as a number of technology companies have learned over the last several years.[3]

Consumer device companies should understand that the data they hold is valuable and someone may want it at some point, whether by way of a subpoena or through a search warrant. As such, companies should draft their contracts and privacy policies accordingly and take other appropriate steps to minimize risks and liabilities (including, for example, those related to data breaches). Company management should also consider whether a consumer education program is needed so that consumers clearly understand how their data may be disclosed.

[1] Parmy Olson, Fitbit Data Now Being Used In The Courtroom, Forbes.com, Nov. 16, 2014, https://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/. Kate Crawford, When Fitbit Is the Expert Witness: An Upcoming Court Case Will Use Fitness-Tracking Data to Try and Prove a Plaintiff's Claim, Bringing Us One Step Closer to the New Age of Quantified Self Incrimination, TheAtlantic.com, Nov. 19, 2014, https://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/.

[2] Press Release, Proteus Digital Health, Inc., Proteus Digital Health Announces FDA Clearance of Ingestible Sensor, July 30, 2013, https://www.proteus.com/proteus-digital-health-announces-fda-clearance-of-ingestible-sensor/. According to Proteus, their design is superior to the RFID because "[t]he IEM contains no battery, antenna or radio, but rather uses the body to power the device and to pass along the unique, pill-specific signal in a private manner that is far superior to complicated, expensive and privacy-challenged approaches like RFID." Press Release, Proteus Digital Health, Inc., Proteus Announces Issuance of U.S. Patent for Ingestible Digital Devices, July 14, 2011, https://www.proteus.com/proteus-announces-issuance-of-u-s-patent-for-ingestible-digital-devices/ (quoting Mark Zdeblick, Chief Technical Officer at Proteus and co-inventor).

[3] See e.g., Sean Gardiner, Twitter Turns Over Occupy Wall Street Tweets, WSJ.com, Sept. 14, 2012, https://blogs.wsj.com/metropolis/2012/09/14/twitter-turns-over-occupy-wall-street-tweets/?mod=google_news_blog; Brian Grow, In U.S. Courts, Facebook Posts Become Less Private, Reuters.com, Jan. 27, 2011, https://www.reuters.com/article/2011/01/27/us-facebook-privacy-idUSTRE70Q7EG20110127; Ellen Nakashima, Microsoft Fights U.S. Search Warrant for Customer E-mails Held in Overseas Server, WashingtonPost.com, June 10, 2014, https://www.washingtonpost.com/world/national-security/microsoft-fights-us-search-warrant-for-customer-e-mails-held-in-overseas-server/2014/06/10/6b8416ae-f0a7-11e3-914c-1fbd0614e2d4_story.html.

Posted by Tatiana Melnik on November 19, 2014.
