Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

OCR Announces Major HIPAA Enforcement Initiative

Posted in Cybersecurity / Data Security, Data Breach, Health IT
Elliot Golding, Stephanie Willis

The Department of Health & Human Services Office for Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR already investigates all reported breaches affecting 500 or more people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes, it is often only through the investigation that follows a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly in light of this initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

OCR’s announcement listed several factors that will influence whether a small breach is investigated:

  • the size of the breach;
  • whether theft or improper disposal of unencrypted Protected Health Information (“PHI”) occurred;
  • whether unwanted intrusions into IT systems (for example, by hacking) occurred;
  • the amount, nature and sensitivity of the PHI involved; and
  • whether the entity has reported numerous breaches involving similar issues.

OCR also notes that investigation decisions may be influenced by an entity submitting fewer breach reports than similarly situated entities. This indicates that OCR is closely analyzing the trends revealed by the annual reports of small breaches that covered entities and business associates must submit to OCR.

For more information about steps covered entities and business associates can take to improve compliance efforts, contact the authors or your regular Crowell & Moring contact.

Privacy & Cybersecurity Weekly News Update Week of August 7

Posted in Privacy
Matthew B. Welling, Harvey Rishikof, Lisa Weinert

EU Commission publishes first results of consultation of e-Privacy Directive; Irish DPA issues Guidance on Location Data.

European Commission publishes summary report on consultation of e-Privacy Directive

On August 4, 2016, the European Commission published a first summary report on the public consultation on the evaluation and review of the e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)), also known as the ‘e-Privacy’ or ‘Cookie’ Directive.

Two weeks earlier, on July 19, 2016, the Article 29 Working Party, an EU advisory body composed of representatives of the national Data Protection Authorities, had also published a detailed opinion on this issue.

The e-Privacy Directive, which contains specific rules on the processing of personal data in the electronic communications sector, needs to be aligned with the new European General Data Protection Regulation (‘GDPR’), which will replace the current EU Directive 95/46/EC as from May 25, 2018. The GDPR aims to modernize and harmonize privacy rules across Europe and is part of the European Commission’s Digital Single Market (DSM) Strategy.

Of the 421 stakeholders who responded to the consultation, more than a quarter of whom are located in Germany, a large majority (83%) agree that specific privacy rules for electronic communications are useful to ensure the confidentiality of communications. In addition, 76% of respondents believe that the Directive should also apply to so-called ‘over-the-top’ (OTT) service providers when they offer VoIP or instant messaging services. However, more than three quarters of the respondents also said that the Directive has so far achieved its aims only to a limited extent, due among other things to too little enforcement and compliance pressure.

The Commission’s conclusions from the consultation, together with proposals on how to adapt the Directive, are expected to be released later this year.

Upcoming Free Privacy/Cyber Event: Healthy Data Management Webinar

Posted in Cybersecurity / Data Security, Health IT, Privacy
Elliot Golding

On Thursday, September 8, 2016 from 1:00 PM to 2:00 PM ET, Crowell & Moring’s Elliot Golding will speak as part of a 60-minute Bloomberg BNA webinar, Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture. The panel discussion will cover the information governance life cycle for health care, life sciences, and pharmaceutical companies, from identification of sensitive data to storing and protecting that data during mergers and divestitures. The webinar is free and open to all.

Objectives:

  • Data management considerations for companies responsible for maintaining personally identifiable information (PII), protected health information (PHI), and confidential or sensitive data.
  • Unique issues that arise when highly sensitive data is involved during the merger and divestiture transaction process.
  • Strategies to develop effective policies and procedures for data life cycle management.

Privacy & Cybersecurity Weekly News Update – Week of July 31

Posted in Cybersecurity / Data Security, Data Breach, Health IT, Privacy, Social Media
Matthew B. Welling, Maida Oringher Lerner, Lisa Weinert

‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization

‘Privacy Shield’ certifications possible since August 1, 2016

On Monday, August 1, 2016, the U.S. Department of Commerce opened the registration process through which companies can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.

The Privacy Shield, formally approved by the European Commission’s adequacy decision of July 12, 2016, replaces the ‘U.S.-EU Safe Harbor’ Framework that the Court of Justice of the European Union struck down in October 2015. The national Data Protection Authorities (‘DPAs’), acting as the Article 29 Working Party (‘WP29’), have also accepted the new Framework, stating that they would not seek to challenge it “at least until the next annual review”.

Companies that sign up to the new framework now may therefore rely on it at least until next May. For more details, see our Client Alert on Privacy Shield as well as last week’s blog post.

Proposals to Protect Health Data Outside of HIPAA

Posted in Health IT, Privacy
Jodi G. Daniel, Elliot Golding, Jennifer Williams

Last month, the Office of the National Coordinator for Health Information Technology (“ONC”) sent a report to Congress highlighting the absence of adequate privacy and security safeguards for health data collected by entities not regulated by HIPAA. For a discussion of the next steps to address these privacy and security gaps, please see our recent article in Bloomberg BNA’s Health Care Policy Report.

Privacy & Cybersecurity Weekly News Update – Week of July 24

Posted in Cybersecurity / Data Security, Data Breach, Privacy
Justin Kingsolver, Harvey Rishikof, Frederik Van Remoortel, Lisa Weinert

Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.

Clinton Campaign Data Breach brings data security into 2016 campaign yet again

On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign had been hacked, the latest in a string of cyberattacks targeting political entities. The Times noted that the attacks appeared to have been carried out by Russian intelligence services. These revelations follow news of similar attacks earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.

FTC Reasserts Data Security Enforcement Powers in suit against LabMD

Late last week, the FTC issued its long-awaited final order in its case against LabMD over the company’s allegedly unfair data security practices. The FTC had charged LabMD, a clinical laboratory used by physicians, with failing to protect sensitive personal information of over 750,000 patients. An Administrative Law Judge had earlier dismissed the FTC’s complaint, holding that the FTC had not shown that LabMD’s data security practices caused, or were likely to cause, substantial consumer injury. The Commission unanimously reversed that decision.

The FTC found that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that the FTC is likely to treat the absence of any of these controls as evidence of sub-par data security practices in future enforcement actions.
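Of the controls the FTC listed, “file integrity monitoring” is the one most often misunderstood as a product rather than a simple mechanism: record a cryptographic digest of each file you care about, then periodically re-hash and diff. The following is an added example written for this post, not code from the FTC order or from LabMD; it constructs a small temporary directory tree, takes a baseline, simulates tampering (a config edit, a dropped executable, a deleted script) and reports the differences. Paths and file contents are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and size.
    Symlinks are skipped so a link pointing outside the tree cannot be used to
    smuggle a 'matching' file into the baseline."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the paths added, removed, or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario (hypothetical files): baseline a tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin").mkdir()
        (root / "bin" / "export.sh").write_text("#!/bin/sh\necho export\n")
        before = build_baseline(tmp)

        # Simulated tampering: config edited, unknown binary dropped, script deleted.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=1\n")
        (root / "bin" / "dropper").write_bytes(b"\x7fELF-not-really")
        (root / "bin" / "export.sh").unlink()
        after = build_baseline(tmp)

        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the baseline must be stored (and ideally signed) somewhere the monitored host cannot write to, otherwise whoever can alter the files can also alter the baseline; and this is after-the-fact detection, so the value comes from running it on a schedule and alerting on the diff, not from the hash itself.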

This decision follows the FTC’s 2014 victory in the Wyndham litigation, which validated the FTC’s authority to regulate data security under Section 5 of the FTC Act. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.

Privacy & Cybersecurity Weekly News Update – Week of July 17

Posted in Accessibility, Criminal Law, Cybersecurity / Data Security, Privacy
Justin Kingsolver, Harvey Rishikof, Lisa Weinert

DOJ Proposes Workaround to Microsoft Ruling; United States Joins Irish Facebook Case; St. Louis Cardinals Scouting Director Sentenced to 46 Months; EU’s Advocate General Okays National Data Retention Laws; Data Protection Authority of Hamburg Becomes “Completely Independent”; 9th Circuit Suggests Password Sharing is a Federal Crime

DOJ Seeks Legislative Circumvention of 2nd Circuit’s Microsoft Ruling

Late last week, Assistant Attorney General Peter Kadzik sent a letter to Vice President Biden (in his role as President of the U.S. Senate) asking Congress to amend the Electronic Communications Privacy Act (ECPA) to permit government warrants to reach data stored overseas. The letter responds to the Second Circuit’s ruling earlier this month in Microsoft v. United States, in which the court held that ECPA’s warrant provisions do not apply extraterritorially and in which Judge Lynch, concurring, called for congressional intervention. For more information about the Microsoft ruling, please see the Crowell & Moring “Data Law Insights” blog post detailing the court’s decision.

ECPA reform, Mr. Kadzik’s letter argued, would resolve cross-border data access issues for both domestic and foreign governments investigating criminal activity, including terrorism. The proposal seeks to change U.S. law to “authorize law enforcement to obtain electronic data located abroad.” Criticizing the Second Circuit’s decision, Mr. Kadzik noted the “significant public safety implications of the Microsoft decision.”

Privacy & Cybersecurity Weekly News Update- Week of July 9

Posted in Admissibility, Cybersecurity / Data Security, Government Agencies, Information Management, Privacy, Rules, Social Media, Transnational Discovery
Justin Kingsolver, Harvey Rishikof, Lisa Weinert

“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection

“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices

In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making its launch one of the most widely adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy: until July 12, signing in with a Google account granted the app full access to that account’s data unless users revoked the permission themselves, prompting Niantic to issue its first update, which resolved the permissions issue.

On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding that the company explain in detail the types of data Niantic collects from players, why that data “[is] necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.” Franken, who serves as Ranking Member of the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.

2nd Circuit: Government Cannot Force Companies to Hand Over Communications Data Stored Overseas

Posted in Accessibility, Criminal Law, Government Agencies, Information Management, Privacy, Transnational Discovery
Stephen M. Byers, Jeffrey L. Poston, Evan D. Wolff, Kate M. Growley, Justin Kingsolver

The Second Circuit today issued a much-anticipated ruling holding that U.S. firms cannot be compelled by a government warrant to turn over user data stored overseas. The decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling entered against it for refusing to turn over the emails of an MSN user, data that Microsoft stored in Ireland.

The decision overturns a July 2014 ruling by Judge Loretta Preska of the Southern District of New York holding Microsoft in civil contempt for refusing to turn over the foreign-stored data. To secure that 2014 contempt citation, the government had argued that § 2703 of the Stored Communications Act, the provision requiring service providers to disclose the contents of stored communications in response to a valid warrant, applies overseas. On appeal, Microsoft relied on the “presumption against extraterritoriality” the Supreme Court articulated in its 2010 decision in Morrison v. National Australia Bank: for a federal statute to reach conduct in foreign nations, Microsoft argued, Congress must clearly state its intention that it do so. The Second Circuit agreed. Finding that “[n]either explicitly nor implicitly does the statute envision the application of its warrant provisions overseas,” the panel held that the government could not use § 2703 to force companies to hand over data stored overseas.

This ruling will certainly be heralded as a significant victory for American tech firms. Dozens of the most prominent American media, telecommunications, and technology companies, as well as issue-advocacy organizations across the ideological spectrum, filed amicus curiae briefs supporting Microsoft’s appeal.

Privacy & Cybersecurity Weekly News Update- Week of July 3

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Health IT, Privacy
Justin Kingsolver, Harvey Rishikof, Lisa Weinert

Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-private partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy Act stricter; Russia introduces new data retention obligations.

Article 31 Committee approves Privacy Shield

On July 8, 2016, the Article 31 Committee finally gave its support to the adoption of the “EU-U.S. Privacy Shield”, the new framework for transatlantic data transfers.

For more details, please see our latest client alert here.

House Defunds FCC’s Data Privacy Efforts for Broadband Providers

On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations for broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, accompanies a cut to the FCC’s funding of more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, argued that the measure was necessary to reassert the Federal Trade Commission’s status as the primary federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”

The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data about customers’ online activities may be collected and used, and to obtain customer consent for certain uses. The proposed rules represented the FCC’s first major attempt to regulate broadband providers’ privacy practices after its February 2015 decision to reclassify broadband as a common-carrier telecommunications service, i.e., to treat it as a public utility. Several broadband providers had publicly expressed reservations about the rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.
