Hospital pays $2.1MM HIPAA settlement; Dynamic IP addresses protected under EU laws; EU guidance on GDPR coming soon; California’s new privacy compliance tool; banking regulators consider cybersecurity; FCC privacy proposal comments; OMB’s new privacy office; DFARS finalizes Safeguarding Rule

Hospital pays $2.1M to settle alleged HIPAA violations

St. Joseph Health, a California-based health system, reached an agreement this week to pay $2.1 million to settle alleged HIPAA violations based on the public exposure of patients’ health records in 2011 and 2012.  The HHS Office of Civil Rights (OCR) investigated the potential violation in 2012, after St. Joseph reported that a server malfunction inadvertently caused protected health information to be accessible and searchable via online search engines such as Google.  According to OCR, the server St. Joseph purchased to store patient information included a file sharing application that, by default, permitted access by “anyone with an internet connection.”  This settlement with HHS follows a $7.5 million settlement, reached earlier this year, of a class action filed on behalf of the affected patients.

This is yet another example of HHS’ focus on privacy and cybersecurity compliance.  Perhaps more importantly, and in light of the recent HHS guidance regarding HIPAA and cloud computing, the underlying facts illustrate the importance of actively managing cloud storage and other vendor services to minimize potential information exposure, data breaches, and regulatory violations.

ECJ rules that IP addresses are protected personal data under EU laws

On October 19, 2016, the European Court of Justice decided on a preliminary request in the framework of proceedings between Mr. Patrick Breyer and Germany concerning the registration and storage by the German authorities of the dynamic internet protocol address (“IP address”) allocated to Mr. Breyer when he accessed certain internet websites of German Federal institutions.

One of the questions raised was whether an IP address which an online media service provider stores when its website is accessed constitutes “personal data” for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject.

This question concerns the definition of “personal data,” which is “any information relating to an identified or identifiable natural person (“data subject”).”

According to the Court, it is common ground that a dynamic IP address does not constitute information relating to an “identified” natural person, since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.

It therefore had to be assessed whether such an IP address may be treated as data relating to an “identifiable” natural person.

German law does not seem to allow the internet service provider to transmit directly to the online media services provider the additional data necessary for the identification of the data subject, but, subject to verifications to be made in that regard by the referring court, it appears that, in particular in the event of cyber-attacks, legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.  Hence, according to the Court, it appears that the online media services provider who operates the website has the means which “may likely reasonably be used” in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider.  The dynamic IP address is therefore to be considered “personal data” for the service provider.

The European Court’s decision confirms the broad reach of the concept of “personal data” in the EU.  Online companies, such as search engines, social media platforms and others should therefore reassess their policies and consider that, even though they may not be able to identify the visitor on the basis of that information alone, the collected data may be considered personal in view of the possible additional information of third parties that renders the data subjects “identifiable.”

EU guidance on the GDPR coming soon

Isabelle Falque-Pierrotin, the chairwoman of the Article 29 Working Party, has confirmed that the Article 29 Working Party’s initial guidance on specific topics of the new EU General Data Protection Regulation (GDPR), in particular with respect to enforcement, the appointment of a DPO and data portability, is expected to be released before the end of 2016.  In 2017, there will likely be further guidance on consent and the Privacy Shield.

California creates online portal for reporting privacy violations

The California Attorney General’s office announced a new online form that consumers can use to report companies that violate the California Online Privacy Protection Act (CalOPPA) by failing to conspicuously post privacy policies governing use of websites and mobile applications.  Under CalOPPA, website and app operators must identify information collection, third parties with whom the operator may share information, instructions on how consumers can request changes to the information, how the operator treats “do not track” requests, and whether third parties can collect personally identifiable information from users.  According to the California Attorney General’s office, this “online tool allows consumers to ‘crowdsource’ privacy policy violations, exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”

In conjunction with this online reporting form, the California Attorney General is also partnering with an initiative at Carnegie Mellon University to identify mobile applications that violate CalOPPA.  The joint effort is focused on creating a tool that compares policies of mobile apps and the apps’ actual data collection practices.

This two-pronged approach is likely to lead to increased scrutiny in California.  Companies that fall within CalOPPA’s reach should continue to be proactive and ensure their privacy policies are clear, conspicuous, and actually reflect the operation of the relevant website or app.

Federal banking regulators consider cybersecurity rules

A proposal by three federal banking agencies suggests the agencies may establish requirements aimed at preventing and mitigating the effects of cyberattacks on financial institutions.  The Federal Reserve, Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency jointly drafted an advance notice of proposed rulemaking (ANPR) that takes a significant step toward imposing on “the largest and most connected entities under their supervision” certain standards designed to prevent cyberattacks from spreading to other firms and allow compromised firms to recover from an attack within hours.

The ANPR suggests the standards would be imposed in a “tiered” manner, such that more stringent rules would apply to entities “that are critical to the functioning of the financial sector.”  Any enhanced standards “would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

These potential rules would address various aspects of cybersecurity planning.  One proposal is that institutions have a written cyber risk management strategy approved by the board and implemented into the institution’s overall business strategy.  Another proposal would require covered entities to create and implement a plan to have sector-critical systems recover from disruptive or destructive attacks within two hours.  Covered entities may also be required to identify and implement methods of preventing malware from spreading from a compromised system to any other connected system.  The period for public comment ends January 17, 2017.

Given the debate about the propriety of creating standards that may be too restrictive or quickly outdated, there will likely be comments that push back on some of the specific proposals.  Even so, there may be great value in revisiting—or creating, if necessary—cyber risk management plans to ensure they consider and address concerns identified in the ANPR.  Before following any of the proposed rules, however, potentially affected companies may be well served by waiting to see how, if at all, the proposals are finalized and implemented.

Legislators, stakeholders weigh in on FCC broadband privacy proposal

Multiple parties are weighing in on the Federal Communications Commission’s (FCC) proposed rules for broadband providers regarding collection and use of consumers’ information.  Earlier this month, Sen. Edward Markey of Massachusetts expressed his support of the proposal’s requirement that internet service providers obtain consumer consent before sharing sensitive data.  Sen. Markey also agreed with the FCC’s proposal to consider as sensitive data information regarding web browsing and app usage.  Privacy advocates and interest groups also support these aspects of the FCC proposal.

In the last week, representatives from broadband providers and trade associations expressed the opposite view, stating that the category of sensitive information is too broad in its inclusion of, among other things, geolocation and app usage data.  Opponents of the proposal also believe the FCC’s rules would effectively create a rigid opt-in regime that overly restricts providers in offering services to consumers.

OMB announces new privacy office

The Office of Management and Budget (OMB) announced the creation of a privacy branch in the Office of Information and Regulatory Affairs (OIRA), which is part of OMB.  The OIRA’s office will focus on coordinating federal privacy policies and strategies, identifying areas requiring government-wide solutions, and overseeing and evaluating initiatives that concern government collection of private information from the public.

New DFARS Safeguarding Rule Published

On October 21, 2016, the Department of Defense finalized the Defense Federal Acquisition Regulation Supplement’s (DFARS) Safeguarding Rule regarding the protection of “covered defense information” provided to or generated by defense contractors.  The Final Rule mostly aligns with the interim rule first issued almost three years ago.  The significant changes include:  (a) the expansion of “covered defense information” to include all “controlled unclassified information,” (b) the application of FedRAMP security requirements to any external cloud service that houses covered defense information, and (c) a requirement that subcontractors notify prime contractors when requesting variance from NIST security controls.