Leigh Colihan

Discussion headlines: UMass settles alleged HIPAA violations; FCC combatting robotexts and robocalls; TCPA class certification; failed investor suit over data breach; UK surveillance bill became law

UMass pays $650,000 to settle alleged HIPAA violations

The University of Massachusetts Amherst (UMass) reached an agreement to pay $650,000 to settle alleged HIPAA violations based on the disclosure of electronic protected health information (ePHI) of 1,670 individuals.  In June 2013, UMass reported to HHS’s Office of Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (Center) was infected with a malware program, which infiltrated the system because UMass did not have a firewall in place.  Mistakenly believing that the Center was not a covered health care component, UMass failed to put in place policies and procedures at the Center to ensure compliance with HIPAA.  In effect, UMass failed to designate all of its health care components when it “hybridized.”  A hybrid entity is an entity that performs both covered and non-covered functions as part of its business.  Universities that also double as health care providers can elect to become a “hybrid entity,” and thereby have functions that fall outside the scope of HIPAA.  To do so, universities must designate in writing the components that perform functions covered by HIPAA.  While hybridization is a convenient option for legal entities that perform both covered and non-covered functions, it is important to scrutinize each of the business operations to determine whether it meets the definition of a covered entity.  This settlement suggests that OCR might be scrutinizing more hybrid entities in the future.

FCC clarifies restrictions on robocalls and robotexts

The Federal Communications Commission issued an Enforcement Advisory on November 18th to explain its position on autodialed text messages or “robotexts.”  Last year, the FCC expanded the definition of “automatic telephone dialing systems” under the Telephone Consumer Protection Act of 1991 (“TCPA”).  Since the change, the FCC has issued a series of clarifications.  The Advisory clarifies that the TCPA bars autodialed calls or texts to cellphones or mobile devices unless prior express consent is provided, and that the robotext sender has the burden of proving that it had prior express consent.  The mere presence of a consumer’s wireless number on a contact list does not, by itself, establish consent to receive robotexts.  Recipients can revoke their consent using any reasonable method.  Unless they obtain concrete consent from their customers, companies are foreclosed from using text messages to advertise their products.  And proving that a company obtained consumer consent can be difficult, especially since consumers can revoke their consent.

The agency is also focused on taking robocall and robotext enforcement beyond US borders. The FCC has partnered with international law enforcement agencies to combat robocall scams.  On November 21st, Enforcement Bureau Chief Travis LeBlanc published a blog post in which he claimed unsolicited calls and text messages are a “global problem” and that they are “more than just a nuisance these days.”  They are used to commit criminal fraud and phishing fraud.  The FCC recently signed a Memorandum of Understanding (MOU) with Canada and members of the Unsolicited Communications Enforcement Network, which will allow participating agencies to share enforcement data.  The FCC continues to be focused on implementing consumer-focused initiatives and seems intent on aggressively cracking down on any robotext or robocall abuses.  It appears the FCC is using the telecommunications arena to illustrate its ability to regulate in the privacy/cybersecurity space.

TCPA plaintiff denied class certification

Suits alleging TCPA violations often take the form of a class action lawsuit, and defendants can sometimes successfully challenge the suit through class certification. In a suit against Dick’s Sporting Goods Inc., U.S. District Judge Cormac J. Carney allowed the suit to go forward but denied the request for class certification.  The judge concluded that the plaintiff “alleg[ed] a concrete and particularized injury by laying out the elements of a TCPA violation,” but failed to present evidence that he was a suitable class representative.  The crux of Dick’s defense, the court concluded, would be centered on whether the plaintiff did or did not sign up for its mobile alert programs.  Therefore, the focus will be on issues and defenses unique to the plaintiff and not on the claims of the class.  This case demonstrates that defendants may be able to avoid class certification by placing emphasis on facts illustrating individualized issues, including consent.  Since proving lack of consent is an element of a TCPA claim, the issue of whether the entire class provided (or did not provide) consent can be problematic for a plaintiff.

Home Depot executives avoid investor suit

On November 29th, a Georgia federal judge ruled that investors in The Home Depot Inc. could not pursue a shareholder derivative lawsuit against members of the board of directors relating to the 2014 customer data breach.  Two shareholders filed suit in August 2015 alleging that current and former members of the board breached their duty of loyalty by failing to implement safeguards against a security breach or take measures to address one.  The shareholders could not prove beyond a reasonable doubt that the board “consciously failed to act in the face of a known duty to act,” which, according to the judge, “is an incredibly high hurdle for plaintiffs to overcome.” The shareholders simply alleged that the board moved too slowly to address the security breach, which was insufficient to show a breach of loyalty or a waste of corporate assets.  The court acknowledged that the board could have done more, but it was protected by the Business Judgment Rule—a judicially created presumption that, in making business decisions, directors act on an informed basis and in the best interest of the company.  The court’s ruling illustrates the high evidentiary burden that plaintiffs face in seeking to pursue fiduciary claims against directors following a data breach.

UK surveillance bill became law

On November 29th, a British surveillance bill—the Investigatory Powers Act 2016—became law after receiving royal assent.  The law requires communications companies to retain records such as users’ browser history for a year and permits authorities to see which websites individuals have visited, including apps or social media accessed on a smartphone.  The law also outlines, for the first time, rules governing authorities’ powers to hack computers to gain access to communications.  Opponents claim the bill permits mass surveillance without proper oversight.  Home Secretary Amber Rudd called the act “world-leading legislation” that is essential to combat terrorism.  This is another example of the growing requirements placed on telecommunications companies from government surveillance efforts.