Data Breach Liability Requires Actual Misuse; More U.S.-EU Data Transfer Uncertainty; Airline App Exempt from State Privacy Law; Pending Cyber Bill Would Create Consortium; Encryption-Related Deceptive Advertising Settlement; PayPal Fined for Deceptive Trade Practices

The Spokeo effect: data breach claims require actual examples of information misuse

Last week, a federal court dismissed claims alleging harm from a hospital data breach, on the grounds that the plaintiff failed to allege more than the mere threat of injury.  In Khan v. Children’s National Health System, No. 8:15-cv-2125 (D. Md.), the plaintiff alleged that phishing attacks compromised hospital employees’ email accounts containing patient information, including social security numbers, addresses, dates of birth, and other private healthcare information.  The court held that the plaintiff lacked standing and could not proceed in federal court because the plaintiff failed to allege either specific instances of misuse from the particular breach at issue or “a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”

The court’s reasoning also demonstrates the favorable impact that this month’s Supreme Court decision in Spokeo v. Robins may have for defendants in data breach actions.  The Khan opinion explained that a mere violation of a statute does not necessarily create the “concrete harm,” such as actual misuse of information, required by Spokeo.  Although it remains to be seen what the Ninth Circuit does with Spokeo on remand and how Spokeo will impact future cases, it seems likely that federal courts will continue to be inclined to disfavor claims where the harm alleged is the “diminished value” of personal information, a general loss of privacy, or simply a technical statutory violation.

The Panama Papers Leak – An overview of history’s biggest data leak; Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield; EU: GDPR and PCJ DPD about to be approved next week – final consolidated text published by Council; US: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits; U.S. Sneak News: Defend Trade Secrets Act, NPRM and Sony Settlement Approval. EU: GDPR, PCJ DPD and PNR Directive adopted by Parliament; U.S.: House Judiciary Committee approves E-Mail Privacy Act; Senate to require airlines to report cyberattacks; FTC issues online tool identifying applicable law for health apps; Global: Turkey releases first comprehensive Data Protection law; Connected cars found vulnerable to cyberattacks; Data Breaches May Waive Attorney-Client Privilege?; Encryption Continues to Dominate Privacy Headlines; Hospital Settles with HHS for $ 2.2 Million in HIPAA Action; Southern District of New York Adds Ransomware Conspirator to Hacking Case; European and Canadian Data Protection Authorities Investigate IoT Devices; Norway Requires Data Breach Notification for Individuals

The Panama Papers Leak – An overview of history’s biggest data leak

On April 3, 2016, reports revealed that a set of 11.5 million confidential documents (“the Panama Papers”), providing detailed information about more than 200,000 offshore companies connected to the Panamanian legal service provider Mossack Fonseca, had been made available to the German daily newspaper Süddeutsche Zeitung by an anonymous source in 2015.

The documents, which form part of the biggest data leak in history, reveal (potential) exploitation of offshore tax regimes and use of offshore structures for other illegal purposes, such as fraud or drug trafficking. Those concerned include not only large companies but also 143 politicians, among them twelve national leaders, as well as celebrities, government officials and other law firms. Given the scope of the leak, the Süddeutsche Zeitung involved the International Consortium of Investigative Journalists (ICIJ) and about 400 other journalists in 76 different countries to investigate and analyze the documents. ICIJ has promised to publish a full list of the companies involved in early May 2016.

Mossack Fonseca, the firm whose data was leaked, defended its commercial conduct, stating that it has always complied with applicable laws and carried out thorough due diligence on its clients. However, the leak will have a huge impact on the offshore business, as the biggest selling point of this business, secrecy, has been massively cracked.

Yesterday, Crowell & Moring hosted an International Association of Privacy Professionals (IAPP) KnowledgeNet featuring the Federal Trade Commission’s (FTC) new Chief Technologist, Lorrie Cranor.

In her short time at the FTC, Cranor has already made waves by encouraging companies to rethink mandatory password changes.  At the event, Cranor spoke about the focus of her

Uncertainty surrounding the U.S.-EU Safe Harbor (Safe Harbor) replacement, the EU-U.S. Privacy Shield (Privacy Shield), will remain for now. On April 13, 2016 the European Union (EU) Article 29 Working Party (WP29) comprised of all 28 EU member state data protection authorities (DPAs) announced its official but non-binding opinion on the European Commission’s (EC) draft

On Tuesday, the FTC simultaneously released a “Mobile Health App Interactive Tool” and “Best Practices,” to help mobile health app developers navigate the maze of federal regulation, including data privacy regulation.  The tool walks developers through a series of high level questions about the nature of their app, and uses the

FCC Adopts a NPRM for Privacy Proposal; FTC Chairwoman Wants IoT Threat Addressed; Consumer Reports Hit with Privacy Class Action; DOJ Accesses Shooter’s Phone and Drops Apple Suit

FCC Adopts a NPRM for Privacy Proposal

On Thursday, March 31, in a 3-2 party-line vote, the FCC advanced a Notice of Proposed Rulemaking (NPRM) for broadband privacy. The proposed rules would restrict ISPs’ use of basic consumer data and require consumer consent for certain types of data collection.  Although ISPs under the rule could still collect basic consumer data to market communications-related services to subscribers, ISPs would have to allow users to opt out of that data collection.  On the other hand, ISPs would have to require users to opt in to the use and sharing of other types of data, such as browsing history and physical location.  Under the proposed rules, providers are also required to disclose to consumers how their data is used or shared.  Some have criticized the proposed rules, arguing that they have the potential to create an uneven enforcement regime, as companies could face differing FCC and FTC standards.

FTC Chairwoman Wants IoT Threat Addressed

On Thursday, March 31, FTC Chairwoman Edith Ramirez urged manufacturers of Internet of Things (IoT) devices to “design devices that take into consideration unexpected uses of their IoT data, and the potential for misuse.” In a speech at the American Bar Association’s conference on IoT in Washington, DC, Chairwoman Ramirez outlined a series of steps that she recommends manufacturers take as they develop new IoT technology.  Drawing on common privacy practices, Chairwoman Ramirez advised manufacturers to provide consumers with clear notice of data collection practices and to allow consumers to opt in or out of particular data collection practices.  She also encouraged manufacturers to build security into devices from the outset and keep track of issues through a device’s life cycle.   The FTC plans to hold a series of workshops this fall to look at a series of issues arising from new technology, such as smart televisions and UAVs.

OCR Launches Next Round of HIPAA Audits; French Privacy Office Levies € 100,000 Fine on Google; SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy; FTC and Canadian Regulator Execute Anti-Spam MOU; FTC Commissioner Announces She Will Step Down

OCR Launches Next Round of HIPAA Audits

Last Monday, following much anticipation, the Department of Health and Human Services OCR announced Phase 2 of its audit program to measure compliance with the patient privacy provisions of HIPAA. This audit follows OCR’s pilot audit of 115 Covered Entities and will likely examine 200 additional Covered Entities. For more information about what entities can expect, read Elliot Golding’s March 23 post.

French Privacy Office Levies € 100,000 Fine on Google

The French data protection authority (CNIL), one of the most active privacy regulators in Europe, fined Google € 100,000 for “failure to comply with the obligation to respect the rights of individuals to erase data” under the European “right to be forgotten.”  In May 2014, the European Court of Justice ruled that the compilation of Google search result links was “data processing,” and, as such, search engines should remove links at the request of data subjects.  The CNIL faulted Google for only removing links from searches that originated from EU IP addresses and not delisting across all “Google Search” extensions.

SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy

The SEC secured settlements, totaling almost $18 million, with seven defendants accused of participating in a scheme to trade on hacked newswire information. These seven defendants are part of a larger alleged scheme of 32 defendants who, over five years, hacked newswires to obtain earnings announcements before they were released and then distributed and traded on those stolen statements. The government has also brought a parallel criminal action against some of the 32 defendants in the District of New Jersey and has stayed a massive civil suit based on the same hacking scheme.  The $18 million in recent SEC settlements comes on the heels of a $4.2 million SEC settlement with Concorde Bermuda Ltd., also accused of taking part in the scheme.

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has finally announced it is starting Phase 2 of its audit program.  OCR previously conducted a pilot audit of 115 Covered Entities in 2011-2012 to assess controls and processes.  Building on that experience, OCR will target approximately 200 Covered Entities and Business Associates in Phase 2.  Here is what entities can expect:

What: The audits will largely be “paper” reviews of policies and procedures, but will also include some on-site visits.  OCR indicates that it is “enhancing” its prior audit protocol, which OCR has already edited, based on changes in the Omnibus Rule.  OCR will first conduct desk audits of Covered Entities followed by a second round of desk audits for Business Associates (though these audits may also include site visits). A third set of audits will be conducted primarily onsite and will consider a broader range of issues than covered with the desk audits.  Some entities subject to a desk audit will also receive an onsite audit.  The audits will cover HIPAA only, not state privacy and security rules.

How: If selected for a desk audit, the timeline will generally be: (1) entities have 10 business days to provide requested documents electronically through a secure portal; (2) OCR will prepare draft findings; (3) auditees will have 10 business days to review and return written comments to OCR regarding the draft findings; and (4) OCR will complete a final audit report within 30 days of receiving comments back from the auditee.  Onsite audits will be more comprehensive than desk audits and will typically last 3-5 days.  In Phase 1 of the audit program, OCR typically provided 30-90 days advance notice, but has not indicated how much notice will be provided for Phase 2.  Like desk auditees, onsite auditees will have an opportunity to respond to OCR’s preliminary findings before a final report is prepared.

OCR Announces a Settlement … Again; HHS Eases Restrictions on Mental Health Information Sharing to Facilitate Gun Control Efforts; Facebook: Users Lack Standing in Cookie MDL; Plaintiffs Argue for Summary Judgment in $5 Million Twitter TCPA Suit

OCR Announces a Settlement … Again

For the second time this week, OCR announced another huge settlement. The