FTC Settles IoT Enforcement Action; HHS Releases HIPAA/NIST Crosswalk; HHS Provides FAQs on Patient Fees for PHI Release; Judicial Redress Act Becomes Law

FTC Identifies Reasonable Security Measures Through IoT Enforcement Action

The Federal Trade Commission (FTC) settled charges with ASUSTek Computer, Inc. (ASUS), a manufacturer of home router and home networking (or “home cloud”) equipment, related to the security of the devices. According to the settlement, ASUS advertised that its home routers and networking equipment could protect the connected computers “from any unauthorized access, hacking, and virus attacks.” The FTC alleged, however, that ASUS did not secure data in a reasonable way and instead exposed consumers to hackers. The settlement emphasizes the FTC’s interest in securing devices connected to the Internet of Things (IoT) and provides additional guidance regarding the FTC’s view of “reasonable” security.Continue Reading Privacy & Cybersecurity Weekly News Update

California AG Defines “Reasonable Security;” Apple Opposes FBI Hack Request; Russia to Enforce Data Localization with (Surprise) Audits; HHS Helps Health App Developers Determine if Subject to HIPAA; Carrier IQ Agrees to $9M Data Leak Settlement

California AG Defines “Reasonable Security”

California Attorney General (AG) Kamala Harris published the 2016 “California Data Breach Report,” which lays out what the state believes to be “reasonable security” for the purpose of California’s law that requires protecting personal information.

This is the first time California has recommended an external industry standard as a baseline “reasonable security” requirement. According to the California AG, the chosen standard (Center for Internet Security’s (CIS) Critical Security Controls (formerly known as the SANS Top 20)), is a consensus list of the “best defensive controls to detect, prevent, respond to, and mitigate damage from cyber attacks,” and is updated periodically to keep up with technology. The FTC has previously recommended using industry standards, but did not go as far as California in prescribing a particular one.Continue Reading Privacy & Cybersecurity Weekly News Update

President announces cybersecurity action plan; Congress passes Judicial Redress Act; French DPA notice provides compliance guidance; and FCC set to enforce CPNI rules.

President Obama Announces Cybersecurity Action Plan

The President announced his Cybersecurity National Action Plan (CNAP) this week, with a FY 2017 Budget proposal that includes $19 billion on CNAP initiatives – a 35 increase in cybersecurity spending over his FY 2016 budget. While the CNAP focuses on the private sector’s role in shoring up the nation’s cybersecurity, it contemplates only voluntary activities and does not impose obligations on the private sector. The CNAP includes plans to expand support for critical infrastructure, improve cyber hygiene, enhance cyber incident response, establish the Commission on Enhancing National Cybersecurity, modernize government IT and governance, and develop cybersecurity technology and workplace skills. To read more about the proposals and what it means for companies, please see our Client Alert on the CNAP.Continue Reading Privacy & Cybersecurity Weekly News Update

HHS proposes new substance abuse information confidentiality rules; HHS releases PHI disclosure fact sheets; U.S.-EU Safe Harbor replacement announced; OCR levies civil monetary penalties; and FTC settles charges with technology company for installing apps without consent.

HHS Proposes Update to Substance Abuse Confidentiality Rules

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules (42 C.F.R. Part 2), which were last substantively updated in 1987. The proposed updates are intended to help health care providers improve integrated care efforts in the electronic environment. For further information, see our C&M Health Law blog post on the topic.Continue Reading Privacy & Cybersecurity Weekly News Update

For only the second time in its history (following the $4.3 million Cignet case) the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability (HIPAA) Privacy Rule.

Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).

The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.Continue Reading OCR Levies Second Ever HIPAA Civil Monetary Penalty

Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).Continue Reading EU Member States to Investigate EU-U.S. Transfers That Rely Solely on Invalidated Safe Harbor: Starting Now

The European Commission (EC) and U.S. Department of Commerce (DOC) announced today that they have replaced the invalidated U.S.-EU Safe Harbor framework with an updated transatlantic framework which adds several new layers of transparency and oversight.

Though the text of the agreement will not be available for a few weeks, both parties announced a number

U.S.-EU Safe Harbor renegotiation misses deadline; FDA provides medical device design guidance; FTC settles false advertising claim with health care software vendor over encryption.

U.S.-EU Safe Harbor Renegotiation Misses Deadline

The deadline for the U.S.-EU Safe Harbor renegotiation, set by the EU Data Protection Authorities (DPAs) after the October 2015 invalidation of Safe Harbor was January 31. The EU DPAs have a meeting scheduled for February 2 to discuss the results of the renegotiation. Final terms of the new EU-U.S. data flows framework are reportedly on the table.

On February 1, the European Commission announced to the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the deadline had not been met, but once again stated that the parties are very close to an agreement. EU Commissioner Věra Jourová told the Parliament committee, “I believe the close relationship between the United States and European Union deserves these special efforts. We are close but an additional effort is needed.”

The DPAs have already begun discussing collaborative enforcement actions against companies that continue to rely solely on the invalidated Safe Harbor. The DPAs are expected to clarify their plans at their February 2 meeting, and at that meeting certain DPAs are expected to call for the collective halt to all data flows to the U.S. if a new U.S.-EU framework is not available.Continue Reading Privacy & Cybersecurity Weekly News Update

Crowell & Moring LLP is pleased to release its “2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year.” The reports examine the trends and developments that will impact corporations in the coming year—from the last year of the Obama administration to how corporate litigation strategy is transforming from the inside out. This year will bring remarkable change for companies, as market disruptions and the speed of innovation transform industries like never before, and the litigation and regulatory environments in which they operate are keeping pace.
Continue Reading Crowell & Moring’s 2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year