Information Management

With Memorial Day unofficially kicking off summer, those keeping up on recent changes to state data breach laws are eyeing their calendars, as a series of state amendments are due to come into effect.  Beginning on July 1, both Nevada and Wyoming will expand their definitions of personal information.  One month later on August 1, North Dakota will follow suit, slightly limiting its definition of personal information but expanding its reporting duties.  Key takeaways from the state amendments are detailed below.

The states’ legislative actions will likely up the ante at a time when Congress is considering a national data breach notification standard.  The recent flurry of activity reflects the states’ growing interest in how data breaches affect their residents.  Even in the face of national legislation, that interest is unlikely to subside.
Continue Reading Three State Data Breach Laws Set to Change This Summer

In an open letter to President Obama, 143 of the nation’s most well-known businesses, trade associations, academics, and organizations urged the President to promote strong encryption technologies. The letter was prompted by recent law enforcement (including the FBI and NSA) advocacy for built-in government access to encrypted data despite a December 2013 recommendation by the President’s Review Group on Intelligence and Communications Technologies to support encryption without such vulnerabilities.

As the letter states, strong encryption helps protect individuals and organizations from street criminals pilfering information from stolen devices; computer criminals from defrauding individuals to steal their identities; corporate spies from stealing trade secrets; repressive governments from stifling dissent; and foreign intelligence agencies from stealing national security secrets. The letter argues that any attempt to provide law enforcement with an encryption key leaves individuals and companies vulnerable to such bad actors.
Continue Reading Technology Coalition tells the President: Encryption Back Doors are a Bad Idea

One year ago, data broker Spokeo, Inc. asked the Supreme Court to reconsider the Ninth Circuit’s revival of a putative class action against it for willfully violating the Fair Credit Reporting Act (“FCRA”) by publishing personal information without notice.  This week, the Court heeded that request, granting certiorari.  In doing so, it has paved the way for yet another decision by the highest court on how the issue of standing plays out in the context of privacy violations.

Plaintiff Thomas Robins sued Spokeo under the FCRA after the data broker allegedly published false information about him without his knowledge.  Interestingly, Robins claims that the information falsely stated that he had more education than he actually did and that he was in a better financial position than he actually was.  But according to Robins’s complaint, these false facts made it more difficult for him to find employment, credit, or insurance and thus caused actual harm.  He seeks to represent a class of individuals whose personal information has been similarly misstated. 
Continue Reading Supreme Court to Consider Congressionally-Conferred Privacy Breach Standing

On April 22, 2015, Cornell Prescription Pharmacy (Cornell), a small pharmacy with a single location in the Denver, Colorado area, agreed to settle potential violations of the HIPAA Privacy Rule with the Department of Health and Human Services Office for Civil Rights (“OCR”).  The settlement requires Cornell to pay a $125,000 fine and agree to implement a Corrective Action Plan (“CAP”).  The settlement is the result of an OCR investigation commenced after OCR received a tip from a local news outlet that Cornell had improperly disposed of documents containing Protected Health Information (PHI) of its patients.  In the course of the investigation, OCR discovered that Cornell had left documents containing PHI of 1,610 patients in a publicly-accessible dumpster without shredding the information.  The investigation also revealed that Cornell had not implemented any written policies and procedures or trained its workforce as required by the HIPAA Privacy Rule.  Thus, in addition to the fine, the CAP requires Cornell to draft policies and procedures governing the security, use, and disclosure of PHI, to train its workforce on those policies, and to report to OCR periodically on the progress of those efforts.
Continue Reading OCR Fines Pharmacy Over Potential Violation of HIPAA Privacy Rule

Crowell & Moring would like to invite government contractors to ring-side seats for the fight of the year – Congress v. the White House.  This year’s Ounce of Prevention Seminar (OOPS) will focus on the dynamic interplay between the opposite ends of Pennsylvania Avenue and how it will ultimately impact government contractors across the industry.  

Smaller health care practices and providers now have another reason to bookmark the website of the Office of the National Coordinator for Health Information Technology (ONC).  Yesterday, the ONC published Version 2.0 of its “Guide to Privacy and Security of Electronic Health Information” (the Guide).  Overall, the 62-page Guide provides health care providers with “plain English” explanations of their privacy and security-related obligations under the Health Insurance Portability and Accountability Act (HIPAA) and in relation to the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs).  Of note, this version of the Guide addresses:
Continue Reading ONC’s Privacy & Security Guide Updates Information on HIPAA Rules & EHR Incentive Program

On April 7, 2015 the Federal Trade Commission (FTC) announced two new U.S.-EU Safe Harbor cases. TES Franchising, LLC and American International Mailing, Inc. have agreed to settle FTC charges that the companies falsely claimed they were abiding by the U.S.-EU Safe Harbor Framework, a voluntary but enforceable framework that enables U.S. companies to transfer personal data from the European Union to the United States in compliance with the EU data protection directive’s adequacy requirement.

According to the TES settlement, TES allegedly deceived consumers about the nature of its dispute resolution procedures by noting on its website that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. Aside from the fact that it would be nearly impossible to argue that a dispute resolution process like that is “readily available and affordable,” as the Safe Harbor Framework requires, the TES policy also allegedly failed to align with the TES Safe Harbor certification filing, which stated that TES would resolve disputes through the European data protection authorities, a process which does not require in-person hearings and which costs the consumer nothing. Finally, the FTC complaint notes the alleged misrepresentation by TES that it was a licensee of TRUSTe’s privacy compliance products when in fact TES was not a licensee of TRUSTe.
Continue Reading FTC dives deeper on U.S.-EU Safe Harbor enforcement

In conjunction with his remarks at the White House Summit on Cybersecurity at Stanford University earlier this month, President Obama signed Executive Order 13691, entitled “Promoting Private Sector Cybersecurity Information Sharing.”  Published in the Federal Register last week, the Order is intended to encourage and facilitate cybersecurity information sharing within the private sector, and

Beginning August 1, 2015, New Jersey health insurers must encrypt personal information maintained on their computer systems and transmitted through public networks, or face civil penalties and fines under the state’s newly enacted Senate Bill No. 562 (“SB 562”). While SB 562’s requirements will have broad applicability to a wide range of “end user computer

President Obama recently proposed several new laws reflecting the administration’s increased focus on privacy and cyber issues. The proposals seek to create a consistent national data breach notification law (to replace the current patchwork of 47 state laws), to encourage cyber threat information sharing, and to update cybercrime enforcement. Although immediate reactions to the proposed