California AG Defines “Reasonable Security;” Apple Opposes FBI Hack Request; Russia to Enforce Data Localization with (Surprise) Audits; HHS Helps Health App Developers Determine if Subject to HIPAA; Carrier IQ Agrees to $9M Data Leak Settlement

California AG Defines “Reasonable Security”

California Attorney General (AG) Kamala Harris published the 2016 “California Data Breach Report,” which lays out what the state believes to be “reasonable security” for the purpose of California’s law that requires protecting personal information.

This is the first time California has recommended an external industry standard as a baseline “reasonable security” requirement. According to the California AG, the chosen standard, the Center for Internet Security’s (CIS) Critical Security Controls (formerly known as the SANS Top 20), is a consensus list of the “best defensive controls to detect, prevent, respond to, and mitigate damage from cyber attacks,” and is updated periodically to keep up with technology. The FTC has previously recommended using industry standards, but did not go as far as California in prescribing a particular one.

Continue Reading Privacy & Cybersecurity Weekly News Update

President announces cybersecurity action plan; Congress passes Judicial Redress Act; French DPA notice provides compliance guidance; and FCC set to enforce CPNI rules.

President Obama Announces Cybersecurity Action Plan

The President announced his Cybersecurity National Action Plan (CNAP) this week, with a FY 2017 Budget proposal that includes $19 billion on CNAP initiatives – a 35 percent increase in cybersecurity spending over his FY 2016 budget. While the CNAP focuses on the private sector’s role in shoring up the nation’s cybersecurity, it contemplates only voluntary activities and does not impose obligations on the private sector. The CNAP includes plans to expand support for critical infrastructure, improve cyber hygiene, enhance cyber incident response, establish the Commission on Enhancing National Cybersecurity, modernize government IT and governance, and develop cybersecurity technology and workplace skills. To read more about the proposals and what they mean for companies, please see our Client Alert on the CNAP.

Continue Reading Privacy & Cybersecurity Weekly News Update

On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here), outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).

Continue Reading Facebook Hit with French Data Protection Authority Action – Including a Safe Harbor Count

HHS proposes new substance abuse information confidentiality rules; HHS releases PHI disclosure fact sheets; U.S.-EU Safe Harbor replacement announced; OCR levies civil monetary penalties; and FTC settles charges with technology company for installing apps without consent.

HHS Proposes Update to Substance Abuse Confidentiality Rules

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules (42 C.F.R. Part 2), which were last substantively updated in 1987. The proposed updates are intended to help health care providers improve integrated care efforts in the electronic environment. For further information, see our C&M Health Law blog post on the topic.

Continue Reading Privacy & Cybersecurity Weekly News Update

For only the second time in its history (following the $4.3 million Cignet case), the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).

The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.

Continue Reading OCR Levies Second Ever HIPAA Civil Monetary Penalty

Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and/or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).

Continue Reading EU Member States to Investigate EU-U.S. Transfers That Rely Solely on Invalidated Safe Harbor: Starting Now

The Article 29 Working Party (WP29), consisting of the data protection authorities (DPAs) of all 28 European Union (EU) Member States, met February 2-3 to discuss the future of EU-U.S. data flows. The meeting coincided with an end-of-January deadline that WP29 had set for the European Commission and U.S. Department of Commerce to provide a replacement for the invalidated U.S.-EU Safe Harbor framework (Safe Harbor). Fortunately, the European Commission announced the successful conclusion of those negotiations yesterday and introduced the “EU-U.S. Privacy Shield” (Privacy Shield) to WP29 at their meeting in Brussels.

Today, WP29 released a statement welcoming the conclusion of the negotiations on the replacement framework. The WP29 agreed to partially extend the deadline for widespread enforcement actions until they review the Privacy Shield framework documents in detail – a timeline which will likely bleed into late March and early April. The WP29 reiterated that EU Member State DPAs will continue to deal with EU-U.S. data flows cases and complaints on a case-by-case basis as they normally would.

The WP29 was also clear about what they expect from any data transfer mechanism – including clear program rules, necessity and proportionality tests regarding national security access, independent oversight mechanisms, and individual remedies. To read more about the WP29 expectations and company guidance, see today’s Client Alert on the WP29 Privacy Shield reaction.

The European Commission (EC) and U.S. Department of Commerce (DOC) announced today that they have replaced the invalidated U.S.-EU Safe Harbor framework with an updated transatlantic framework which adds several new layers of transparency and oversight.

Though the text of the agreement will not be available for a few weeks, both parties announced a number of high-level changes to the transatlantic pact, now called the EU-U.S. Privacy Shield (Privacy Shield), including:

  • Improved safeguards and transparency obligations regarding U.S. government access to data;
  • Annual review of the Privacy Shield by the EC and DOC to include input from the European Union (EU) member state data protection authorities (DPAs) and U.S. national security agencies;
  • An ombudsman in the U.S. State Department to handle referrals from EU DPAs regarding EU citizen complaints about national security data use;
  • Binding arbitration as a last resort for EU citizen data use complaints against a Privacy Shield certified company that are not resolved after the use of the usual Safe Harbor dispute resolution mechanisms; and
  • Further subprocessor liability commitments for onward transfers.

The Article 29 Working Party (WP29), consisting of the DPAs of all 28 Member States, will discuss the Privacy Shield at their February 3 meeting. We will provide further information after the meeting. For further details regarding the new Privacy Shield and possible outcomes of the next stages of implementation, see our Client Alert on the new Privacy Shield.

U.S.-EU Safe Harbor renegotiation misses deadline; FDA provides medical device design guidance; FTC settles false advertising claim with health care software vendor over encryption.

U.S.-EU Safe Harbor Renegotiation Misses Deadline

The deadline for the U.S.-EU Safe Harbor renegotiation, set by the EU Data Protection Authorities (DPAs) after the October 2015 invalidation of Safe Harbor, was January 31. The EU DPAs have a meeting scheduled for February 2 to discuss the results of the renegotiation. Final terms of the new EU-U.S. data flows framework are reportedly on the table.

On February 1, the European Commission announced to the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the deadline had not been met, but once again stated that the parties are very close to an agreement. EU Commissioner Věra Jourová told the Parliament committee, “I believe the close relationship between the United States and European Union deserves these special efforts. We are close but an additional effort is needed.”

The DPAs have already begun discussing collaborative enforcement actions against companies that continue to rely solely on the invalidated Safe Harbor. The DPAs are expected to clarify their plans at their February 2 meeting, and at that meeting certain DPAs are expected to call for a collective halt to all data flows to the U.S. if a new U.S.-EU framework is not available.

Continue Reading Privacy & Cybersecurity Weekly News Update

Crowell & Moring LLP is pleased to release its “2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year.” The reports examine the trends and developments that will impact corporations in the coming year—from the last year of the Obama administration to how corporate litigation strategy is transforming from the inside out. This year will bring remarkable change for companies, as market disruptions and the speed of innovation transform industries like never before, and the litigation and regulatory environments in which they operate are keeping pace.

Continue Reading Crowell & Moring’s 2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year