Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one a shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.
Continue Reading

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter.
Continue Reading

Earlier this month, the Federal Bureau of Investigation (FBI) issued a public comment about privacy, cybersecurity, and safety risks associated with internet-connected toys.  The FBI’s comment builds on the Federal Trade Commission’s recent amendment to the Children’s Online Privacy Protection Act (COPPA), which explicitly states that connected toys are deemed “websites or online services”

Last week, the Federal Trade Commission (“FTC”) announced an agreement settling claims against a television manufacturer arising from the alleged unauthorized collection of television viewing data.  The FTC, along with the State of New Jersey, alleged that certain “smart TVs” manufactured and sold by VIZIO, Inc. and its subsidiary VIZIO Inscape Services (collectively, “VIZIO”) failed

FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use

Guidance on HIPAA & cloud computing; Senators question FTC enforcement standards

HHS publishes guidance on HIPAA’s impact on cloud computing

This week, the Department of Health and Human Services issued guidance for HIPAA-covered entities and business associates regarding cloud computing.  When a covered entity seeks to use cloud services in connection with the use

FCC broadband privacy proposal; Potential challenge to FTC privacy enforcement power

FCC to consider broadband privacy proposal

On October 6, the Chairman of the Federal Communications Commission (FCC) issued proposed rules that would impose on broadband providers privacy regulations similar to those implemented and enforced by the Federal Trade Commission (FTC).  The proposal calls for

Hamburg DPA orders WhatsApp to stop sharing data with Facebook; GAO: HHS Needs to Improve is Digital Health Protection Rules; Notice and Choice Becoming Par for the Course for Interest-Based-Ads in Apps

German Data Protection Authority of Hamburg orders WhatsApp to stop sharing data with Facebook

On September 27, 2016, the Hamburg Commissioner for

HHS Jumps on the Cybersecurity Information Sharing Bandwagon; Third Circuit on Economic Loss as a basis for Negligence Claim; FTC workshop on Ransomware; German draft implementing law for GDPR revealed.

HHS Jumps on the Cybersecurity Information Sharing Bandwagon

Because of recent news reports confirming that cyberattacks against healthcare agencies have increased 125 % in the past five years, HHS is encouraging HIPAA Covered Entities and Business Associates to share information to combat future attacks.

HHS, based on authority from Executive Order 13591 and the Cybersecurity Information Security Act (CISA), is urging Covered Entities and Business Associates to join Information Sharing and Analysis Organizations (ISAOs) to share security threat and vulnerability information related to electronic protected health information (ePHI).

Ideally, ISAOs will provide a mechanism for sharing information bi-directionally “between HHS and the Health Care and Public Health (HPH) sector regarding cyber threats and will also provide outreach and education to the HPH sector.” This press release from HHS follows a similar measure by the Department of Homeland Security, which also encourages information sharing to mitigate the risk of cyberattacks.

In developing ISAOs in the health care sector, it is critical to consider three things:

  • the standards and best practices for the creation of ISAOs to ensure that covered entities and business associates that participate gain the protections of such information sharing under CISA;
  • the data that is shared in light of what is permitted under the HIPAA Privacy Rule; and
  • how participation in an ISAO can support compliance with the HIPAA Security Rule.

Crowell & Moring is a leading expert in the creation of ISAOs and HIPAA compliance and can help stakeholders that seek to comply with HHS’s call to action to consider the intersection of these various legal frameworks


Continue Reading

On Tuesday, the FTC simultaneously released a “Mobile Health App Interactive Tool” and “Best Practices,” to help mobile health app developers navigate the maze of federal regulation, including data privacy regulation.  The tool walks developers through a series of high level questions about the nature of their app, and uses the