Shipman & Goodwin attorney William Roberts will be joined by attorney Marco Mello Cunha, from the Brazilian firm, Tess Advogados, as they discuss data privacy and security issues and analyze global trends in Brazil and the United States, two of the world’s top ten economic leaders.  Today’s businesses collect, transfer and store a wide range of data on a daily basis. These records often contain vast amounts of sensitive and personal information, which, if lost or misused, would create significant business risk. To be successful in the modern environment, businesses need to know how to use, protect and transfer their data in an efficient and compliant manner.

Topics include:

  • An overview of data privacy laws in Brazil and the United States (including Brazil’s new general data protection law which will become effective in 2020)
  • Understanding global trends and cross-border transfer of data
  • Taking a proactive approach to privacy and data security issues

Glenn Cunningham, Shipman & Goodwin Partner and Chair of the Board of Directors of Interlaw, will provide an introduction to the program and how the Interlaw relationship allows a global network of member firms to offer clients high quality legal advice via a single point of contact.

When: May 8, 2019, 2:00 PM – 3:00 PM EDT
Where: Webinar

Last week, the Supreme Court remanded a privacy class action settlement to the Ninth Circuit over concerns about the named plaintiffs’ standing. Specifically, the Court ordered the Ninth Circuit to conduct a Spokeo analysis to determine whether any of the three named plaintiffs suffered a concrete injury as a result of Google’s alleged violation of the Stored Communications Act. As a brief reminder, the Court held in Spokeo, Inc. v. Robins in 2016 that a bare technical or procedural violation of a statute is insufficient to meet the “concrete injury” requirement of Article III standing absent actual harm to the plaintiff. Even where Congress has created a private right of action for violations of a statute, the Court held, that does not mean a plaintiff has automatically suffered actual harm or an actual injury from the statutory violation. In the case at bar, the Court said it could not rule on the validity of the class action settlement before the standing questions raised by Spokeo were addressed by the Ninth Circuit, and it declined to decide those questions itself.

In another branch of government, freshman Representative Katie Porter highlighted the Spokeo standard without naming it last month in a hearing of the Financial Services Committee, and also seemed to call its conclusion into question. During a round of questioning of a CEO facing a data breach class action lawsuit, Rep. Porter asked him why the company’s lawyers were arguing in court filings that the data breach did not cause harm to consumers, when the CEO himself was clearly uncomfortable with the idea of sharing his own personal information with the Committee.

Continue Reading: Congress, SCOTUS and the States Consider Harm

The U.S. Department of Health and Human Services (“HHS”) recently released a publication entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which sets forth a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to improve cybersecurity in the health care and public health sector. This publication was developed by a task group consisting of more than 150 health care and cybersecurity experts from the public and private sectors and focuses upon the “five most prevalent cybersecurity threats and the ten cybersecurity practices to significantly move the needle for a broad range of organizations” in the health care industry.

The five cybersecurity threats addressed in the publication are: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety.

The publication recognizes that cybersecurity recommendations will largely depend upon an organization’s size. Therefore, the publication is broken up into two separate technical volumes that are intended for IT and IT security professionals: (i) Technical Volume 1, which discusses ten cybersecurity practices for small health care organizations, and (ii) Technical Volume 2, which discusses ten cybersecurity practices for medium-sized and large health care organizations. Specifically, the ten cybersecurity practices described in the Technical Volumes are as follows:

Continue Reading: HHS Warns Health Care Organizations of Cybersecurity Threats

The popular social media app Musical.ly (now known as TikTok), which allows users to make videos of themselves lip syncing to songs, recently entered into a record $5.7 million settlement with the Federal Trade Commission (“FTC”) to resolve allegations of illegal collection of children’s data in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”).

To register for the Musical.ly app, users provide their email address, phone number, username, first and last name, short bio, and a profile picture. In addition to allowing users to create music videos, the Musical.ly app provides a platform for users to post and share the videos publicly. The app also had a feature whereby a user could discover a list of other users within a 50-mile radius with whom the user could connect and interact.

The FTC’s complaint alleged that Musical.ly was operating within the purview of COPPA in that (i) the Musical.ly app was “directed to children” and (ii) Musical.ly had actual knowledge that the company was collecting personal information from children. Specifically, the complaint alleged that the app was “directed to children” because the music library includes songs from popular children’s movies and songs popular among children and tweens. Furthermore, the FTC asserted that Musical.ly had actual knowledge that children under the age of 13 were registered users of the app because: (i) in December 2016, a third party publicly alleged in an interview with the cofounder of Musical.ly, Inc. that seven of the app’s most popular users appeared to be children under age 13; (ii) many users self-identify as under 13 in their profile bios or provide school information indicating that they are under the age of 13; and (iii) since at least 2014, Musical.ly received thousands of complaints from parents of children under the age of 13 who were registered users of the app.

Continue Reading: Fines for COPPA Violations Continue to Trend Upward

On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what the Regulations refer to as a “Covered Entity” based in New York, but also to those that merely do business in New York. The Regulations also do not cover just financial institutions, but any business entity that operates under New York’s banking law, insurance law, or financial services law. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert relating to, and providing an overview of, the Regulations, and on February 6, 2018 and August 28, 2018 we published follow-ups highlighting the next round of disclosures required under the Regulations. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damien Privitera also conducted a CLE webinar – Compliance Checkup: NY DFS Cybersecurity Regulations – on August 7, 2018, which can be accessed here.

Continue Reading: NYSDFS Upcoming Deadlines Fast Approaching: Next Key Dates are February 15, 2019 and March 1, 2019

Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de l’Informatique et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right as the GDPR became applicable. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and retention periods of personal data used for personalizing advertisements; and (2) a lack of valid consent for ads personalization.

The first alleged violation feeds the second here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the roughly 20 services being offered. The CNIL also stated that the stated purposes of processing are too vague, meaning a user cannot tell whether Google is relying on his or her consent or on Google’s own legitimate interests as the lawful basis for processing. Last, the CNIL found that certain of Google’s ads personalization options were pre-checked, although the GDPR treats unambiguous consent as coming only from an affirmative action such as ticking a box that is not pre-checked, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents covering every processing activity, whereas the GDPR requires specific consent for each purpose.

Continue Reading: Google Fined by French Regulators for GDPR Gaps

Back in 2008, Illinois became the first state to pass legislation specifically protecting individuals’ biometric data. Following years of legal challenges, some of the major questions about the law are about to be resolved (hopefully). Two major legal challenges, one now at the Illinois Supreme Court and another before the Court of Appeals for the Ninth Circuit, seek to clarify the foundational issues that have been a battleground for privacy litigation: standing and injury. To understand the stakes, Illinois’ Biometric Information Privacy Act requires companies that obtain a person’s biometric information to: (1) obtain a written release before the information is collected and stored; (2) provide notice that the information is being collected and stored; (3) state how long the information will be stored and used; and (4) disclose the specific purpose for its storage and use. The law further provides individuals with a private right of action. However, in order to trigger that private right, an individual must be “aggrieved.”

Continue Reading: Biometric Data Risks on the Rise

After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of her medical records in response to a subpoena that did not comply with HIPAA. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man with whom the plaintiff had specifically asked her physician practice not to share her medical information.

Without speculating too much about its judicial progeny, Byrne nevertheless highlights several areas of HIPAA compliance that should be areas of heightened review for physicians and medical providers now. Please click here for a detailed analysis of this verdict and its implications for providers.

On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics:

Continue Reading: OCR Seeks Public Comment on HIPAA Reform

The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar because PSMC failed to deactivate the former employee’s username and password following termination of employment. OCR investigated the complaint and discovered that PSMC impermissibly disclosed the protected health information (“PHI”) of 557 patients to the former employee. Moreover, OCR determined that PSMC did not have a Business Associate agreement in place with the vendor of the web-based scheduling calendar.

The Resolution Agreement also includes a two-year Corrective Action Plan. Under the Corrective Action Plan, PSMC must: (i) revise its policies and procedures relating to Business Associates and uses and disclosures of PHI; (ii) submit proposed training materials on the revised policies and procedures for OCR’s review and train workforce members in accordance with the approved training materials; (iii) develop a current Risk Analysis and submit such analysis to OCR for review; and (iv) upon OCR’s approval of the Risk Analysis, provide OCR with a risk management plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis and documentation that the risk management plan is being implemented.

The Resolution Agreement and Corrective Action Plan are available here.

Our take:

HIPAA requires covered entities and business associates to terminate a workforce member’s access to all systems and databases containing PHI when that person’s employment, or other arrangement with the entity, ends. The PSMC settlement serves as a reminder that the electronic health record is not the only database for which access must be terminated: the account at issue here was on a vendor-hosted, web-based scheduling calendar, the kind of system that sits outside the organization’s own directory and is easy to overlook when an employee leaves. HIPAA entities should maintain a checklist that identifies every system and database containing PHI, including third-party and web-based services, and use it to confirm that all access to PHI is terminated upon a workforce member’s separation from the entity.
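The checklist only helps if someone actually reconciles it against live account data. The script below is an added example written for this post, not code from OCR, PSMC or the page: it takes a constructed HR feed of separated workforce members and constructed account exports from several PHI-holding systems (the system names and export column layouts, ehr, scheduling_saas, vpn and billing_portal, are hypothetical), reports every account that is still active for a separated person, and flags any inventoried system for which no export was collected, since termination there cannot be verified at all. The vendor calendar in the sample keys accounts by e-mail rather than by directory username, which is the situation in which such accounts typically get missed.

```python
"""Deprovisioning reconciliation: check every inventoried PHI system for
accounts that still work for separated workforce members.

Added example for this post, not code from OCR, PSMC or the page. All data
is constructed, and the system names and column layouts are hypothetical."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# The checklist itself: every system or database that holds PHI. A system on
# this list with no account export is a gap, because termination cannot be verified.
PHI_SYSTEM_INVENTORY = ["ehr", "scheduling_saas", "vpn", "billing_portal"]

# Constructed HR feed of separated workforce members.
HR_TERMINATIONS_CSV = """\
employee_id,email,separation_date
1001,jdoe@example.org,2019-01-15
1002,asmith@example.org,2019-02-01
"""

# Constructed account exports. The vendor-hosted calendar keys accounts by
# e-mail and is not tied to the corporate directory.
SYSTEM_EXPORTS = {
    "ehr": "username,status,last_login\njdoe,disabled,2019-01-14\n"
           "asmith,active,2019-02-20\nbjones,active,2019-02-21\n",
    "scheduling_saas": "login,enabled\njdoe@example.org,true\nasmith@example.org,false\n",
    "vpn": "user,state\njdoe,revoked\nasmith,enabled\n",
}

# Which export column names the account and which one carries its status.
SYSTEM_SCHEMAS = {
    "ehr": ("username", "status"),
    "scheduling_saas": ("login", "enabled"),
    "vpn": ("user", "state"),
}
ACTIVE_VALUES = {"active", "enabled", "true"}


@dataclass(frozen=True, order=True)
class Finding:
    system: str
    username: str
    separated_on: date
    days_open: int


def parse_terminations(text):
    """Map lower-cased e-mail -> separation date."""
    return {row["email"].strip().lower(): date.fromisoformat(row["separation_date"])
            for row in csv.DictReader(io.StringIO(text))}


def parse_export(text, user_col, status_col):
    """Map lower-cased account name -> True if the account is still usable."""
    return {row[user_col].strip().lower(): row[status_col].strip().lower() in ACTIVE_VALUES
            for row in csv.DictReader(io.StringIO(text))}


def identities(email):
    """Names a person may appear under: the full e-mail and its local part."""
    return {email, email.partition("@")[0]}


def find_orphaned_access(terminations, exports, schemas, as_of):
    """Return still-active accounts belonging to separated people, per system."""
    findings = set()
    for system, text in exports.items():
        user_col, status_col = schemas[system]
        accounts = parse_export(text, user_col, status_col)
        for email, separated_on in terminations.items():
            for ident in identities(email):
                if accounts.get(ident):  # present in the export and still active
                    findings.add(Finding(system, ident, separated_on,
                                         (as_of - separated_on).days))
    return sorted(findings)


def coverage_gaps(inventory, exports):
    """Inventoried PHI systems for which no account export was collected."""
    return [s for s in inventory if s not in exports]


def run_audit(as_of_iso="2019-03-01"):
    """Run the reconciliation as of a given date and return a plain report."""
    as_of = date.fromisoformat(as_of_iso)
    findings = find_orphaned_access(parse_terminations(HR_TERMINATIONS_CSV),
                                    SYSTEM_EXPORTS, SYSTEM_SCHEMAS, as_of)
    return {"orphaned": [(f.system, f.username, f.days_open) for f in findings],
            "unverified_systems": coverage_gaps(PHI_SYSTEM_INVENTORY, SYSTEM_EXPORTS)}


if __name__ == "__main__":
    report = run_audit()
    for system, user, days in report["orphaned"]:
        print(f"{system}: {user} still active {days} days after separation")
    for system in report["unverified_systems"]:
        print(f"{system}: no account export collected; termination not verified")
```

Run against the sample data, the audit reports the former employee’s e-mail-keyed account on the vendor calendar as still active 45 days after separation even though the same person’s EHR and VPN accounts were disabled, reports a second person whose EHR and VPN accounts were never disabled, and lists billing_portal as unverified because no export was gathered for it. In practice the HR feed and exports would come from the actual systems; the point of the per-system schema table is that each new PHI system added to the checklist also gets an export hooked into the same check.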