
Damian Privitera advises clients on the design and implementation of data privacy and cybersecurity compliance strategies. He regularly counsels businesses across sectors on data breach identification, investigation and response, internal policy and procedure development, contracting procurement, and website privacy policies and terms of use. Damian helps clients comply with specific data privacy and cybersecurity rules including the GDPR, New York DFS cybersecurity regulations, and HIPAA. His privacy and cybersecurity-related interests include data subject rights, workforce education and compliance, and international data collection, use and transfer. Damian's complete biography can be found here.

Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de l’Informatique et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) a lack of valid consent for ads personalization.

The first alleged violation feeds the second alleged violation here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the about 20 services that are being offered. And the CNIL stated that the purposes of processing are too vague, meaning a user cannot tell if Google is relying on his or her consent or Google’s own legitimate interests as the legitimate basis of processing. Last, the CNIL found certain of Google’s ads personalization options were pre-checked, although GDPR views unambiguous consent as coming only from an affirmative action such as checking a non-pre-checked box, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents for all processing activities, whereas GDPR requires specific consent for each purpose. Continue Reading Google Fined by French Regulators for GDPR Gaps

After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of medical records in response to a non-HIPAA compliant subpoena. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man whom the plaintiff had specifically requested her physician practice not share her medical information with.

Without speculating too much about its judicial progeny, Byrne nevertheless highlights several areas of HIPAA compliance that should be areas of heightened review for physicians and medical providers now. Please click here for a detailed analysis of this verdict and its implications for providers.

A little more than six months after that day in May when privacy policy updates flooded our inboxes and the GDPR came into force, a new study of small business owners in the UK has found that many people and businesses remain essentially “clueless” about the law and its requirements. Commissioned by Aon, the study found that nearly half of the 1,000 small business owners polled are confused about the privacy and security requirements of the law, which could lead many businesses to be in breach of the GDPR without even realizing it. Some examples of potential violations reported by the businesses included paper visitor books logging all visitors to the business and viewable to subsequent visitors, training materials featuring full details of real-life case studies, the use of personal devices by employees for work purposes, and inadequate storage and disposal of paper records. The study also found that business owners were not clear on what constitutes a data breach – thinking the term did not apply to paper records or personal data that was mistakenly posted or sent to the wrong person by email or fax – nor were they clear on the notification requirements, either to the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), or to affected individuals. These small business owners should avail themselves of the ICO’s recent insight into its GDPR enforcement approach from earlier this month, which indicates that ignorant non-compliance likely won’t be looked at favorably. Continue Reading GDPR Guidance and Other Goings-On

As of November 1, consumer credit reporting agencies Equifax, Experian and TransUnion are now subject to the New York DFS cybersecurity regulations that first went into effect back in March 2017. In October 2017, following Equifax’s 2017 data breach and smaller breaches suffered by Experian years earlier, DFS proposed new regulations applicable to consumer credit reporting agencies, which went into effect in June of this year. These regulations at 23 NYCRR 201 require consumer credit reporting agencies to register with DFS, outline prohibited practices of consumer credit reporting agencies, and require consumer credit reporting agencies to comply with DFS’ cybersecurity regulations at 23 NYCRR 500. Consumer credit reporting agencies were required to register with DFS either by September 15, or within 15 days of becoming subject to the regulations, and as with the Part 500 regulations, the Part 201 regulations have phased-in effective dates for compliance with the cybersecurity regulations, which began on November 1. Unlike the Part 500 regulations, consumer credit reporting agencies have less time between the first compliance date and the second, and less time overall from the first compliance date to the fourth and final compliance date on December 31, 2019. Continue Reading NYDFS Cybersecurity Check-In

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about the hospitals allowing a TV documentary to film inside those hospitals. In one instance, the news story OCR cited as launching its investigation was actually posted on one of the hospital’s websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions by, for example, conducting a HIPAA training with the filming crew, the hospitals nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.

The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed with the settling organizations, ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, its complaint further alleged that the hospital and group failed to properly investigate those complaints, verify that its information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been fraudulently used. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, Data Security Law, and HIPAA in its complaint filed simultaneously with the consent decree, which included a payment of $230,000.

Our take

Despite what any of us might be feeling or inclined to think to the contrary, HIPAA enforcement is alive and well, both at the federal and state levels. Although there is some indication that OCR has been selective in its enforcement, and is focusing on pursuing large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do enforce HIPAA violations of all sizes, either standing alone or as part of an enforcement action for a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show how regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and how regulated entities need to take reports of unauthorized access or use of PHI seriously, including investigating and reprimanding employees involved, subject to whistleblower protections.

As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights, July was the worst month this year for healthcare data breaches. So far in 2018, more individual records have been exposed than for all of 2017, including 1.4 million individual records exposed in the biggest breach from July, which was attributed to a phishing attack. These statistics back up a Verizon report on PHI data breaches that came out earlier this year and found that 58% of PHI data breaches involved insiders, and that healthcare is the only industry in which internal actors pose the biggest threat to organizations.

But that doesn’t mean healthcare alone is vulnerable to insider threats, as a Department of Justice criminal complaint filed in June and released earlier this month demonstrates. That complaint alleges that an $81 million bank heist suffered by a Bangladesh bank was carried out by North Korean cybercriminals and started with the criminals sending spearphishing emails to targeted individuals. In those emails, a purported job applicant would ask for a personal interview and attach a .zip file that the applicant claimed was a resume. When opened, the .zip file automatically downloaded malware to the recipient’s computer, which ultimately made its way to the bank’s IT system. This allegedly allowed the hackers to impersonate bank employees, access the SWIFT network, and transfer funds from the bank’s account to an account in the Philippines. Additional malware was used to cover their tracks.

Our take

While certain manipulation of a network as seen in the Bangladesh bank heist may take some skill and expertise, phishing and its targeted variant, spearphishing, are straightforward exploitations of human error. They demonstrate that allocating budget to pay for cybersecurity technology may not be enough, and resources also need to be spent on employee training and culture shifting. Certainly, layered technology solutions that address different weak points, including two-factor authentication, are important and helpful, but organizations need to take a wider view of cybersecurity and risk reduction to both account for, and attempt to correct, human error.

Members of Shipman & Goodwin’s Privacy and Data Protection team join their health law colleagues in explaining how health centers can protect their client data as health care transforms with the use of tools like patient portals and telemedicine in the breakout session The Digital Era: Ensuring Data Privacy in the Age of Transformation.

For more information, please click here.

When: September 14, 2018
2:30 PM – 3:15 PM EDT
Where: Toyota Oakdale Theatre, 95 S Turnpike Road, Wallingford, CT 06492

Nielsen, famed global information and measurement company, was hit last week with a shareholder lawsuit in the Southern District of New York alleging that the EU’s new privacy regulation is to blame for missed targets in its Q2 earnings report, and that Nielsen should have known the hit was coming. The proposed class action claims that Nielsen and two top executives not only made false and misleading statements regarding the company’s preparation for the implementation of the GDPR and the increased restrictions it places on the collection of personal data, but also concealed the adverse effects these restrictions would have on Nielsen’s market position. The lawsuit also argues that Nielsen’s reliance on and access to large data set providers, such as Facebook, was far more important for its financial growth than previously disclosed. Nielsen admitted in its reporting of second quarter results that consumer data privacy considerations placed pressure on it, its clients, and its partners, and specifically cited the GDPR as one such consideration. Nielsen also announced in its second quarter earnings report that its current CEO would retire at the end of 2018. In addition to this proposed class action filed last week, several other law firms have posted notices in the financial press indicating they have filed class actions against Nielsen on behalf of investors, and notifying potential class members of deadlines to act or participate.

One of those law firms has also posted in the financial press that it has commenced class action lawsuits on behalf of shareholders against Facebook, mirroring somewhat the claims against Nielsen. The suits allege in particular that Facebook made materially false or misleading claims and failed to disclose that GDPR’s implementation would have a negative impact on the use of Facebook, its revenue growth and profitability due to new restrictions on data collection and the imposition of an informed consent requirement in some contexts. Those suits also allege that Facebook failed to disclose that the costs to Facebook of complying with GDPR would have a materially adverse effect on its revenue, projected growth, and overall financial health.

Our take

While traditional shareholder suits related to data privacy and security tend to allege that a company failed to comply with data privacy regulations, such as following a data breach, the allegations in these recently announced suits alter the formulation to say that these companies were unprepared for the negative business impacts of proper compliance, and then lied about it. If these suits are successful, they will have far-reaching implications for the ways that publicly-traded companies and their boards conceptualize and assess “cyber risk” and the impacts of new data privacy regulations on their business models. Regardless of whether they are successful or not, however, they reiterate the need for companies from across the business spectrum to pay attention to data privacy and begin assessing both the burdens and benefits of complying with new data privacy regulations as soon as possible after they are announced.

Two developments last month concerning the EU-US Privacy Shield, which is the mechanism designed by the US Department of Commerce and the European Commission to allow US companies to transfer personal data from the EU to the US, highlight the ongoing tension between the EU and US approaches to privacy, particularly post-GDPR. First, the US Federal Trade Commission announced an agreement with a California company, settling allegations that the company falsely claimed in its website privacy policy to be in the process of self-certification with the Privacy Shield, when in fact it had begun the application process but failed to complete all the steps. The FTC Chairman stated that the settlement “demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” A few days later, the European Parliament passed a non-binding resolution to suspend the EU-US Privacy Shield unless the US becomes fully compliant by September 1, 2018. Taking the position that the Privacy Shield does not provide adequate protection, the European Parliament cited among its reasons the fact that non-US citizens have been excluded from the protections of the Privacy Act by executive order, the fact that the US has failed to appoint any independent supervisory authority, and the fact that there is insufficient monitoring and enforcement. Continue Reading Privacy Shield Developments at Home and Abroad

Regulatory compliance and data privacy and security are often cited as two of the top priorities for corporate counsel. Complying with the “first-in-the-nation” cybersecurity regulations passed by the New York Department of Financial Services last year combines those two priorities into one challenging corporate endeavor. With transitional periods, exemptions, and effective dates of different sections of the regulations phasing in over the next several years, entities subject to these regulations are currently in the midst of, and must remain engaged in, compliance efforts. In this program, Shipman & Goodwin attorneys William Roberts and Damian Privitera will provide an overview of the regulations and compliance strategies and discuss data privacy and security programs more generally.

Topics will include:

  • Scope of regulations and regulated entities;
  • Limited exemptions, affiliates, third party service providers;
  • Currently effective sections of the regulations that require compliance and self-checkups to ensure compliance;
  • Preparing for sections of the regulations that become effective and require compliance by September 2018, including encryption, audit trails, application security, limitations on data retention, and training and monitoring of authorized users;
  • Identifying gaps in your cybersecurity program and policies, and steps to take to come into compliance;
  • Meeting reporting deadlines and approaches to annual Certifications of Compliance.

Who Should Attend: C-Suite Executives, Legal Counsel and IT Personnel in the Insurance and Financial Services Industries

When: August 7, 2018, 12:00 PM – 1:00 PM EDT

Where: Webinar
This CLE program has been approved in accordance with the requirements of the New York CLE Board for a maximum of 1.0 credit hour, of which 1.0 can be applied toward the Professional Practice requirement. This program is appropriate for both transitional and nontransitional attorneys.

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approves or accredits CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to one hour toward your annual CLE requirement in Connecticut, including zero hour(s) of ethics/professionalism.