Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

By Amanda J. Katzenstein

In what is being described as the largest breach of U.S. electoral data, personal data relating to almost 200 million U.S. citizens was accidentally exposed by a Republican National Committee vendor. According to BBC, the 1.1 terabytes of data exposed “includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.” 

Read More

AlphaGo Beats The World’s Top Go Player

AlphaGo Beats The World’s Top Go Player

By Zuzana S. Ikels

Google/Alphabet’s new and improved artificial intelligence program, AlphaGo, just beat the best human player of the game Go as reported by Wired. Go was invented in China thousands of years ago, and it is considered the most complicated game in the world. AlphaGo is the newest version of Alphabet’s artificial intelligence program. According to Google’s DeepMind Lab, AlphaGo was completely redesigned and reconfigured so that the AI system would learn the game from playing the game against itself, as well as analyze the data of wins and losses by humans.

Read More

The Power of a Transparent and Broad Privacy Policy

The Power of a Transparent and Broad Privacy Policy

By Zuzana Ikels and Erin Fleming Dunlap

The enforceability of privacy policies and consumer consent as to targeted advertisements related to medical or healthcare conditions is a hot button topic in the law and business. In Smith v. Facebook et al (filed in March 2016), plaintiffs sought to test the boundaries. In a surprising result, and after a year of briefing and oral argument, Judge Edward Davila of the Northern District of California issued his order a few days ago.  In a surprising twist, the Court dismissed the entire complaint without leave to amend. Polsinelli attorneys Zuzana S. Ikels and Erin Dunlap provided analysis and recommendations regarding the power of a transparent and broad privacy policy in an article published by Law360

Read More

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

By Jean Marie R. Pechette and Thomas Kiser

The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Herman Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two- year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MMHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

Read More

Massive Global Ransomware Attack

Massive Global Ransomware Attack

By JJ Bollozos

A cybersecurity attack of global proportions...

As of this afternoon, cybersecurity company Avast reported a ransomware attack, known as WanaCrypt0r 2.0, has been detected over 57,000 times across 99 countries. Of note, the attack has allegedly infected a large telecommunications company in Spain, hospitals across England, and a shipping company based in the U.S., as well as other companies throughout the world. According to the New York Times, the ransomware was included in a compressed file sent via email that would infect a victim’s device once it was opened. 

Read More

Faxing Without Opt-Out Leads to $1.35M Payment to Get Out of TCPA Class Action

Faxing Without Opt-Out Leads to $1.35M Payment to Get Out of TCPA Class Action

By Amanda J. Katzenstein, Jean Marie R. Pechette, and Jarno J. Vanto

Florida-based radiology provider, SRA Ventures, and two units of Canada-based cardiology and imaging service provider, KMH Labs, have agreed to pay Medical & Chiropractic Clinic Inc. $1.35 million to settle a proposed class action lawsuit after the providers faxed nearly 5,600 advertisements that did not contain necessary opt-out language, allegedly in violation of the Telephone Consumer Protection Act (“TCPA”), as amended by the Junk Fax Prevention Act of 2005 (“JFPA”), and FCC regulations.

Read More

1 Million Google Users Hit with Fake Google Docs Phishing Attack

1 Million Google Users Hit with Fake Google Docs Phishing Attack

By Joseph D. McClendon

A new phishing attack is making the rounds through email, this time using a fake Google Docs app to trick you into granting permissions to your real Google account. The attack starts by sending you an invitation to view a document in what appears to be Google Docs. Clicking on the link takes you to a fake Google login screen, which logs you into a third party web app that’s been named “Google Docs.” Next, you are instructed to give permissions to the web app to access your email and contacts list. Once the malicious web app has access to your account, the attack spreads by sending more phishing emails from “you” to your contact list. 

Read More

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

By Jean Marie R. Pechette

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced on April 24, 2017, a $2.5 Million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with CardioNet, Inc., based on its alleged impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  

Read More

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court of the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App that secretly captures patients’ sensitive health information and unbeknownst to the patients, transmits their health information to an off-shore third party tech company. The suit also alleges that contrary to MdLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information only to the patient’s healthcare provider but instead grants broad access to its employees (including software developers), agents and third parties. The suit also alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption). 

Read More

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on their wireless headphone customers by secretly collecting and transmitting the users’ private music and other audio selections to third parties without disclosure and user consent. 

Read More

Swiss-U.S. Privacy Shield Opens for Self-Certifications

Swiss-U.S. Privacy Shield Opens for Self-Certifications

By Amanda J. Katzenstein

On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015. 

Read More

Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers

Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers

By Zuzana S. Ikels

In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISP providers that were issued in October 2016 by the Federal Communications Commission (FCC). Click here to view the FCC Privacy Rules. The FCC Privacy Rules required ISP and broadband providers to obtain an individual’s consent and authorization – through an “opt-in” mechanism – before a provider could collect, use, share or sell the customer’s information to third party marketers and companies. It also included data security and data breach notification recommendations and requirements. The FCC also imposed a blanket prohibition on ISP providers that offered “take-it-or-leave-it” broadband services contingent on pre-authorization. 

Read More

New Guidance This Week from FTC on Best Practices Against Phishing

New Guidance This Week from FTC on Best Practices Against Phishing

By Zuzana S. Ikels

On March 6, 2017, the Federal Trade Commission (FTC) issued new guidelines for businesses as to how to deter and reduce the risk of phishing attacks. The recommendations should be shared and discussed with your company’s Information Technology (IT) department to make sure that the email servers and systems have the requisite safeguards. Compliance with these standards will reduce risk and is one way of showing that the company is making a prudent and reasonable effort to protect personal information. 

Read More

‘Tis The Season…For Dangerous W-2 Phishing Scams

‘Tis The Season…For Dangerous W-2 Phishing Scams

By Daniel L. Farris

For each of the last few years, February and March have seen a sharp increase in the frequency and volume of W-2-related phishing scams. According to a recent IRS Notice, 2017 is no different, except perhaps that the threat is evolving.  

Traditionally, the W-2 scam works like this: 

Cyber criminals use social engineering to identify certain key Human Resources (HR) and/or accounting personnel within a company. Targeting those HR and/or accounting employees, the cyber criminals send emails with a “spoofed” sender address. The emails appear to come from the company’s CEO or other executive, and they generally claim that the CEO has an urgent need for Form W-2s for all employees in advance of a meeting the CEO has with the IRS.  Unsuspecting mid-level HR and accounting personnel send on the W-2s, and inadvertently cause a data breach. 

Read More

FTC Shakeup May Shift Privacy & Data Security Enforcement – Focus on Actual Harm

FTC Shakeup May Shift Privacy & Data Security Enforcement – Focus on Actual Harm

By D. Rockwell Bower

A leadership change at the Federal Trade Commission (FTC) may spell relief for U.S. businesses grappling with the agency’s enforcement measures amidst an increasingly dangerous cybersecurity landscape. On January 25, 2017, President Donald Trump named Maureen Ohlhausen (currently a commissioner of the FTC) as acting chairman of the FTC. Ohlhausen has served at the agency in various capacities for more than a decade, and is now the lone Republican remaining on what will soon be a two-member commission, after former-Chair Edith Ramirez’s announced resignation. When Ramirez leaves the agency on February 10th, only Ohlhausen and Commissioner Terrell McSweeney (Democrat) will remain at the helm with three vacant commissioner seats for President Trump to appoint. 

Read More

Trump Executive Order Puts Privacy Shield’s Future in Doubt

Trump Executive Order Puts Privacy Shield’s Future in Doubt

By Amanda Katzenstein and By Daniel L. Farris

President Trump signed an Executive Order last week that potentially puts the six-month old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:

"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright. 

Read More

Privacy and Data Security: 2017 Year in Preview

Privacy and Data Security:  2017 Year in Preview

Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.  

As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.

Read More

As the GDPR Compliance Date Looms, Risks and Budgets Grow in Tandem

As the GDPR Compliance Date Looms, Risks and Budgets Grow in Tandem

By Jean Marie R. Pechette and Daniel L. Farris

As the May 2018 effective date of the General Data Protection Regulation’s (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million. 

Read More

Following EU, U.S. and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

Following EU, U.S. and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

By Daniel L. Farris

The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing U.S.-E.U. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements. 

The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October of 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12th. The 90 day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail. 

Read More

Big Law, Big Data, Big Problem

Big Law, Big Data, Big Problem

By Kathryn T. Allen

The Year of the Breach: 2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed.

Read More