Winter is Coming…and so is PSD2

Winter is Coming…and so is PSD2

By Reece Clark

Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.

Read More

Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"

Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"

By Rachel A. Rice

In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios. 

Read More

Privacy Shield Updates: Positive Joint Annual Review; Mandated Arbitral Fees

Privacy Shield Updates: Positive Joint Annual Review; Mandated Arbitral Fees

By Steven A. Hengeli, Jr.

The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward. 

The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield—with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights. 

Read More

WPA2 KRACK ATTACK

WPA2 KRACK ATTACK

By Aaron M. Levine

Several news reports today sounded the alarm that the WPA2 protocol, currently the most popular method of securing Wi-Fi communications, is vulnerable to the “KRACK” attack. Despite the amusing name, this vulnerability is extremely serious. 

KRACK stands for Key Reinstallation Attack. In essence, this attack tricks Wi-Fi enabled devices into reinstalling the “nonce,” which is a randomly generated, one-time numerical key used to encrypt communications between the targeted device and the router/gateway. Once the attacker has compromised this key, it can eavesdrop on the packets that are sent to/from the target device or, alternatively, it can forge packets to inject viruses or other malicious code onto a target machine.

Read More

Privacy-Class-Action-Plaintiffs' Emerging Litigation Strategy Avoids Arbitration

Privacy-Class-Action-Plaintiffs' Emerging Litigation Strategy Avoids Arbitration

By Zuzana S. Ikels 

On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative, privacy class action related to targeted adverting efforts on mobile devices.

In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have, previously, been directed at the webpage/content-providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.

Read More

The Potential of “Elastic Sensitivity” to Protect Privacy in Big Data Analytics

The Potential of “Elastic Sensitivity” to Protect Privacy in Big Data Analytics

By Zuzana S. Ikels

Three University of California-Berkeley researchers have written a paper discussing the first “practical approach for differential privacy.” This new method, referred to as “Elastic Sensitivity,” excludes the components of tables in large data sets and big data databases that contain individual information from the other data before running the query. 

Read More

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzaka S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry. To view the report, click here.

The task force was created by Congress as part of the Cybersecurity Act of 2015, and is comprised of subject matter experts from the public and private sector that evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic healthcare records (“EHR”), and tailors the recommendations to encourage opportunities for efficiencies, research and sharing of information, while responding to the increasing threat of cybersecurity breaches to the health care providers’ technical infrastructure.

Read More

Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

By Amanda J. Katzenstein

In what is being described as the largest breach of U.S. electoral data, personal data relating to almost 200 million U.S. citizens was accidentally exposed by a Republican National Committee vendor. According to BBC, the 1.1 terabytes of data exposed “includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.” 

Read More

AlphaGo Beats The World’s Top Go Player

AlphaGo Beats The World’s Top Go Player

By Zuzana S. Ikels

Google/Alphabet’s new and improved artificial intelligence program, AlphaGo, just beat the best human player of the game Go as reported by Wired. Go was invented in China thousands of years ago, and it is considered the most complicated game in the world. AlphaGo is the newest version of Alphabet’s artificial intelligence program. According to Google’s DeepMind Lab, AlphaGo was completely redesigned and reconfigured so that the AI system would learn the game from playing the game against itself, as well as analyze the data of wins and losses by humans.

Read More

The Power of a Transparent and Broad Privacy Policy

The Power of a Transparent and Broad Privacy Policy

By Zuzana Ikels and Erin Fleming Dunlap

The enforceability of privacy policies and consumer consent as to targeted advertisements related to medical or healthcare conditions is a hot button topic in the law and business. In Smith v. Facebook et al (filed in March 2016), plaintiffs sought to test the boundaries. In a surprising result, and after a year of briefing and oral argument, Judge Edward Davila of the Northern District of California issued his order a few days ago.  In a surprising twist, the Court dismissed the entire complaint without leave to amend. Polsinelli attorneys Zuzana S. Ikels and Erin Dunlap provided analysis and recommendations regarding the power of a transparent and broad privacy policy in an article published by Law360

Read More

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

By Jean Marie R. Pechette and Thomas Kiser

The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Herman Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two- year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MMHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

Read More

Massive Global Ransomware Attack

Massive Global Ransomware Attack

By JJ Bollozos

A cybersecurity attack of global proportions...

As of this afternoon, cybersecurity company Avast reported a ransomware attack, known as WanaCrypt0r 2.0, has been detected over 57,000 times across 99 countries. Of note, the attack has allegedly infected a large telecommunications company in Spain, hospitals across England, and a shipping company based in the U.S., as well as other companies throughout the world. According to the New York Times, the ransomware was included in a compressed file sent via email that would infect a victim’s device once it was opened. 

Read More

Faxing Without Opt-Out Leads to $1.35M Payment to Get Out of TCPA Class Action

Faxing Without Opt-Out Leads to $1.35M Payment to Get Out of TCPA Class Action

By Amanda J. Katzenstein, Jean Marie R. Pechette, and Jarno J. Vanto

Florida-based radiology provider, SRA Ventures, and two units of Canada-based cardiology and imaging service provider, KMH Labs, have agreed to pay Medical & Chiropractic Clinic Inc. $1.35 million to settle a proposed class action lawsuit after the providers faxed nearly 5,600 advertisements that did not contain necessary opt-out language, allegedly in violation of the Telephone Consumer Protection Act (“TCPA”), as amended by the Junk Fax Prevention Act of 2005 (“JFPA”), and FCC regulations.

Read More

1 Million Google Users Hit with Fake Google Docs Phishing Attack

1 Million Google Users Hit with Fake Google Docs Phishing Attack

By Joseph D. McClendon

A new phishing attack is making the rounds through email, this time using a fake Google Docs app to trick you into granting permissions to your real Google account. The attack starts by sending you an invitation to view a document in what appears to be Google Docs. Clicking on the link takes you to a fake Google login screen, which logs you into a third party web app that’s been named “Google Docs.” Next, you are instructed to give permissions to the web app to access your email and contacts list. Once the malicious web app has access to your account, the attack spreads by sending more phishing emails from “you” to your contact list. 

Read More

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

By Jean Marie R. Pechette

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced on April 24, 2017, a $2.5 Million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with CardioNet, Inc., based on its alleged impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  

Read More

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court of the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App that secretly captures patients’ sensitive health information and unbeknownst to the patients, transmits their health information to an off-shore third party tech company. The suit also alleges that contrary to MdLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information only to the patient’s healthcare provider but instead grants broad access to its employees (including software developers), agents and third parties. The suit also alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption). 

Read More

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on their wireless headphone customers by secretly collecting and transmitting the users’ private music and other audio selections to third parties without disclosure and user consent. 

Read More

Swiss-U.S. Privacy Shield Opens for Self-Certifications

Swiss-U.S. Privacy Shield Opens for Self-Certifications

By Amanda J. Katzenstein

On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015. 

Read More