Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court for the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App so that it secretly captures patients’ sensitive health information and, unbeknownst to the patients, transmits that information to an off-shore third-party technology company. The suit also alleges that, contrary to MDLive’s representation that it respects and takes patient privacy “very seriously,” MDLive does not restrict access to a patient’s health information to that patient’s healthcare provider, but instead grants broad access to its employees (including software developers), agents, and third parties. The suit further alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption).

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on their wireless headphone customers by secretly collecting and transmitting the users’ private music and other audio selections to third parties without disclosure and user consent. 

Swiss-U.S. Privacy Shield Opens for Self-Certifications

By Amanda J. Katzenstein

On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015. 

Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers

By Zuzana S. Ikels

In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISP providers that were issued in October 2016 by the Federal Communications Commission (FCC). The FCC Privacy Rules required ISP and broadband providers to obtain an individual’s consent and authorization – through an “opt-in” mechanism – before a provider could collect, use, share, or sell the customer’s information to third-party marketers and companies. The rules also included data security and data breach notification recommendations and requirements. The FCC further imposed a blanket prohibition on ISP providers offering “take-it-or-leave-it” broadband services contingent on pre-authorization.

New Guidance This Week from FTC on Best Practices Against Phishing

By Zuzana S. Ikels

On March 6, 2017, the Federal Trade Commission (FTC) issued new guidelines for businesses on how to deter and reduce the risk of phishing attacks. The recommendations should be shared and discussed with your company’s Information Technology (IT) department to make sure that the email servers and systems have the requisite safeguards. Compliance with these standards will reduce risk and is one way of showing that the company is making a prudent and reasonable effort to protect personal information.

‘Tis The Season…For Dangerous W-2 Phishing Scams

By Daniel L. Farris

For each of the last few years, February and March have seen a sharp increase in the frequency and volume of W-2-related phishing scams. According to a recent IRS Notice, 2017 is no different, except perhaps that the threat is evolving.  

Traditionally, the W-2 scam works like this: 

Cyber criminals use social engineering to identify certain key Human Resources (HR) and/or accounting personnel within a company. Targeting those HR and/or accounting employees, the cyber criminals send emails with a “spoofed” sender address. The emails appear to come from the company’s CEO or other executive, and they generally claim that the CEO has an urgent need for Form W-2s for all employees in advance of a meeting the CEO has with the IRS.  Unsuspecting mid-level HR and accounting personnel send on the W-2s, and inadvertently cause a data breach. 

FTC Shakeup May Shift Privacy & Data Security Enforcement – Focus on Actual Harm

By D. Rockwell Bower

A leadership change at the Federal Trade Commission (FTC) may spell relief for U.S. businesses grappling with the agency’s enforcement measures amidst an increasingly dangerous cybersecurity landscape. On January 25, 2017, President Donald Trump named Maureen Ohlhausen (currently a commissioner of the FTC) as acting chairman of the FTC. Ohlhausen has served at the agency in various capacities for more than a decade, and is now the lone Republican remaining on what will soon be a two-member commission, following former Chair Edith Ramirez’s announced resignation. When Ramirez leaves the agency on February 10th, only Ohlhausen and Commissioner Terrell McSweeney (Democrat) will remain at the helm, with three vacant commissioner seats for President Trump to fill.

Trump Executive Order Puts Privacy Shield’s Future in Doubt

By Daniel Farris and Amanda Katzenstein

President Trump signed an Executive Order last week that potentially puts the six-month-old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order, entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:

"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright. 

Privacy and Data Security: 2017 Year in Preview

Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.  

As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.

As the GDPR Compliance Date Looms, Risks and Budgets Grow in Tandem

By Daniel L. Farris and Jean Marie R. Pechette

As the May 2018 effective date of the General Data Protection Regulation (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

Following EU, U.S. and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

By Daniel L. Farris

The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing U.S.-E.U. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements. 

The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October of 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12th. The 90-day delay is intended to give companies time to review the new Swiss principles and the commitments they entail.

Big Law, Big Data, Big Problem

By Kathryn T. Allen

The Year of the Breach: 2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches, involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to obtain non-public information for financial gain. In April, perhaps the largest-volume data breach of all time involved the law firm Mossack Fonseca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities, and global leaders. Finally, Chicago law firm Johnson & Bell Ltd. was in the news in December when a proposed class action accusing it of failing to protect client data was unsealed.

Yahoo Announces Second Data Breach in Four Months

By Joseph D. McClendon
 
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach, one that affects twice as many user accounts as the initial 2014 breach.
 
The beleaguered search engine company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, in which cyber criminals were able to steal an estimated 1 billion end user names, email addresses, telephone numbers, and dates of birth. The cyber criminals also stole hashed passwords as well as security questions and answers, some of which may not have been encrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted while others were not. The company does not believe financial data was stolen in the breach.

Don’t Stop At HIPAA: Why For-Profit Covered Entities and Business Associates that Collect and Share Consumer Health Data Must Consider Both HIPAA and the FTC Act

By Lisa Acevedo, Daniel Farris, Erin Fleming Dunlap, and Lindsay R. Dailey

The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued new guidance last month for organizations that handle consumer health information (the Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by HHS and the FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.

Recent Attack Demonstrates IoT Risks in Household Items

By Amanda Katzenstein

On October 21, 2016, hackers carried out a massive Denial of Service cyberattack that rendered some of the most popular websites in the country inaccessible to much of the East Coast.  Unlike past DoS attacks, this latest attack was undertaken by infecting millions of internet-connected devices with malware, causing new concerns about the ever-growing Internet of Things.

OCR Provides New BA Guidance to Cloud Providers

By Lisa J. Acevedo, Daniel L. Farris, Lisa S. Katz, Erin Fleming Dunlap, Rebecca Frigy Romine, Kathleen D. Kenney, and Lindsay R. Dailey

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules, through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have debated for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) stored in its cloud is encrypted and the CSP does not possess the encryption key.

As Grace Period Ends, Burst of Privacy Shield Applications May Decrease

By Amanda Katzenstein

More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the rate of applications is expected to slow after October 1, 2016, because the compliance obligations increase after the deadline.

Yahoo Discloses Massive Data Breach

By Joseph D. McClendon

Yahoo, the American technology company most famous for its use of a web portal to organize categories of websites and for its contributions to early Internet search engine technology, announced today that at least 500 million user accounts were breached in a 2014 cyber attack. Data stolen by what Yahoo believes are state-sponsored actors includes names, email addresses, telephone numbers, dates of birth, and hashed passwords. Breached data may also include account security questions and answers; however, whether or not that data was encrypted appears to vary on an account-by-account basis. Yahoo was quick to note that its investigation into the data breach has not shown that the stolen data includes unhashed passwords or credit card or bank account information. This may be the largest data breach publicly disclosed, and it comes on the heels of the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares fell after the announcement, but analysts have noted that the acquisition is unlikely to be affected by the news.

Recent Studies Show Increasing Need For Employee Training in Data Security

By Mary Kathryn Curry

Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system. 

Location Data Gathering Under Europe’s New Privacy Laws

By Kathryn Allen

The rise in popularity of apps and services that use location data (technology that pinpoints a consumer’s location automatically), like the smash-hit Pokémon Go, has EU privacy regulators calling on companies to ‘mind the gap.’ The much-anticipated General Data Protection Regulation (the “GDPR”), as well as other EU privacy laws, aims to tighten the rules for obtaining consent from consumers about what data they are sharing and to restrict how companies can use the data they mine from consumers. There has been much speculation about how these new regulations (not directives), coupled with a much higher potential for fines, will impact U.S. companies that operate or plan to operate in the EU. Those using location data in apps and for passive tracking should pay close attention to EU regulators as GDPR implementation draws near.
