U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By Allison Trimble

The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent). The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent.

Privacy-Class-Action-Plaintiffs' Emerging Litigation Strategy Avoids Arbitration

By Zuzana S. Ikels

On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative privacy class action related to targeted advertising efforts on mobile devices.

In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have previously been directed at the webpage/content providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

By Jean Marie R. Pechette and Thomas Kiser

The U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Hermann Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two-year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MHHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court for the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App so that it secretly captures patients’ sensitive health information and, unbeknownst to the patients, transmits that information to an off-shore third-party tech company. The suit also alleges that, contrary to MDLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information to the patient’s healthcare provider and instead grants broad access to its employees (including software developers), agents and third parties. The suit further alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption).

Data Security Violations Found by the Consumer Financial Protection Bureau Against Payment Processor Dwolla, Inc.

By Mary Kathryn Curry

Dwolla, Inc., a company that claims to offer secure, ready-to-use payment tools that simplify how people send or receive money from anyone in the U.S., has been hit with a $100,000 penalty and an annual data-security audit compliance plan. Dwolla, based in Des Moines, Iowa, has collected and stored sensitive personal information from consumers since 2009, such as address, date of birth, telephone number and Social Security number. In addition, consumers provide their bank account and routing number to link their bank accounts to their Dwolla account. Dwolla has approximately 653,000 members and transfers as much as $5,000 per day.

FTC Issues Warning to Application Developers

By Zuzana S. Ikels

A few days ago, the Federal Trade Commission issued warning letters to 12 application developers because their apps use the Silverpush software. According to the FTC, Silverpush is designed to monitor a user’s television use regardless of whether the user is actively using the particular app, enabling it to provide a detailed record of the consumer’s television use for the purpose of marketing analytics and targeted advertising. The FTC instructed the app developers to notify consumers if the software is being used in the U.S., which Silverpush claims it is not.

EU Finalizes Text of New General Data Protection Regulation

By Joseph D. McClendon

Three years after Luxembourg politician Viviane Reding originally proposed overhauling the EU Data Protection Directive (“Directive”), European Union officials finally reached an agreement to replace the Directive with new comprehensive privacy legislation called the General Data Protection Regulation (“GDPR”). The GDPR is not yet EU law; however, the EU Parliament is expected to approve the GDPR when it next meets in January 2016. When approved, the GDPR will become law in 2018 across all 28 EU Member States and will supersede the inconsistent laws the EU Member States implemented in order to comply with the minimum data protection requirements set out in the Directive.

Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

By Daniel L. Farris

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions that brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach. The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards.

The Vast Reach of a Security Breach

By Joseph D. McClendon

Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may be only the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage, as well as cooperating with the government’s investigations into the matter.

SEC Uses Safeguard Rule to Sanction, Penalize Investment Firm for Data Breach

By Daniel L. Farris

Following a decision in August not to pursue penalties or other sanctions against Target for the company's massive 2013 data breach, the Securities and Exchange Commission announced new penalties last week against investment firm R. T. Jones Capital Management for its role in a much smaller 2013 breach involving investor data. The SEC's announcement came on the same day that it issued guidance to investors about how to protect their personal and financial information in the event of a financial institution data breach.

Under section 504 of the Gramm-Leach-Bliley Act, which regulates disclosure of consumer information, the SEC has the authority to impose penalties on companies that don’t disclose the magnitude of data breaches, fail to properly detail their policies and procedures for protecting consumer data, or fail to implement adequate cybersecurity measures. To date, however, the SEC has largely left data breach enforcement activities to the Federal Trade Commission.

Whether the SEC’s decision in the R.T. Jones case marks a shift in enforcement philosophy is unclear, particularly given the facts of the R.T. Jones case, which all but forced the SEC’s hand. According to the SEC, R.T. Jones “failed to adopt written policies and procedures designed to protect consumer records and information, such as employing a firewall or encrypting data to protect the web server it used to store sensitive client information. As a result, the personal data of nearly 100,000 people was compromised in the hack.”

Managing Cybersecurity in the Wake of FTC v. Wyndham

By Dov H. Scherzer and Joseph D. McClendon

In a long-anticipated decision handed down on August 24, 2015, the US Third Circuit Court of Appeals held that the Federal Trade Commission (FTC) does have the authority to regulate cybersecurity and that the failure to take proper measures to protect consumer data can rise to the level of an unfair trade practice under the FTC Act. The decision also serves as a cautionary tale about how not to handle data collection and information security. This alert provides a brief overview of the Wyndham ruling and some practical guidance for staying out of the FTC’s crosshairs.