The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices.
Polsinelli on Privacy | Privacy and Data Security Blog
In an increasingly competitive environment, effectively leveraging technology can be the difference between success and failure for companies in all sectors of the economy. Protecting your data and securing employee/end user privacy – this is the goal of Polsinelli’s Privacy and Data Security practice and it’s what keeps us up at night.
We offer compliance and security counseling, transactional support, data breach rapid response, and breach litigation and counseling. In 2017 we were named a Leader by BTI in their annual "Law Firms Best at Cybersecurity" ranking.
By: Zuzana S. Ikels
The Second Circuit recently addressed a matter of first impression, interpreting the scope and effect of the FCC’s Healthcare Exception, which exempts healthcare providers from violations of the Telephone Consumer Protection Act (“TCPA”) when they contact patients about their care. In Latner v. Mt. Sinai Health Center, the patient came for a routine visit and signed a written consent form that contained his contact information and granted consent to Mt. Sinai to use his health information “for payment, treatment and hospital operations purposes.” Ten years later, the patient received a single text message reminding him to get an immunization shot. The plaintiff sued, asserting that the message violated the TCPA.
By Reece Clark
Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payment Services Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payment service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.
By Zuzana Ikels and Erin Fleming Dunlap
A class action suit filed in the U.S. District Court for the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App to secretly capture patients’ sensitive health information and, unbeknownst to the patients, transmit that information to an off-shore third-party tech company. The suit also alleges that, contrary to MDLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information to the patient’s healthcare provider and instead grants broad access to its employees (including software developers), agents and third parties. The suit further alleges that MDLive breached its contract with the patients by failing to implement adequate security measures (such as encryption) to ensure that access to their health information was appropriately restricted.
Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on its wireless headphone customers by secretly collecting and transmitting the users’ private music and other audio selections to third parties without disclosure and user consent.
By Amanda J. Katzenstein
On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015.
In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISP providers that were issued in October 2016 by the Federal Communications Commission (FCC). The FCC Privacy Rules required ISP and broadband providers to obtain an individual’s consent and authorization – through an “opt-in” mechanism – before a provider could collect, use, share or sell the customer’s information to third party marketers and companies. It also included data security and data breach notification recommendations and requirements. The FCC also imposed a blanket prohibition on ISP providers that offered “take-it-or-leave-it” broadband services contingent on pre-authorization.
A leadership change at the Federal Trade Commission (FTC) may spell relief for U.S. businesses grappling with the agency’s enforcement measures amidst an increasingly dangerous cybersecurity landscape. On January 25, 2017, President Donald Trump named Maureen Ohlhausen (currently a commissioner of the FTC) as acting chairman of the FTC. Ohlhausen has served at the agency in various capacities for more than a decade, and is now the lone Republican remaining on what will soon be a two-member commission, after former-Chair Edith Ramirez’s announced resignation. When Ramirez leaves the agency on February 10th, only Ohlhausen and Commissioner Terrell McSweeney (Democrat) will remain at the helm with three vacant commissioner seats for President Trump to appoint.
By Daniel L. Farris
As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.
There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.
By Daniel L. Farris
The U.S. House of Representatives passed the Support for Rapid Innovation Act (H.R. 5388) and the Leveraging Emerging Technologies Act (H.R. 5389) on Tuesday. Both bills gained broad bipartisan support, after being recommended by the House Homeland Security Committee last week. If enacted, the bills will appropriate new funds to DHS for outreach and private-sector collaboration for the development of innovative cybersecurity technologies.
By Daniel L. Farris
The U.S. House of Representatives Homeland Security Committee approved four cyber-security related bills on Wednesday, including one which could create a new federal cybersecurity agency. Most significantly, the Committee unanimously approved H.R. 5390 – a bill which aims to transform the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) into a full-blown operational agency. The proposed Cybersecurity and Infrastructure Protection Agency would “realign and streamline” federal cybersecurity initiatives, and implement the Cybersecurity Information Sharing Act (CISA), which passed in December.
By Nicole A. Poulos
The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”) a mere three weeks after Chairman Tom Wheeler proposed them. The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment. Currently, no enforceable privacy rules exist for broadband networks.
Adoption of the Proposed Rulemaking did not go without a fight, as the final vote was a 3-2 split. Opponents to the rules argued that the regulations only target ISPs, and fail to reach social networks and other online services. Proponents of the proposed rules argued that ISPs can collect and piece together a wealth of information on customers, including private information.
By Darryl Drevna
Earlier this morning both the House and Senate voted to pass the Omnibus Appropriations Package, clearing the way for the Cybersecurity Act of 2015 to be signed into law. The House voted 316 to 113 to pass it and the Senate voted 65 to 33 in favor. The bill next goes to President Obama for signature and the White House has indicated that he intends to sign it. The bill establishes the Department of Homeland Security as the lead “portal” for reporting cyber threats. It also provides liability protections for companies that share – or do not share – cyber threat indicators or defensive measures with the government.
By Darryl Drevna
The White House is reviewing, but has not yet approved, a nearly complete draft of cybersecurity legislation that may pass as early as next week. House and Senate negotiators are working to merge three cyber bills that are designed to encourage private companies to share more data on cybersecurity threats with the government. Negotiators are hoping to move compromise legislation through Congress in the coming days and have it ready for President Obama's signature by the end of the year. It appears, however, that final passage is tied to the ongoing appropriations process.
By Darryl Drevna
On November 30, by voice vote, the House passed the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490), which formally authorizes the Department of Homeland Security to create a National Computer Forensics Institute (NCFI). The U.S. Secret Service will operate the institute, which will train and equip state and local law enforcement, prosecutors and judges on investigating cyber threats and forensic examinations of mobile devices.
By Daniel L. Farris
The Federal Financial Institutions Examination Council (“FFIEC”) issued a press release last week “alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.” The FFIEC went on to say that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.”
The European Commission announced Monday that it has reached a deal in principle with the United States on what is being called “Safe Harbor 2.0” – a new data sharing agreement to replace the Safe Harbor agreement invalidated by the EU Court of Justice earlier this month. The Commission’s announcement came on the same day that the German DPA issued a position paper declaring all remaining alternatives to Safe Harbor – including model contract clauses and Binding Corporate Rules – to no longer be viable means for transatlantic data transfer.
By Darryl Drevna
In something of a response to the EU’s invalidation of Safe Harbor earlier this month, the Senate voted 74 – 21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday. The bill was originally introduced by Sen. Dianne Feinstein (D-CA) in June 2014, in the wake of several high-profile cyber attacks on US companies.
Recent high profile data breaches involving large, prominent insurers have caused state insurance regulators to ramp up efforts related to cybersecurity issues. These breaches have impacted tens of millions of individuals at a time, and resulted in multi-state market conduct examinations with each examination involving 50 plus jurisdictions.