U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By: Allison Trimble

The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent).  The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent. 

Don’t be a Dummy – FTC Warns against Inadequate Security Controls in “Dummy” (Non-Production) Environments

By: Allison R. Trimble

The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices. 

Flu Shot Reminder Text Deemed "Health Care Message", TCPA Claim Dismissed

By: Zuzana S. Ikels

The Second Circuit recently addressed a matter of first impression, interpreting the scope and effect of the FCC’s Healthcare Exception, which exempts healthcare providers from violations of the Telephone Consumer Protection Act (“TCPA”) when contacting patients about their care. In Latner v. Mt. Sinai Health Center, the patient came for a routine visit and signed a written consent form that contained his contact information and granted Mt. Sinai consent to use his health information “for payment, treatment and hospital operations purposes.” Ten years later, the patient received a single text message reminding him to get an immunization shot. The plaintiff sued, asserting that the message violated the TCPA.

Winter is Coming…and so is PSD2

By Reece Clark

Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.

The Power of a Transparent and Broad Privacy Policy

By Zuzana Ikels and Erin Fleming Dunlap

The enforceability of privacy policies and consumer consent as to targeted advertisements related to medical or healthcare conditions is a hot-button topic in law and business. In Smith v. Facebook et al. (filed in March 2016), plaintiffs sought to test the boundaries. In a surprising result, and after a year of briefing and oral argument, Judge Edward Davila of the Northern District of California issued his order a few days ago: the Court dismissed the entire complaint without leave to amend. Polsinelli attorneys Zuzana S. Ikels and Erin Dunlap provided analysis and recommendations regarding the power of a transparent and broad privacy policy in an article published by Law360.

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court of the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App to secretly capture patients’ sensitive health information and, unbeknownst to the patients, transmit that information to an off-shore third-party tech company. The suit also alleges that, contrary to MDLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information to the patient’s healthcare provider and instead grants broad access to its employees (including software developers), agents and third parties. The suit further alleges that MDLive breached its contract with the patients by failing to implement adequate security measures (such as encryption) to ensure that access to their health information was appropriately restricted.

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on its wireless headphone customers by secretly collecting and transmitting the users’ private music and other audio selections to third parties without disclosure and user consent.

Swiss-U.S. Privacy Shield Opens for Self-Certifications

By Amanda J. Katzenstein

On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015. 

Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers

By Zuzana S. Ikels

In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISP providers that were issued in October 2016 by the Federal Communications Commission (FCC). The FCC Privacy Rules required ISP and broadband providers to obtain an individual’s consent and authorization – through an “opt-in” mechanism – before a provider could collect, use, share or sell the customer’s information to third-party marketers and companies. The rules also included data security and data breach notification recommendations and requirements. The FCC also imposed a blanket prohibition on ISP providers that offered “take-it-or-leave-it” broadband services contingent on pre-authorization.

FTC Shakeup May Shift Privacy & Data Security Enforcement – Focus on Actual Harm

By D. Rockwell Bower

A leadership change at the Federal Trade Commission (FTC) may spell relief for U.S. businesses grappling with the agency’s enforcement measures amidst an increasingly dangerous cybersecurity landscape. On January 25, 2017, President Donald Trump named Maureen Ohlhausen (currently a commissioner of the FTC) as acting chairman of the FTC. Ohlhausen has served at the agency in various capacities for more than a decade, and is now the lone Republican remaining on what will soon be a two-member commission, after former-Chair Edith Ramirez’s announced resignation. When Ramirez leaves the agency on February 10th, only Ohlhausen and Commissioner Terrell McSweeney (Democrat) will remain at the helm with three vacant commissioner seats for President Trump to appoint. 

Brexit & Privacy: Keep Calm and Carry On

By Daniel L. Farris

As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.  

There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.  

House Passes Cybersecurity Funding and Outreach Bills

By Daniel L. Farris

The U.S. House of Representatives passed the Support for Rapid Innovation Act (H.R. 5388) and the Leveraging Emerging Technologies Act (H.R. 5389) on Tuesday. Both bills gained broad bipartisan support after being recommended by the House Homeland Security Committee last week. If enacted, the bills will appropriate new funds to DHS for outreach and private-sector collaboration for the development of innovative cybersecurity technologies.

House Homeland Security Committee Approves Slew of Cybersecurity Proposals; Moves for the Creation of New Cybersecurity Agency

By Daniel L. Farris

The U.S. House of Representatives Homeland Security Committee approved four cybersecurity-related bills on Wednesday, including one that could create a new federal cybersecurity agency. Most significantly, the Committee unanimously approved H.R. 5390 – a bill that aims to transform the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) into a full-blown operational agency. The proposed Cybersecurity and Infrastructure Protection Agency would “realign and streamline” federal cybersecurity initiatives, and implement the Cybersecurity Information Sharing Act (CISA), which passed in December.

Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules

By Nicole A. Poulos

The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”) a mere three weeks after Chairman Tom Wheeler proposed them.  The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment.  Currently, no enforceable privacy rules exist for broadband networks.

Adoption of the Proposed Rulemaking did not go without a fight, as the final vote was a 3-2 split. Opponents of the rules argued that the regulations only target ISPs, and fail to reach social networks and other online services. Proponents of the proposed rules argued that ISPs can collect and piece together a wealth of information on customers, including private information.

Congress Passes Omnibus Appropriations Package; Cybersecurity Bill to Become Law

By Darryl Drevna

Earlier this morning both the House and Senate voted to pass the Omnibus Appropriations Package, clearing the way for the Cybersecurity Act of 2015 to be signed into law. The House voted 316 to 113 to pass it and the Senate voted 65 to 33 in favor. The bill next goes to President Obama for signature and the White House has indicated that he intends to sign it. The bill establishes the Department of Homeland Security as the lead “portal” for reporting cyber threats. It also provides liability protections for companies that share – or do not share – cyber threat indicators or defensive measures with the government.

Cybersecurity Bill Nears Passage as Negotiations Continue on Privacy Provisions

By Darryl Drevna

The White House is reviewing, but has not yet approved, a nearly complete draft of cybersecurity legislation that may pass as early as next week.  House and Senate negotiators are working to merge three cyber bills that are designed to encourage private companies to share more data on cybersecurity threats with the government. Negotiators are hoping to move compromise legislation through Congress in the coming days and have it ready for President Obama's signature by the end of the year.  It appears, however, that final passage is tied to the ongoing appropriations process.  

House Advances Cyber Crime Bill

By Darryl Drevna

On November 30, by voice vote, the House passed the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490), which formally authorizes the Department of Homeland Security to create a National Computer Forensics Institute (NCFI). The U.S. Secret Service will operate the institute, which will train and equip state and local law enforcement, prosecutors and judges on investigating cyber threats and forensic examinations of mobile devices.

FFIEC Warns Banks of Increased Cyber Attacks Involving Extortion

By Daniel L. Farris

The Federal Financial Institutions Examination Council (“FFIEC”) issued a press release last week “alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.” The FFIEC went on to say that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.”

US-EU Have Agreement in Principle on New Data Sharing Pact

By Gregory M. Kratofil, Jr.

The European Commission announced Monday that it has reached a deal in principle with the United States on what is being called “Safe Harbor 2.0” – a new data sharing agreement to replace the Safe Harbor agreement invalidated by the EU Court of Justice earlier this month. The Commission’s announcement came on the same day that the German DPA issued a position paper declaring all remaining alternatives to Safe Harbor – including model contract clauses and Binding Corporate Rules – to no longer be viable means for transatlantic data transfer. 

Senate Passes Cybersecurity Bill, Conference with House Expected

By Darryl Drevna

In something of a response to the EU’s invalidation of Safe Harbor earlier this month, the Senate voted 74 – 21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday. The bill was originally introduced by Sen. Dianne Feinstein (D-CA) in June 2014, in the wake of several high-profile cyber attacks on US companies.
