Today, in a 5-4 decision, the US Supreme Court ruled that the government’s acquisition of information regarding an individual’s location based on a cell phone record amounts to a Fourth Amendment search and generally requires a warrant.  In Carpenter v. United States, the government obtained nearly 13,000 location points on Carpenter’s movements over a 127-day period from Carpenter’s wireless carrier under the Stored Communications Act (SCA).  The standard for obtaining information under the SCA is much lower than the probable cause showing required for a warrant.  The government used these cell phone records to show that Carpenter’s phone was near four locations that had been robbed when those robberies occurred and obtained a conviction.  In reversing the decision of the Sixth Circuit and remanding the case, the Court held that individuals have a reasonable expectation of privacy in their physical movements.

Chief Justice Roberts delivered the 119-page opinion for the majority, joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. Justices Kennedy, Alito, Thomas and Gorsuch each filed dissenting opinions.

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.  Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

In March of this year, we told you that the D.C. Circuit Court of Appeals issued a decision in ACA Int’l. v. FCC, wherein the court set aside two FCC interpretations of the Telephone Consumer Protection Act, or TCPA. Specifically, the court ruled that the FCC’s interpretation as to what constitutes an autodialer under the TCPA was unreasonably expansive, and that the FCC’s treatment of reassigned numbers was also overly broad.

On May 22, the United States District Court for the Northern District of Georgia, Atlanta Division, issued a decision further restricting the scope of the TCPA. By way of reminder, the Congress passed the TCPA in 1991 in an effort to curb robo calls.  The case involved calls made by a debt collector to a former Comcast customer.  She sued, claiming that the calls were impermissible under the TCPA.  An essential aspect of the TCPA claim at issue was that the call must be made through the use of an “automatic telephone dialing system”, or ATDS, as defined in the statute. Continue Reading District Court Gives Narrow, Reasonable Scope to TCPA

This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance.  The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization.  A copy of the guidance can be obtained hereContinue Reading OCR Issues Guidance on the Use of HIPAA Authorizations for Research

On June 4, 2018, the Governor signed into law Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies (the “Act”), likely in reaction to the Equifax breach among many others.  The title of the Act leaves little to the imagination as to its subject matter.

Continue Reading Connecticut Legislature Responds to Proliferation of Data Breaches

Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world and its potential financial impact is huge; fines can reach up to € 20 million Euros (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following: Continue Reading Three Important Considerations For All Businesses in Light of GDPR

Malware-infected servers of a Baltimore hospital system, LifeBridge, may have affected more than half a million patient records. LifeBridge reports in a statement on its website that it discovered malware on the servers that host electronic medical records as well as patient registration and billing systems.  The provider’s investigation determined that an unauthorized person accessed the server of its physician practice over a year and a half ago on September 27, 2016.  Accessed information may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and social security numbers.  LifeBridge sent letters to potentially affected patients and is offering one year of credit monitoring to individuals whose social security numbers may have been accessed.

While it appears that LifeBridge reported the breach to the state AG, as of the date of this post, this breach is not listed on OCR’s list of breaches affecting 500 or more patients (lovingly referred to as the OCR “Wall of Shame”).

The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018.  The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration.  By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.”  The strategy document is broken into five pillars:  risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enable cybersecurity outcomes.  DHS assures that it “will maintain a leadership role, collaborating with other federal agencies, the private sector, and other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient.”

Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including back account and social security numbers. Drivers brought a class action suit in federal court in the U.S. District Court for the Northern District of California.  On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact. Continue Reading Uber Catches Break in Data Breach Class Action

On May 3, 2018, Governor Malloy announced the release of the State of Connecticut’s Cybersecurity Action Plan, which builds on the State’s Cybersecurity Strategy launched in July 2017.  Developed by Connecticut’s Chief Cybersecurity Risk Officer Arthur House and Chief Information Officer Mark Raymond, the Action Plan applies the seven principles set forth in the Cybersecurity Strategy –  leadership, literacy, preparation, response, recovery, communication, and verification – to individuals, organizations, government agencies, and businesses. Continue Reading Connecticut’s New Cybersecurity Action Plan