Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program.  One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement. Continue Reading More FTC Privacy Shield Settlements, But Will It Be Enough For The EU?

On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country.  California enacted the CCPA in June and it takes effect on January 1, 2020.  Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses.  Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles.  Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act

 

On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000.  In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.”  In all three separate investigations, OCR found deficiencies.  While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate.  In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations. Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”

On August 3, 2018, the Governor in Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach.  Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . .  that reasonably conforms to an industry recognized cybersecurity framework.”  Acceptable standards include the NIST framework and compliance with PCI requirements.  For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach Bliley (GLBA), will also provide protection.  Many believe that this legislation will encourage businesses in Ohio to allocate more resources for cybersecurity and data protection programs.

You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date.  Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures.  Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.” Continue Reading California Gets Its Very Own GDPR with Statutory Damages

Today, in a 5-4 decision, the US Supreme Court ruled that the government’s acquisition of information regarding an individual’s location based on a cell phone record amounts to a Fourth Amendment search and generally requires a warrant.  In Carpenter v. United States, the government obtained nearly 13,000 location points on Carpenter’s movements over a 127-day period from Carpenter’s wireless carrier under the Stored Communications Act (SCA).  The standard for obtaining information under the SCA is much lower than the probable cause showing required for a warrant.  The government used these cell phone records to show that Carpenter’s phone was near four locations that had been robbed when those robberies occurred and obtained a conviction.  In reversing the decision of the Sixth Circuit and remanding the case, the Court held that individuals have a reasonable expectation of privacy in their physical movements.

Chief Justice Roberts delivered the 119-page opinion for the majority, joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. Justices Kennedy, Alito, Thomas and Gorsuch each filed dissenting opinions.

In March of this year, we told you that the D.C. Circuit Court of Appeals issued a decision in ACA Int’l. v. FCC, wherein the court set aside two FCC interpretations of the Telephone Consumer Protection Act, or TCPA. Specifically, the court ruled that the FCC’s interpretation as to what constitutes an autodialer under the TCPA was unreasonably expansive, and that the FCC’s treatment of reassigned numbers was also overly broad.

On May 22, the United States District Court for the Northern District of Georgia, Atlanta Division, issued a decision further restricting the scope of the TCPA. By way of reminder, the Congress passed the TCPA in 1991 in an effort to curb robo calls.  The case involved calls made by a debt collector to a former Comcast customer.  She sued, claiming that the calls were impermissible under the TCPA.  An essential aspect of the TCPA claim at issue was that the call must be made through the use of an “automatic telephone dialing system”, or ATDS, as defined in the statute. Continue Reading District Court Gives Narrow, Reasonable Scope to TCPA

In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue Reading Uber Goes 0-2 in Data Breach Notifications

In a report released on April 5, 2018, the Government Accountability Office (GAO) concluded that the Centers for Medicare and Medicaid Services (CMS) has not done enough to adequately protect the electronic data of Medicare beneficiaries.  There are over 59 million Medicare beneficiaries and beneficiary information contains some of the most sensitive personal information, making it very attractive to criminals.  Therefore, CMS’s protection of that data is critically important. Continue Reading GAO Says CMS Must Do More to Protect Medicare Info