Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm. Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane. The focus of the guidance is that HIPAA should not impede patient care in a disaster situation. (Full post: OCR Releases Hurricane Florence Guidance Ahead of Storm)
On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018. The EU Parliament believes that the current Privacy Shield program does not provide the adequate level of protection required by European law. This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. But a lot has changed in two years. (Full post: EU Commission Recommends Suspension of Privacy Shield; Recent FTC Efforts May Be Too Little Too Late)
In March of this year, we told you that the D.C. Circuit Court of Appeals issued a decision in ACA Int’l. v. FCC, wherein the court set aside two FCC interpretations of the Telephone Consumer Protection Act, or TCPA. Specifically, the court ruled that the FCC’s interpretation as to what constitutes an autodialer under the TCPA was unreasonably expansive, and that the FCC’s treatment of reassigned numbers was also overly broad.
On May 22, the United States District Court for the Northern District of Georgia, Atlanta Division, issued a decision further restricting the scope of the TCPA. By way of reminder, Congress passed the TCPA in 1991 in an effort to curb robocalls. The case involved calls made by a debt collector to a former Comcast customer. She sued, claiming that the calls were impermissible under the TCPA. An essential element of the TCPA claim at issue was that the call must be made through the use of an “automatic telephone dialing system”, or ATDS, as defined in the statute. (Full post: District Court Gives Narrow, Reasonable Scope to TCPA)
On June 4, 2018, the Governor signed into law Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies (the “Act”), likely in reaction to the Equifax breach among many others. The title of the Act leaves little to the imagination as to its subject matter.
Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world, and its potential financial impact is huge: fines can reach up to €20 million (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following: (Full post: Three Important Considerations For All Businesses in Light of GDPR)
The conversation surrounding the data we put online continues to heat up. Bloomberg reports that in 2015, Twitter sold access to randomly selected tweets to Aleksandr Kogan, the individual who created the personality quiz that Cambridge Analytica then used to harvest Facebook user data. Working under his own commercial enterprise, Global Science Research, Mr. Kogan gained access to a random sampling of five months of Twitter posts, covering the dates of December 2014 to April 2015. As of the date of this blog post, Twitter has not provided any further details other than confirming that it provided access to this public data through its application programming interface, known as an API, and that Global Science Research paid for this access. While at this stage not much is known about Global Science Research’s purpose for accessing this data, it becomes yet another example of a social media company sharing its users’ information, this time for a price. In our interconnected world, it will be interesting to see whether social media users begin to retreat from sharing information online or whether such practice is already too entrenched in our day-to-day lives to experience a shift.
Yesterday the United States Court of Appeals for the Seventh Circuit weighed in on the consumer class action standing issue. The court found that Barnes & Noble customers have standing to pursue a class action concerning the hacking of the retailer’s PIN pads. In doing so, the Seventh Circuit reversed a district court ruling dismissing the complaint for failure to adequately plead damages. The Court of Appeals determined that the time value of money that had been removed from plaintiffs’ accounts (even though it was ultimately returned), the costs of credit monitoring, and the time invested to create new accounts were all sufficient to provide standing. (Full post: The Seventh Circuit Weighs In On Standing)
The Federal Bureau of Investigation and the Department of Homeland Security issued a joint Technical Alert late last week to warn that Russian government-backed hackers are actively targeting U.S. utilities, other critical infrastructure, aviation, manufacturing, and commercial facilities. The alert reports that the Russian hackers are initially obtaining access to suppliers or third-party vendors as “staged targets,” waiting for an opening, and then accessing their ultimate “intended target” using malware and spear-phishing techniques. Once the hackers gain access to the intended target, they conduct reconnaissance and collect information on the industrial control systems. The hackers use that information to take control of those systems, allowing them to conduct multiple, simultaneous shutdowns in a coordinated attack to deny necessary services such as electricity and water. These attacks highlight the necessity for third-party and vendor due diligence. See our Three Minute Check-In Series to learn more.
*Brad Davis is a Legal Intern in the Privacy and Cybersecurity Practice Group of Murtha Cullina LLP.
In this inaugural episode of the Murtha Cullina Cybersecurity Three Minute Check In Series, Dena Castricone addresses vendors, the risk they pose and simple steps to reduce risk.