Yesterday, the FTC published a blog post outlining what companies should expect if they find themselves as the subject of an FTC data security investigation. In addition to highlighting the different phases of the FTC’s investigative process, the FTC discussed the types of information that it seeks as well as the questions it wants answered. The FTC highlights that it would consider a company’s cooperation with “criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion” as part of the “steps the company took to help affected consumers[,]” and such cooperation with law enforcement would lead the FTC to “likely . . . view that company more favorably than a company that hasn’t cooperated.” Notably, the FTC does not provide any guidance on what actions qualify as “cooperation with law enforcement” or whether withholding privileged information — such as internal or third-party forensic reports — would cause a company to be viewed less favorably than one that discloses such information.
Yesterday, the U.S. Supreme Court granted certiorari and agreed to consider Campbell-Ewald Company v. Gomez, in which the U.S. Court of Appeals for the Ninth Circuit held that a consumer’s failure to accept an advertiser’s settlement offer that would fully satisfy the consumer’s claim did not render moot either the consumer’s individual claim under the Telephone Consumer Protection Act (TCPA) or his putative class action, arising from the alleged transmission of unsolicited automated text messages.
A federal judge in the Northern District of California recently certified his denial of AT&T’s Motion to Dismiss the Federal Trade Commission’s (FTC’s) complaint alleging that AT&T misled consumers by limiting its “unlimited” data plan for mobile customers. This means that AT&T will now be able to appeal that decision to the Ninth Circuit.
The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on May 7 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of Self-Regulatory Principles to the Mobile Environment (DAA Mobile Guidance) on September 1, 2015. As discussed previously on InsidePrivacy, the DAA Mobile Guidance explains how the existing DAA Self-Regulatory Principles for Online Behavioral Advertising and Multi-Site Data apply to mobile websites and applications and includes requirements for the collection and use of personal directory data (i.e., calendar, address book, phone/text log, or photo/video data created by a consumer that is stored on or accessed through a particular device) and precise location data (i.e., data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device).
As we discussed in two prior posts (here and here), the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would relax limitations on payment for PHI disclosed for research purposes and that would expand the purposes for which covered entities may disclose PHI to FDA-regulated entities without individual authorization. We also discuss several provisions included in a prior draft of the Cures bill that have been excluded from the April 29 draft.
As we discussed in a prior post, the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would allow remote access to PHI for purposes preparatory to research and that would permit individuals to make a one-time authorization of the use and disclosure of their PHI for research purposes.
The U.S. Court of Appeals for the Ninth Circuit on Tuesday asked the California Supreme Court to resolve a longstanding dispute over the interpretation of a retail privacy statute. If the state court rules on the issue, its decision could affect the ability of California retailers to collect information from consumers who make in-store payments using credit cards.
The Department of Justice (“DoJ”) recently issued new guidance for organizations on what it believes are best practices for managing cybersecurity incidents. As described further below, the guidance provides a broad overview of recommended steps to take to minimize the risk of an incident, as well as actions to take and to avoid in the event of a cybersecurity incident.
In remarks to the Criminal Division’s Cybersecurity Roundtable, Assistant Attorney General for the Criminal Division Leslie Caldwell noted that this “guidance is built on our experience prosecuting and investigating cybercrime, and incorporates knowledge and input from private sector entities that have managed cyber incidents.”
On April 29, 2015, the U.S. House Energy and Commerce Committee released a revised discussion draft of the 21st Century Cures Act (“Cures”). The Cures bill would make several changes to existing federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These changes would primarily affect the use and disclosure of protected health information (PHI) for “research purposes.” This post discusses a provision that would expand covered entities’ ability to use or disclose PHI for research purposes without authorization from the subject individual. Future posts will discuss provisions that would allow remote access to PHI for certain research purposes; allow a one-time authorization of the use and disclosure of PHI for research; eliminate limitations on remuneration for PHI disclosed for research purposes; and allow disclosure of PHI to FDA-regulated entities for research purposes such as comparative effectiveness analysis.
As we previously reported, on April 28, the FCC held a public workshop on protecting the privacy of consumers who use broadband Internet access services.