HHS Releases Unofficial Set of Combined HIPAA Regulations

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards:

  • Transactions and Code Set Standards
  • Identifier Standards
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Breach Notification Rule

The document reflects the changes in the HIPAA Omnibus Rulemaking issued in January 2013, and therefore can serve as a helpful resource to covered entities and business associates as they work to come into compliance with the new standards by September 23, 2013.

HHS Settles HIPAA Privacy Case With California Medical Center

By Rachel Grunberger and Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP).

HHS’s investigation was prompted by an article in the Los Angeles Times published in January 2012, which indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a particular patient without first obtaining a valid written authorization.  The investigation further revealed that:

  • SRMC impermissibly disclosed the patient’s protected health information to different media outlets on at least three occasions, without obtaining the patient’s authorization;
  • SRMC senior management sent an e-mail to the entire workforce that included details about the patient’s medical condition, diagnosis, and treatment; and
  • SRMC failed to sanction its workforce members for the impermissible disclosures pursuant to SRMC’s internal sanctions policy.

FCC to Consider Ruling on Carriers' Use of Data Collected on Mobile Devices

The Federal Communications Commission is scheduled to vote this month on a declaratory ruling stating that existing rules governing telephone carriers’ use of subscribers’ personal information also apply to data collected on mobile devices.

Existing regulations restrict telecommunications carriers’ ability to use or disclose Customer Proprietary Network Information (CPNI) that a carrier obtains in the course of providing service to the customer. CPNI includes information such as the locations where calls are made, the numbers called, the length of calls, and other information contained in a customer’s bill.

FTC Holds Forum Addressing Mobile Security

By Chris Higby & Kurt Wimmer

Yesterday, the Federal Trade Commission held a forum on Mobile Security: Potential Threats and Solutions. The forum brought together academics, industry leaders, and security experts to discuss the security problems arising from the rapid adoption of mobile devices.

The first panel, consisting of security experts and researchers, gave a brief overview of mobile malware. They agreed that mobile malware infection rates are generally very low and that most malware accesses private information by using social engineering, rather than by exploiting technical flaws. Looking forward, Dan Guido, CEO of Trail of Bits, viewed the replacement of legitimate applications in app stores with malware versions as the most serious threat.

The second panel, consisting of security representatives from the major mobile operating systems (Microsoft’s Windows Phone, Google’s Android, Mozilla’s Firefox OS, Research In Motion’s BlackBerry, and Apple’s iOS), addressed how mobile platforms are designed with security in mind. Adrian Ludwig of Google advocated the use of install-time permissions, such as those found in Android, as a way to increase transparency to the user. However, both Adrian Stone of BlackBerry and Geir Olsen of Microsoft expressed skepticism as to the effectiveness of permissions for the average user. Ludwig also criticized Apple’s approach of restricting users to “curated” app stores as a restriction on user choice.

Personalization of travel shopping

Personalization of the shopping experience is a hot topic in the travel industry.  It has also prompted privacy regulators to consider the implications for the consumer.  For example, the Article 29 Data Protection Working Party in April issued a letter to the International Air Transport Association (IATA) on this topic, and a Department of Transportation committee recently commenced discussions of privacy practices in the airline distribution chain.  IATA has today released a video that explains its New Distribution Capability and the type of personalization that it envisages.  It includes some interesting examples of in-context notices that can be provided to consumers in relation to the data collection involved.  (Note that the video has background music and the demonstration of the personalization options begins after the first minute.)

FTC Announces Information about Upcoming Mobile Security Forum

Today, the Federal Trade Commission released the agenda and panelists for the public forum it is holding on mobile security, Mobile Security: Potential Threats and Solutions, on June 4, 2013.  The forum will bring together technology researchers, industry members, and academics to explore mobile malware, the security of existing and developing mobile technologies, and the roles various members of the mobile ecosystem can play in protecting consumers from these types of security threats.  As the FTC has highlighted, mobile security is a critical issue of interest – in the FTC’s words, an “apple pie” issue – to businesses and customers alike as the mobile marketplace continues to grow.  The agenda features four panels: (1) Understanding Mobile Malware, (2) Building Security into Modern Mobile Platforms, (3) Extending Security Throughout the Mobile Ecosystem, and (4) Solutions for Consumers to Protect Themselves from Mobile Threats. 

The forum will be held on June 4, 2013, at the FTC Conference Center, 601 New Jersey Avenue, NW, Washington, DC.  The program begins at 9:00 am and will conclude at 4:30 pm.  The workshop is free, open to the public, and no registration is required.  The FTC will also provide a live webcast available at the forum’s website.

FTC Official Highlights FCRA Enforcement as a High Priority

Earlier this month, Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance regarding consumer report accuracy and the FTC’s efforts to improve accuracy through education and enforcement.  Her testimony emphasized the impact that consumer report errors may have on a consumer’s ability to obtain credit or other benefits.  Ms. Mithal also reiterated that “vigorous enforcement” of the Fair Credit Reporting Act is a “high priority” for the agency. 

As described in Ms. Mithal’s testimony, the FTC has enforced many different aspects of the FCRA in the past decade, from imposing a $2.6 million civil money penalty against HireRight for providing employment background screening services without complying with the FCRA to a $2.5 million fine against Asset Acceptance, LLC for furnishing inaccurate information to consumer reporting agencies.  In addition, the FTC recently has sent letters to data broker companies and letters to operators of websites that share consumers’ rental histories with landlords informing the recipients that they may be subject to the FCRA.  

We expect the FTC and CFPB to continue to prioritize FCRA enforcement going forward.

FCC Confirms That Sellers Can Be Liable for Telemarketer TCPA Violations

A seller who authorizes a third-party telemarketer to market the seller’s goods or services may be held vicariously liable if the telemarketer violates the Telephone Consumer Protection Act (TCPA), the Federal Communications Commission held in a May 9 declaratory ruling.

The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — includes several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.

FTC Reminds Mobile App Developers To Comply With Revised Children's Privacy Requirements By July 1

The Federal Trade Commission has sent letters to more than 90 different companies who develop mobile apps that the FTC claims may be directed to children.  The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised COPPA Rule.  Instead, the letters remind these companies that if their apps collect, use, or disclose children's images and voices, mobile device identifiers, and other types of "personal information," they must bring their apps into compliance with the revised COPPA Rule by July 1, 2013.  

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with apps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Key Decision in Nike Song-Beverly Litigation

Businesses should take note of this week’s decision in Gormley v. Nike, Inc., a lawsuit under California’s Song-Beverly Credit Card Act, in which plaintiffs allege that Nike violated the Act by requesting ZIP codes from them during credit card transactions in Nike’s retail stores.  Judge Susan Illston of the Northern District of California denied Nike's motion for summary judgment, holding that genuine issues of material fact existed as to whether the plaintiffs reasonably would have perceived Nike’s request for ZIP codes as suggesting that providing that information was a condition of being able to use a credit card.  

Nike argued that the specifications for its point-of-sale (“POS”) software, as well as store policies and procedures, showed that any request for ZIP codes would have occurred after a credit card transaction was complete; thus, no reasonable consumer would have believed that his or her ZIP code was being requested as a condition of being able to use a credit card.  However, the court noted that the specifications for the POS software suggested that the software would prompt a cashier to request a ZIP code after the “receipt had started printing.”  The court therefore concluded that “under the POS system in place during the relevant time period, it was possible for a cashier to request a customer’s ZIP code prior to giving the customer his or her receipt and merchandise.”

As businesses explore options for complying with Song-Beverly, they should consider the holding of the Nike case. 

Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Air Lines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004.

On Thursday, the Superior Court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) preempts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts that have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is preempted.

Cyber Theft Bill Introduced by Bipartisan Group of Senators

On Tuesday, Senators Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK) introduced the “Deter Cyber Theft Act.”

The Act would require the Director of National Intelligence (“DNI”) to provide relevant congressional committees with an annual report on “foreign economic and industrial espionage in cyberspace.”  The report would require the DNI to identify “foreign countries that engage in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” and “priority foreign countries”—those countries that the DNI “determines engage in the most egregious economic or industrial espionage in cyberspace.”  The bill specifies that the DNI must identify foreign countries pursuant to the Act if the foreign government “engages in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” or “facilitates, supports, fails to prosecute, or otherwise permits such espionage by” its citizens or residents or entities organized under its laws or subject to its jurisdiction.

Craigslist wins first step against screenscrapers - lesson for drafting TOUs

On April 29, Craigslist was successful in fighting off a motion to dismiss filed by three screenscraping sites (3Taps, Padmapper and Lovely) in its pending litigation in the Northern District of California.  In Craigslist Inc. v. 3Taps Inc., No. CV 12-03816 (N.D. Cal.), Craigslist sued these sites, alleging that their scraping of Craigslist content violated the federal Computer Fraud and Abuse Act (and the Act’s California analogue), the Copyright Act, and the Lanham Act, and constituted a trespass to chattels.  Although not all of Craigslist’s claims survived the defendants’ motion to dismiss, its claims under the Computer Fraud and Abuse Act, some copyright claims, the reverse passing off claim, and the trespass claim did satisfy the required facial plausibility standard.

The decision adds to the growing case law around screenscraping, and serves as a timely reminder of the fact that the language of a Web site’s terms of use (TOU) is an important factor in such cases.  In this case, Craigslist faces questions over whether it has standing to sue for copyright infringement because of the drafting of the content license in the Craigslist TOU.  The license grant provision in the Craigslist TOU is arguably ambiguous as to whether it provides for an “exclusive” license from users to Craigslist.  Citing Ninth Circuit case law, the order noted, “[O]nly the owner of an exclusive right under the copyright is entitled to sue for infringement.”  TOUs are often drafted with a non-exclusive license to user created content or with ambiguity as to exclusivity, and thus some Web site owners may lack sufficient standing to bring copyright infringement claims in relation to some of the content on their sites.  Of course, it may not always be appropriate to request an exclusive license from users, but it is a question that all Web site owners should consider when preparing or maintaining their TOU.

FTC Votes To Retain July 1 Compliance Date for Revised COPPA Rule

The Federal Trade Commission (FTC) has voted unanimously to retain the July 1, 2013 effective date for its revisions to the rule implementing the Children’s Online Privacy Protection Act (COPPA).  As we previously wrote, the FTC adopted significant revisions to the COPPA rule in December 2012 and established a July 1, 2013 effective date.  In recent weeks, nineteen consumer groups signed a letter opposing any delay in the effective date, while approximately twenty industry associations signed a letter arguing in favor of extending the effective date.  In late April, the FTC published updated Frequently Asked Questions on its website to provide additional guidance for complying with the revised COPPA rule.

Today, the Commission responded to the industry associations’ letter and informed them that it would retain the July 1, 2013 effective date.  The Commission acknowledged that the revised rule “does impose new obligations on child-directed sites and services,” but explained that, “in selecting an effective date of July 1, 2013, the Commission determined that six months would be adequate time for such operators to assess whether third parties collect personal information through their site or service.”    

Although the Commission did not extend the effective date, it did pledge to “exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small business that have attempted to comply with the Rule in good faith in the early months” following July 1.

DOT shifts consumer protection focus to privacy

The US Department of Transportation (DOT) announced today that the fourth in a series of public meetings of the Advisory Committee on Aviation Consumer Protection will focus on privacy issues.  This DOT Committee has been working on various rulemaking and enforcement initiatives affecting consumer protection in air travel, but this will be the first time that privacy practices and use of data have been made the central topic of a Committee meeting.  The DOT supervises airlines’ privacy practices because airlines are subject to sector-specific oversight (air carriers are among the businesses that are excluded from the FTC’s Section 5 authority).

The announcement states that the meeting will address the treatment of personally identifiable information collected in connection with the purchase of air travel from airlines and travel agents.  Issues to be discussed include: 

  • what information is collected and by whom?
  • who retains information (airlines, travel agents, including on-line travel agents (OTAs), and global distribution systems (GDSs))?
  • what privacy policies are in place and is information used consistent with those policies?
  • what security measures are in place to protect against unauthorized access?  

BYOD's Rapid Growth Presents New Legal Challenges

Companies are increasingly allowing employees to access work email and apps on their personal devices, according to a new Gartner survey of chief information officers.  But employers confront many tough policy and legal questions when they adopt Bring Your Own Device (“BYOD”) programs.

Thirty-eight percent of the CIOs said that their organizations will stop providing laptops, smartphones, and tablets to workers by 2016.  Those employees will have to access work networks via their personal devices through BYOD programs.  Forty-five percent of the CIOs expect to require BYOD by 2020.

“Everybody in every industry is looking at how they can leverage the Bring Your Own Device program,” David Willis, Gartner’s Chief of Research for Mobility and Communications, stated on a web conference today.

According to the survey, employers in the United States and Asia-Pacific region lead BYOD adoption, while Europe lags behind.

BYOD programs present substantial savings for employers, Willis said.  Although employers typically reimburse employees for part of their monthly smartphone bills, those payments are not nearly as high as the costs of employer-issued devices, he said.  Additionally, he noted that many employers offer BYOD programs to meet the “incredible employee demand for using the device they prefer in work.”

Before offering BYOD, Willis said, employers should carefully examine all legal implications, including the taxation of device stipends, whether labor laws prohibit hourly employees from responding to work emails after-hours, and data security and privacy laws.  In particular, Willis noted that employees must be aware that if litigation arises, the employees may be required to turn over their devices during discovery.

Covington Files Comments on Cybersecurity Incentives

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical infrastructure entities.  To facilitate these initiatives, the Executive Order instructs the Secretaries of Homeland Security, Treasury, and Commerce to recommend incentives to promote participation in the Program.

On March 28, the Department of Commerce, through the Office of the Secretary, NIST, and the National Telecommunications and Information Administration (“NTIA”), issued a Notice of Inquiry regarding “Incentives To Adopt Improved Cybersecurity Practices.”  Yesterday, representatives of Covington & Burling LLP and The Chertoff Group filed comments in response to the Notice of Inquiry.  The comments set out several principles for the Department of Commerce to consider in structuring incentives for participation in the Program.  The comments are based on the professional experience of the representatives and are not offered on behalf of any client of either firm or any other entity.

All of the comments submitted in response to the Notice of Inquiry are available on the NTIA website.

FTC's Current Enforcement Priorities: Infographic

Speaking at a seminar hosted by the International Association of Privacy Professionals, Assistant Director Chris Olsen and Senior Attorney Peder Magee, both of the Federal Trade Commission's Division of Privacy and Identity Protection, provided a useful overview of the FTC's recent enforcement actions and current enforcement priorities.  Based on this discussion, the following infographic identifies the FTC's top four enforcement priorities, and recent and future activity that will inform its path forward:  

[Infographic: the FTC’s top four enforcement priorities, with recent and future activity]

ECPA Reform Bill Sails Through Senate Judiciary Committee

Yesterday, a bill that would reform the Electronic Communications Privacy Act of 1986 ("ECPA") was approved by the Senate Judiciary Committee on a voice vote. Under ECPA, as it currently stands, police need only a subpoena, issued without approval by a judge, to access private e-mails that have already been opened or that are more than 180 days old. Under the reform bill, which was sponsored by Committee Chairman Patrick Leahy (D-Vt.) and Senator Mike Lee (R-Utah), police would have to obtain a search warrant before requiring providers of electronic communications services to give them access to e-mails and other private online content, including Facebook messages.

Privacy advocates, including public interest organizations and Internet businesses, have long urged Congress to update ECPA to bring it in line with the myriad technological changes that have taken place since its enactment nearly 30 years ago, as well as consumers' evolving expectations of privacy in their electronic communications. A statement by Computer & Communications Industry Association president and CEO Ed Black reflects that widespread position: "This is a long overdue step toward bringing our online privacy laws closer to both our existing Fourth Amendment protections and our reasonable expectations for privacy. . . . Most people don't realize that six-month-old emails have different levels of privacy protection than newer emails." The Internet Association, an organization of prominent Internet businesses including Facebook, Google, and eBay, called the Senate Judiciary Committee's passage of the ECPA reform bill "a significant step in safeguarding the privacy of users' electronically stored content." The passage of the bill through the Judiciary Committee on a voice vote bodes well for its chances of being passed by the full Senate.

Boston Marathon Bombings Spark Renewed Debate Over Surveillance

In the wake of the Boston marathon bombings and in response to the quick work of law enforcement officials who were significantly aided in their identification of the suspected bombers by videos from government- and privately owned surveillance cameras, there has been renewed public discussion regarding the privacy implications of the proliferation of security cameras. While many government officials advocate the deployment of more security cameras and law enforcement access to captured material, privacy advocates urge caution with regard to increased surveillance. In particular, privacy advocates voice concern with regard to the potential use of surveillance by law enforcement officers on "fishing expeditions" -- combing through video footage to identify individuals engaged in unusual behavior, without having any other evidence that those individuals are engaged in illegal activities. Below we have highlighted a few interesting pieces discussing the issues.
