Digital Health Checkup: Key Questions to Consider in the Digital Health Sector

Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.

  • In the first part of the series, the Digital Health team answers key regulatory questions about digital health solutions.
  • In the second part of the series, the Digital Health team considers key commercial questions when contracting for digital health solutions.
  • In the third part of the series, the Digital Health team answers key regulatory and commercial questions about the Artificial Intelligence (AI), data privacy, and cybersecurity aspects of digital health solutions.

NIST Releases Updated Draft of Cybersecurity Framework

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector efforts related to and supportive of [the] Framework.”

English High Court Finds Supermarket Liable for Data Breach by Employee in First Successful Privacy Class Action

By Joseph Jones and Ruth Scoles Mitchell

On December 1, 2017, the High Court of England and Wales found the fourth-largest supermarket chain in the UK, Wm Morrisons (“Morrisons”), vicariously liable for a data breach caused by the intentional criminal actions of one of its employees, namely the leaking of payroll information online.

The breach affected almost 100,000 Morrisons employees and the action, brought by 5,518 former and current employees, is considered to be the first of its kind in the United Kingdom. The data compromised in the breach included personal data such as names, addresses, and bank account details.

District Court Rejects Consent Revocation Claim Under TCPA

A recent District of New Jersey case emphasizes that while, under the FCC’s 2015 interpretation of the law, a customer has a broad right to revoke consent to receive automated calls and texts under the Telephone Consumer Protection Act (“TCPA”), the manner in which the consumer seeks to revoke his or her consent must be reasonable.

On November 27, 2017, a New Jersey federal judge dismissed a putative class action against Kohl’s, rejecting the plaintiff’s assertion that her sentence-long opt-out replies to automated text message “sales alerts” were reasonable when she was presented with other clear and simple opt-out mechanisms.

NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171

Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement the security controls of National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) (“SP 800-171A”).

Currently, there is no regulation or statute that imposes SP 800-171A on contractors. Rather, SP 800-171A is intended as guidance for organizations in developing assessment plans and conducting “efficient, effective, and cost-effective” assessments of the implementation of security controls required by SP 800-171. Similar to SP 800-171, SP 800-171A does not prescribe specific, required assessment procedures. Instead, SP 800-171A provides a series of “flexible and tailorable” procedures that organizations could use for conducting assessments of each security control in SP 800-171. SP 800-171A specifically recognizes three distinct methods for conducting assessments: examining and interviewing, to facilitate understanding, achieve clarification, or obtain evidence; and testing, to compare actual results with expectations.

The Supreme Court Arguments in Carpenter Show that It May Be Time to Redefine the “Third-Party Doctrine”

On Wednesday, the Supreme Court heard oral arguments in Carpenter v. U.S., a case that involved the collection of 127 days of Petitioner Thomas Carpenter’s cell site location information as part of an investigation into several armed robberies.  We attended the argument to gain any insights into how the Supreme Court may resolve this important case.

The central issue in the appeal is whether the government can access this type and amount of individual location data without a warrant.  But an equally important issue is whether the Supreme Court should reevaluate the “third-party doctrine” exception to the Fourth Amendment’s warrant requirement in light of dramatic changes in the way individuals interact with technology in the digital era.  The “third-party doctrine” provides that individuals have no expectation of privacy in any information that is voluntarily released to a third party—a mobile-phone provider, cloud service provider, and the like.  The Court’s decision will have major implications for technology companies’ ability to protect customer data against warrantless searches by law enforcement officials.

During the 80-minute, extended oral arguments, the Justices broadly acknowledged that technology has changed dramatically in the decades since the Court originally recognized the third-party doctrine.  Each Justice, however, appeared to place varying weight on the import of that change on current legal standards.  Justices Kennedy and Alito focused on the information itself, rather than the technology, asking whether location information should be considered more sensitive than the bank information that United States v. Miller permitted law enforcement to access without a warrant, suggesting that banking information might be considered more sensitive.

Key Information Security Pointers from the FTC’s Stick with Security Guidance

Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices.  The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper insights into the ten principles articulated in the Start with Security guide.  These guidelines serve as a set of minimum recommended standards for “reasonable” data security practices by organizations with access to personal data (i.e. information related to consumers and employees), although they can be applied to other types of data as well.  The recommendations are not legal requirements, of course, but it can be useful for companies to consider the views of the FTC’s staff on the practices that are likely to be seen by the FTC as “reasonable.”  This post summarizes the recommendations made by the FTC’s staff in the Stick with Security series.

FCC Poised to Release Draft Order on Net Neutrality Overhaul

FCC Chairman Ajit Pai announced today that at its December 14 open meeting, the FCC will vote on an overhaul of the net neutrality framework adopted by the prior Administration in 2015.  The full text of the draft order will be released tomorrow, but Chairman Pai has made certain key details known today.  The order envisions an expanded role in oversight of Internet Service Providers (“ISPs”) by the Federal Trade Commission—a move which Acting FTC Chairman Maureen Ohlhausen welcomed.

First, as anticipated, Internet Service Providers (“ISPs”) will again be classified as providers of “information services” under Title I of the Communications Act, rather than “telecommunications services” under Title II.  In many ways, in recent years the net neutrality debate in the U.S. has been as much—or some would say, more—about this statutory classification question than it has been about specific net neutrality rules.

White House Releases Vulnerability Equities Policy and Processes

The White House released on November 15, 2017 the Vulnerabilities Equities Policy and Process for the United States Government (“VEP”) — the process by which the Government determines whether to disseminate or restrict information about new, nonpublic vulnerabilities that it discovers.  This release was motivated by criticism following the allegations that significant cyber-attacks have exploited vulnerabilities withheld by the Government, concerns that the Government is exploiting vulnerabilities instead of alerting vendors to fix them, and general calls for transparency in the process.

According to the newly-released documents, the VEP is overseen by an Executive Secretariat (a role filled by the National Security Agency) and the final decision about whether to disseminate or restrict vulnerability information is made by an interagency Equities Review Board (“ERB”).  The VEP is initiated when an agency submits a newly discovered and not publicly known vulnerability and provides its recommendation on whether to disseminate or restrict the information.  Any other agencies claiming an equity in the vulnerability must concur or disagree with the recommendation.  The ERB considers the opinions, renders a final decision, and the vulnerability is either disseminated or restricted.

The ERB’s determinations are based on the balancing of four groups of equities: (1) defensive; (2) intelligence, law enforcement, and operational; (3) commercial; and (4) international partnership.  Specific considerations include: whether and how threat actors will exploit the vulnerability, the potential harm caused by exploitation, the likelihood of effective mitigation, whether the vulnerability can be exploited to serve an intelligence or law enforcement purpose, and risks to the Government’s relationship with industry and international relations.

FTC Seeks Comment on Petition to Modify 2009 Sears Order Concerning Online Browsing Tracking

The Federal Trade Commission (“FTC”) is soliciting public comments on a petition filed by Sears Holdings Management (“Sears”) to reopen and modify a 2009 FTC order regarding the tracking of personal information on their software apps.  The petition is notable for a number of reasons.  First, the Sears consent order was a seminal order in the development of the FTC’s privacy jurisdiction, standing for the proposition that a company cannot “bury” disclosures that consumers would not expect in long privacy notices.  Second, the concept of modifying 20-year consent orders is an important one in light of changes over time.  Third, the petition seeks to correct the unintended consequences that a consent order can have on future technologies when such an order regulates present ones.

In the 2009 FTC order, Sears settled charges that it failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.  As part of that 20-year consent order, Sears agreed to make certain disclosures and obtain consent in connection with its downloadable software app and future ones that “monitor, record, or transmit information.”  The petition argues that the 2009 FTC order should be modified to update its existing definition of “tracking application,” presently defined as:

any software program or application . . . that is capable of being installed on consumers’ computers and used . . . to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from or transmitted to the computers on which it is installed.

The petition seeks to modify this definition to exempt information about “(a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”