By Mali Friedman and Simon Frankel
With all eyes on the Affordable Care Act today, the United States Supreme Court also quietly dismissed a case that could have had a profound impact on a wide range of citizens’ rights litigation—First American Financial Corp. v. Edwards. Stating only that the writ of certiorari had been “improvidently …
By Anna Kraus
The Department of Health and Human Services (HHS) has posted on its website the protocol for the HIPAA audits required under the HITECH Act. Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are in compliance with the HIPAA standards for …
Sen. Pat Toomey (R-PA) recently introduced a bill in the United States Senate that would establish a federal breach notification requirement for certain companies and preempt state breach notification laws that are currently in effect for 46 states. The Data Security and Breach Notification Act of 2012, S.3333, would require companies that “collect and maintain …
By Anna Kraus
The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule. This is HHS’s first HIPAA enforcement action against a State …
By Anna Kraus
The long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act has been delayed once again. Although the rule was expected by July, the Office of Management and Budget (OMB) has updated its website …
Recently, officials from the Office of the National Coordinator for Health Information Technology (ONC) in the Department of Health and Human Services stressed the need for data security in connection with providers’ use of mobile devices for health care delivery. Approximately 81 percent of physicians use smart phones or mobile devices. The need for data …
The House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet recently held a hearing entitled “New Technologies and Innovations in the Mobile and Online Space, and the Implications for Public Policy.” Much of the discussion focused on the relative merits of self-regulation versus the enactment of comprehensive federal privacy legislation. (Separately, the Senate Commerce Committee …
On 19 June 2012, the Article 29 Working Party (WP29), a group that gathers the data protection authorities of all twenty-seven EU Member States, published a working document that sets out a full checklist of the requirements that binding corporate rules (BCRs) for processors must meet. BCRs are internal rules applying to entities of a multinational …
Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach. In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers. …
By Shel Abramson
The United States District Court for the Northern District of California recently dismissed with prejudice most claims asserted by consumer plaintiffs in In re iPhone Application Litigation, including causes of action under the Stored Communications Act (“SCA”), the Wiretap Act, and other federal and state laws. Plaintiffs asserted that Apple and a group …
By Brian Ryoo
On May 30, National Labor Relations Board (“NLRB”) Acting General Counsel Lafe E. Solomon issued his third report on employer social media issues, focusing on “overbroad” employer social media policies. The report expresses concern about “ambiguous [policies] that contain no limiting language or context” and give employees insufficient notice of their protected …
Recently, Governor John Lynch of New Hampshire vetoed a bill (S.B. 175) that would have allowed an individual’s heirs to control the commercial use of the individual’s identity for 70 years following death. Not all states recognize the “right of publicity” — the right for an individual to control his or her commercial likeness — …
As we previously described, the White House recently released a landmark privacy report, entitled Consumer Data Privacy in a Networked World, which outlines key privacy principles in its “Consumer Privacy Bill of Rights” and calls on the National Telecommunications & Information Administration (NTIA) to work with industry and others to develop voluntary but enforceable codes …
Interesting questions are arising in relation to how to implement an "opt out" for smart meters. In many states, customer unease about the privacy and safety concerns associated with smart meters has resulted in new legislation or regulations that give customers the ability to decline the installation of a smart meter. However, smart meters enable energy efficiency and cost savings, so should customers that opt out have to pay more?
This question arose last month in the Maine Supreme Court in the case of Friedman v. Maine Public Utilities Commission and Central Maine Power Company. The court heard an appeal from the…
On Tuesday, June 12, the Article 29 Working Party (WP29), a group of European data protection authorities, published an opinion on the exemptions available to the new cookie rules introduced by the revised EU ePrivacy Directive. The opinion provides guidance on the implementation of the available exemptions to the requirement to obtain internet users’ informed …
As we reported, the Federal Communications Commission (“FCC”) recently announced that it is seeking comments on the protection of data stored on mobile devices by wireless phone carriers. The FCC has noted that the comments it previously received on the issue five years ago are already “badly out of date.” The Federal Register published the …
The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released a one-page message from OCR Director Leon Rodriguez encouraging patients to exercise the right to access their medical records. Generally, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) grants patients the right to request and receive a copy …
Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act. As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the context of employee …
By Brian Ryoo
The United States District Court for the Western District of Washington recently dismissed in part an online privacy lawsuit alleging that Amazon “circumvented” browser privacy controls in order to track users’ web browsing activities. The plaintiffs in Del Vecchio v. Amazon had alleged that Amazon “exploit[ed]” browser controls in Internet Explorer by …
The costs associated with a data security breach can be substantial. In addition to addressing the security issue that gave rise to the breach, companies often must assess notice obligations under federal and state law, manage public relations challenges, and work to rebuild consumer trust. The costs–in terms of time and resources–needed to accomplish these …
Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers. Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general …
By Brian Ryoo
The Federal Trade Commission (“FTC”) reached separate settlements with two companies it had accused of exposing sensitive personal information through peer-to-peer (“P2P”) file-sharing software installed on their corporate networks. The complaints filed against the companies alleged that the companies failed to have in place adequate information security policies and procedures, risk assessment …
I recently published an editorial with the European Privacy Association regarding the concept of “consent” under the EU’s Framework Data Protection Directive that is available here. As the editorial explains, the concept is a fundamental fixture of the EU’s data protection regime featuring in data protection law in a variety of different ways, from “unambiguous” …
A federal district court in New Jersey ruled this week that an employer might have invaded an employee’s common-law privacy rights by coercing a co-worker into giving the employer access to the employee’s Facebook profile. The plaintiff, a nurse and paramedic employed by a non-profit hospital service corporation, alleges that her supervisor forced a co-worker …