Photo of Jayne Ponder

Jayne Ponder is an associate in the firm's Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or conditions, and direct-to-consumer genetic testing services, among other technologies. Specifically, the legislation would direct the HHS Secretary to issue regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations will also cover a new category of personal health data that is otherwise not protected health information under HIPAA.

Continue Reading Legislation Seeks to Regulate Privacy and Security of Wearables and Genetic Testing Kits

As policymakers weigh the implications of artificial intelligence (“AI”) and the Internet of Things (“IoT”), members of Congress have introduced a handful of measures focusing on Government support for and adoption of these emerging technologies.

In May, Senators Deb Fischer (R-NE), Brian Schatz (D-HI), Cory Gardner (R-CO), and Cory Booker (D-NJ) reintroduced the Developing and

This month, the Government Accountability Office (“GAO”) released a report recommending that Congress consider enacting a federal internet privacy law in the United States.  The 56-page independent report was requested by the House Energy and Commerce Committee, which has scheduled a hearing on data privacy on February 26, during which it plans to discuss the GAO’s findings.  The Senate Commerce Committee is scheduled to hold a similar hearing on February 27th.

According to the GAO, “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.”  The GAO stressed the importance of striking an appropriate balance between the benefits of data collection and addressing consumer concerns.

Continue Reading GAO Report Calls for Federal Privacy Law

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity.   Enforcement actions in 2018 resulted in the assessment of  $28.7 million in civil money penalties.  Enforcement activity focused primarily on breaches of electronic protected

Hospitals and other health care organizations are attractive targets for cyber-attacks, in part because their databases contain medical records and other sensitive information. Breaches of this information could have very serious implications for patients.  Moreover, electronics connected to a health care facility’s network keep people alive, distribute medicines, and monitor vital signs. As a result, disruption to the operations of health care facilities could pose a very real risk to health and safety.  Such risks are becoming more than theoretical.  For instance, the WannaCry attack disrupted a third of the United Kingdom’s Health Service organizations by cancelling appointments and disturbing operations.

In recognition of the imperative for cybersecurity in the health care sector, in late December 2018 the Department of Health and Human Services (“HHS”) released voluntary cybersecurity guidance, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” (“HHS Cybersecurity Guidance”).  The HHS Cybersecurity Guidance is intended to shepherd healthcare organizations through the process of planning for and implementing cybersecurity controls. It was authored by the Health Sector Coordinating Council, comprised of more than 150 cybersecurity and healthcare experts from government and industry, and was required by Section 405(d) of the Cybersecurity Act of 2015.

Continue Reading HHS Releases Voluntary Cybersecurity Guidance

Vermont and the District of Columbia recently joined the growing list of states that have enacted automatic renewal statutes.  Automatic renewal clauses (“auto-renewals”) allow providers of goods or services to bill consumers periodically without obtaining express consent before each billing cycle.  These clauses are becoming increasingly common for a variety of goods and services.  Regulators