enforcement

Last week, the Federal Communications Commission announced plans to fine Dialing Services, LLC, nearly $3 million for making illegal “robocalls” to cell phones. The FCC has specific rules for automatic telephone dialing systems, also known as “autodialers,” that have the capacity to produce, store, and dial telephone numbers using a random or sequential number generator. The Telephone Consumer Protection Act (“TCPA”) prohibits the transmission of robocalls to mobile phones except for (1) calls made for emergency purposes, or (2) calls made with the “prior express consent” of the call recipient. (In 2012, the FCC promulgated a rule to require “prior express written consent” for such calls that contain a “telemarketing” or “advertisement” component.) The FCC alleged that Dialing Services transmitted automated or prerecorded voice messages on behalf of political campaigns and candidates without the prior express consent of the call recipients. Neither the TCPA nor the FCC’s rules contain a general exception from the autodialer prohibition for political calls.

This is not the first time that Dialing Services has heard from federal regulators. In March of last year, the FCC issued a citation to Dialing Services for making millions of calls to cell phones during the 2012 election cycle without authorization. The citation required Dialing Services to certify within fifteen days that it had ceased making robocalls without permission. It also came with a clear warning from the FCC Enforcement Bureau that, “These citations set the stage for significant monetary penalties if violations continue,” including fines up to $16,000 per call. Finding that Dialing Services failed to comply with the requirements of the citation and continued its practices by making 184 additional calls, the FCC last week announced plans to fine Dialing Services $2,944,000 – the maximum penalty for those 184 calls.

Continue Reading FCC Fines Company $2.9 Million for Political Robocalls to Cell Phones

FDA has previously included claims made on Facebook or other social media platforms along with broader allegations of misbranding using a variety of sources in its enforcement letters . . . [b]y contrast, the present untitled letter focuses solely on a single statement on a Facebook page, and does not take issue with any statements outside the Facebook page.
Continue Reading FDA Issues Untitled Letter Focused On Promotional Claims On Facebook

Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy regulators should be able to impose “significant” sanctions on companies for violating EU privacy rules.

Under the current EU Data Protection Directive, dating back to 1995, each EU Member State autonomously decides on the sanctions for data protection violations, resulting in considerable differences throughout the EU. According to critics, the fines are “too small” in most Member States, particularly in comparison to the turnover of the companies concerned. Frequently used examples are the fines imposed on Google last year by Spain and France (EUR 900,000 and EUR 150,000, respectively).

Continue Reading Dissuading Companies from Violating Data Protection Rules: Senior European Commission Official Calls for ‘Significant’ Fines

Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar.

The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment

Continue Reading SEC Exams of Asset Managers to Include Focus on Cybersecurity

By Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire.  According to HHS, this is the first settlement based on a covered entity not having policies and procedures in place to address the breach notification requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Like other HIPAA investigations, this one began after HHS received notification of a breach of unsecured protected health information (PHI).  In October 2011, APDerm notified HHS that an unencrypted thumb drive, which contained electronic PHI relating to the surgeries of approximately 2,200 patients, was stolen from an employee’s vehicle and not recovered.  HHS found through its investigation that APDerm:

  • Did not conduct a proper risk assessment under the HIPAA Security Rule until one year later (October 2012);
  • Did not fully comply with the HIPAA Breach Notification Rule requirements to have written policies and procedures regarding breach notification, and to train workforce members on those policies and procedures, until February 2012; and
  • Committed an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule, when it gave an unauthorized individual access to the unencrypted thumb drive that was later stolen.

Continue Reading HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures

By Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP).

HHS’s investigation was prompted by an article in the Los Angeles Times published in January 2012, which indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a particular patient without first obtaining a valid written authorization.  The investigation further revealed that:

  • SRMC impermissibly disclosed the patient’s protected health information to different media outlets on at least three occasions, without obtaining the patient’s authorization;
  • SRMC senior management sent an e-mail to the entire workforce that included details about the patient’s medical condition, diagnosis, and treatment; and
  • SRMC failed to sanction its workforce members for the impermissible disclosures pursuant to SRMC’s internal sanctions policy.

Continue Reading HHS Settles HIPAA Privacy Case With California Medical Center

Earlier this month, Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance regarding consumer report accuracy and the FTC’s efforts to improve accuracy through education and enforcement.  Her testimony emphasized the

Continue Reading FTC Official Highlights FCRA Enforcement as a High Priority

Speaking at a seminar hosted by the International Association of Privacy Professionals, Assistant Director Chris Olsen and Senior Attorney Peder Magee, both of the Federal Trade Commission’s Division of Privacy and Identity Protection, provided a useful overview of the FTC’s recent enforcement actions and current enforcement priorities.  Based on this discussion

Continue Reading FTC’s Current Enforcement Priorities: Infographic

The data protection authority in Hamburg, Germany, issued an administrative fine in the amount of € 145,000 against Google for its illegal WiFi data collection activities. This fine fell just short of the maximum amount for such fines under German data protection law, which is € 150,000 (in cases of

Continue Reading Google Fined by German Data Protection Authority Over WiFi Data Collection

BNA is reporting that Mexico’s data protection authority, the Federal Institute for Access to Information and Data Protection (IFAI), will issue a fine of $1 million against one of Mexico’s largest banks for violating the country’s Federal Law on the Protection of Personal Data in Possession of Private Parties.  The

Continue Reading Mexico’s DPA Begins Enforcing Data Protection Law