On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure
On February 28, 2018, the Federal Trade Commission (“FTC”) issued a report discussing security updates for mobile devices. The report stems from information the FTC collected from eight mobile device manufacturers — Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung — and from information the Federal Communications Commission (“FCC”) collected from mobile carriers in May 2016. …
Full post: FTC Issues Report on Mobile Device Security Updates
Last week, U.S. Customs and Border Protection (“CBP”) released a revised Directive governing searches of electronic devices at the border. These are the first official revisions CBP has made to its guidelines and procedures for devices since its 2009 Directive. The new Directive is intended to reflect the evolution of technology over the intervening decade, and CBP’s corresponding need to update its investigative techniques.
Notably (and as in previous CBP Directives), the new Directive does not require officials to obtain a warrant before conducting searches of travelers’ devices—even if the traveler being searched is an American—based on CBP’s position that searches and seizures at the border are exempt from the Fourth Amendment’s “probable cause” requirement. CBP nevertheless acknowledges that its searches must still meet the Fourth Amendment’s “reasonableness” requirement, which the self-imposed restrictions contained in the Directive are meant to achieve. …
Full post: CBP Revises Rules for Border Searches of Electronic Devices
In a speech delivered at the United States Naval Academy on October 10, Deputy Attorney General Rod Rosenstein waded into the public debate between data privacy and law enforcement interests. As part of a discussion moderated by former Covington cybersecurity attorney Jeff Kosseff, Rosenstein’s remarks addressed cyber issues facing law enforcement, with a particular focus on the advent of “warrant-proof” encryption. In his view, warrant-proof encrypted data and devices cannot be intercepted or unlocked by law enforcement, even with a court order.
Noting that “[p]rivate sector entities are crucial partners” in the fight against cyber threats, Rosenstein expressed concerns about the role played by tech companies in advancing warrant-proof encryption. While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein argued that “[w]arrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.” He emphasized the threat posed to public safety when technology developers deprive law enforcement of “crucial investigative tools.” Rosenstein advocated for “responsible encryption,” recognizing that this approach would not be one-size-fits-all and that solutions would likely look different depending on the company and technology at issue. …
Full post: Deputy Attorney General Rod Rosenstein Warns Against Warrant-Proof Encryption
By Meena Harris and Caleb Skeath
- Data Breaches
  - Studies show increase. Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years. The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012. Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  - State laws. In April, Kentucky became the 47th state to enact a data breach notification law. Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements. California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  - Federal legislation. Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014. The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  - Federal enforcement. In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches. The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies. The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  - Continued attention in 2015. Legislative interest in data breach issues has only increased in early 2015. Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate. The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.
On November 25, 2014, the Article 29 Working Party (“WP29”) issued an opinion paper on device fingerprinting (the “Opinion”). The Opinion builds on existing guidance on cookies (Opinion 04/2012) and confirms that organizations wishing to generate “device fingerprints” by storing or accessing information on a user’s device must obtain user consent (unless an exemption applies). This is because Article 5(3) of the European e-Privacy Directive 2002/58/EC, known as the “cookie rule”, also applies to device fingerprints. The real-life impact of the new Opinion on technology businesses is difficult to predict at this stage, but the WP29’s motivation is clear — it aims to prevent companies from using device fingerprinting technology for data analytics or tracking purposes as an alternative to cookies and without the need to obtain consent under Article 5(3).
Full post: Have EU Privacy Regulators Just Spelled the End of Web Tracking?
The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information. The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately…