Privacy & Information Security Law Blog

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it intends to survey up to 1,200 covered entities and business associates to determine their suitability for a more fulsome HIPAA compliance audit. In a notice published in the Federal Register, OCR stated that the survey will collect information such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations” to assess the organizations’ “size, complexity and fitness” for an audit.

On January 31, 2014, the Federal Trade Commission announced a settlement with GMR Transcription Services, Inc. (“GMR”) stemming from allegations that GMR’s failure to provide reasonable security allowed certain patients’ medical transcripts to be exposed to the public on the Internet. The FTC issued an accompanying press release stating it was the FTC’s 50th data security settlement.

On January 16, 2014, the Federal Trade Commission announced a settlement with TeleCheck Services, Inc., and its affiliated debt-collection entity, TRS Recovery Services, Inc. (collectively, “TeleCheck”). The settlement stems from allegations that TeleCheck violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the settlement is “part of a broader initiative to target the practices of data brokers, which often compile, maintain, and sell sensitive consumer information” and is similar to an FTC settlement with a different company in August 2013.

On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

On December 5, 2013, the Federal Trade Commission announced a proposed settlement with mobile app developer Goldenshores Technologies, LLC (“Goldenshores”) following allegations that Goldenshores’ privacy policy for its popular Brightest Flashlight Free app deceived consumers regarding how the app collects information, including geolocation information, and how that information may be shared with third parties. Brightest Flashlight Free, developed for the Android operating system, allows its users to use their cell phones as flashlights.

On November 15, 2013, the Supreme Court of Canada declared the Alberta Personal Information Protection Act (“PIPA”) invalid because the legislation interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms (the “Canadian Charter”). The case arose in the context of a labor union representing employees of a casino in Alberta. During a lawful strike, the union recorded and photographed individuals crossing the union’s picket line near the main entrance of the casino. The union had posted a sign that the images of persons crossing the picket line might be placed on a website. A number of individuals who were recorded crossing the picket line filed complaints under PIPA with the Alberta Information and Privacy Commissioner, who appointed an adjudicator to determine whether the union had contravened PIPA by collecting and disclosing personal information about individuals without their consent. Under PIPA, organizations cannot collect, use or disclose personal information without the individual’s consent, unless an exception applies.

On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.

On September 4, 2013, the Federal Trade Commission announced a settlement with TRENDnet, Inc. (“TRENDnet”) stemming from allegations that TRENDnet’s failure to provide reasonable security for its Internet Protocol (“IP”) security cameras allowed hackers to publicly post online live feeds from approximately 700 customers’ cameras. As the FTC noted in its press release, “this is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”

On August 15, 2013 the Federal Trade Commission announced a settlement with Certegy Check Services, Inc. (“Certegy”) stemming from allegations that Certegy violated various provisions of the Fair Credit Reporting Act (“FCRA”). The settlement agreement includes a $3.5 million civil penalty for “knowing violations ... that constituted a pattern or practice of violations.”

The Centre for Information Policy Leadership at Hunton & Williams LLP is pleased to announce that Bojana Bellamy, global director of data privacy for Accenture, will be joining the firm as president of the Centre, effective September 2, 2013. Current Centre President, Marty Abrams, who is retiring on September 1, will stay on as an advisor to the Centre.

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

The UK Information Commissioner’s Office (“ICO”) has published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for non-personal purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.

On May 29, 2013, a bill, accompanied by an explanatory memorandum, was proposed in the Australian Parliament that requires businesses and government agencies that experience a serious data breach to notify affected individuals and the Office of the Australian Information Commissioner (“OAIC”). The proposed legislation requires organizations to notify individuals only when they are “significantly affected” by a “serious” data breach. Breaches that merely pose a “remote risk” of harm would not require notification. The factors organizations should assess when determining whether a breach is “serious” include: (1) harm to a person’s reputation, (2) economic harm, (3) financial harm, and (4) physical and psychological harm. Additionally, the bill specifies that implementing regulations may identify other situations that would require notification even if the breach does not give rise to a risk of serious harm. Organizations should notify affected individuals through the normal method of communication they have previously used to communicate with those individuals. Absent a normal method of prior communication, organizations must take reasonable steps to notify the affected individuals via email, telephone or postal mail. If passed, the legislation would become effective in March 2014.

On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.

The Department of Health and Human Services Office for Civil Rights (“OCR”) has posted an audit protocol on its website to provide information about the procedures currently being used by OCR as part of its new audit program.

The protocol is presented in a sortable table format listing the applicable sections of the relevant rules and the established performance criteria, key activities and audit procedures associated with each section. The audit protocol for the HIPAA Security Rule also lists whether the implementation specification is required or addressable pursuant to that Rule.

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

As reported in the Hunton Employment & Labor Perspectives Blog:

The U.S. Department of Justice has moved to intervene to defend the constitutionality of the Fair Credit Reporting Act (“FCRA”) against a consumer reporting agency accused of violating § 605 of the FCRA.

On November 23, 2010, Shamara T. King filed suit against General Information Services, Inc. (“GIS”) in Pennsylvania federal court claiming violations of the FCRA. (See, King v. General Information Services, Inc., No. 2:10-CV-06850 (E.D. Pa. Nov. 23, 2010). Specifically, King claims that when she applied for a job with the United States Postal Service, GIS performed a background check that included details about a car theft arrest that occurred more than seven years prior to the requested background check. According to § 605(a)(5) of the FCRA, consumer reporting agencies cannot provide adverse information, except for criminal convictions, “which antedates the report by more than seven years.”

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”).  Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

As scrutiny and enforcement escalate in corporate privacy and data security, has your organization developed policies that meet local and global compliance requirements?

Lisa J. Sotto, head of the Global Privacy and Information Management practice at Hunton & Williams and a member of the SAI Global Law & Ethics Advisors, along with Jeff Kaplan, Kaplan & Walker, LLC and Chair of the SAI Global Law & Ethics Advisors, deliver an informative podcast reviewing the drivers for privacy and data security policy compliance, and they discuss the keys to a successful compliance program.

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a ...

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

On January 25, 2010, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites (the “Guidance”) for securities firms, investment advisors and brokers.  FINRA, which is the largest non-governmental financial regulator, previously had issued guidance on other issues pertaining to interactive web sites, such as participation by securities firms and their employees in Internet chat rooms discussing stocks or investments.  The goals of the Guidance are to “ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations” as well as “to interpret [the] rules in a flexible manner to allow firms to communicate with clients and investors using” blogs and social networking.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

On Friday, October 23, 2009, the German Railways Operator Deutsche Bahn AG announced that they would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to ...

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and ...

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law ...

On May 13, 2009, the Federal Trade Commission ("FTC") published a compliance template designed to assist financial institutions and creditors "at low risk for identity theft " in developing the Identity Theft Prevention Program required by the FTC’s Identity Theft Red Flags and Address Discrepancies Rule (the "Rule").  The template is entitled "A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft."

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about ...

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

The Centre for Information Policy Leadership provides the following thoughts on the Obama Administration's views on privacy:
 
The themes of President Obama’s inaugural address not only conveyed a strong message to the nation, but reflected current concerns about data governance shared by privacy professionals and policymakers as well.  His speech captured the importance of individual responsibility in public and personal life as America faces challenging economic times.  In demanding accountability from government, he required that the nation’s work be conducted “in the light of day -- because only then can we restore the vital trust between a people and their government.”  Obama’s remarks about the potent values of responsibility and accountability apply in the information-intensive world of business.