Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More
Category Archives: Privacy
On June 21, 2017, the FTC updated its COPPA Compliance Guidance for businesses. The new guidance includes new descriptions of services and products covered by COPPA, and new methods for obtaining parental consent.
Though the guidance is new, the subjects of the guidance generally are not; for example, “internet-enabled location-based services” have long been within the ambit of COPPA because geolocation information has long been part of the definition of “personal information” of children that COPPA regulates.… More
In the wake of several executive orders on immigration, ICE—the federal agency responsible for enforcing the nation’s immigration laws—has ramped up enforcement activities. As a result, local public school districts and health care providers in Massachusetts have asked the Attorney General about their rights and obligations with respect to the undocumented students and patients they serve. On May 22, 2017, the AG issued comprehensive guidance to answer their questions.… More
Recently, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, which aims to provide guidance and clarity to lawyers as they consider what level of security to give communications with clients. (I was recently interviewed by Massachusetts Lawyers Weekly on this topic, and you can read the full article here; please note that the article is behind a paywall.)
The bottom line? … More
Presented by Foley Hoag LLP and PwC
A data breach is a business crisis. What should you do?
Learn first-hand as Foley Hoag LLP and PwC walk you through the practical and legal aspects of responding to a data security incident. From understanding how to be prepared to thinking through best practices, this webinar is designed to help you get a handle on an emergency that every business must confront.… More
Held at the Courtyard Marriott in Boston on May 24 , this full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape, while providing strategies to effectively prepare and respond to your client’s needs and offer insights into challenges and opportunities ahead.… More
(Part of a continuing series.)
BYOD, or “Bring Your Own Device,” is an umbrella term for policies that employers have concerning your smart phone, tablet, or laptop. Essentially, the questions that BYOD policies seek to answer are these: (1) Who owns your device? (2) Who owns the information on your device? (3) What happens if that information (or the device itself) gets lost or stolen? and (4) What happens to the device and information after you leave the employer?… More
Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.
In December, the privacy advocacy group Electronic Privacy Information Center (EPIC), joined by several other organizations, filed a complaint with the Federal Trade Commission regarding two firms that manufacture, sell, and operate internet-connected dolls. … More
For internet-of-things watchers, some information to chew on: several news outlets have reported on a dispute between Amazon and law enforcement investigators in Bentonville, Arkansas. Arkansas police are investigating an apparent homicide that took place in November 2015, and have charged one suspect with murder. Searching the house where the crime took place, investigators uncovered an Amazon Echo device, a personal digital assistant that can be activated by voice commands.… More
We all assume that our genetic information is personal and private. This may not be totally correct, but that assumption goes completely out the window when you are an identical twin. This question is explored in an interesting article in the Journal of Genetic Counseling. The twins were interviewed in the MIT Technology Review. More
As part of the ongoing HHS OCR HIPAA audit initiative, it is conducting “HIPAA desk audits.” These audits don’t involve auditors coming in your facility. Instead, covered entities are being asked to submit documents on:
(1) their risk analysis and risk management plans under the HIPAA security rule;
(2) the content and timeliness for following the HIPAA breach notification rule; or
(3) the notice of the entity’s privacy practices for health information and patients’… More
The U.S. Department of Homeland Security says that all employees need to know the signs of a cyber-attack, not just those who work in the IT field. This is increasingly important as more companies move business operations online. The Department stresses employees should make passwords complex, beware of phishing emails and report all suspicious activity to their company’s IT department.
In Case You Missed It: The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16. C.F.R. § 314.3). Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information. The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. … More
This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch
The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.… More
- The Privacy Shield will now go into effect.
- The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
- Expect more challenges to the Privacy Shield before all is said and done.
Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. … More
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services.
The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. … More
After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures.… More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics,… More
Hedge Fund Association Symposium in Boston
The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.
This event is complimentary for HFA members and friends of Foley Hoag. … More
Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More
On May 25, 2016, partners Catherine Muyl, Colin Zick and Daniel Schimmel participated in a panel discussion on how companies can transfer personal data and remain compliant. The event, co-sponsored by The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York, was part of the FACC’s “Tech, Media & Entertainment”… More
On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law. Previously, companies could only bring misappropriation of trade secrets claims under state law. (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.) Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets,… More
How Can Companies Transfer Personal Data and Remain Compliant?
The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.
Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More
As litigators, we help clients resolve conflicts that have matured into disputes. In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.
In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation. In the area of cybersecurity,… More
Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com
The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially of organizations have proper documentation.
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
- data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.” What follows is a primer on ransomware and how to avoid being a target of it.
What is ransomware?
Previously published in Law360, April 5, 2016. Posted with permission.
While eyes have been peeled on the U.S. Department of Justice’s efforts to obtain a court order to hack the iPhone of one of the San Bernardino killers, garnering far less scrutiny is law enforcement’s more routine use of powerful cellular tracking devices before a defendant is even charged. Called cell-site simulators,… More