Category Archives: Privacy

2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come.  Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog.  These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),… More

In a very comprehensive post from the Federal Trade Commission’s Office of Technology, the FTC takes what it calls “[a] deep dive into the technical side of FTC’s recent cases on digital health platforms, GoodRx & BetterHelp.”

As most readers know, the FTC recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data with third parties for advertising.… More

Foley Hoag is pleased to contribute to Lex Mundi’s report on global data privacy trends and topics.  Our Lex Mundi network gives us access to the best attorneys in data privacy in jurisdictions across the globe, who provide local expertise on anticipated regulatory risks to overcome related to cross-border data and cybersecurity challenges. To access the full report, click here. More

On August 22, 2022, the Federal Trade Commission (“FTC”) indicated through the Advanced Notice of Proposed Rulemaking its intent to limit commercial surveillance – the common corporate practice of collecting, analyzing, and monetizing consumers’ data. As slews of data breaches resulted in millions of dollars in settlement and countless consumers whose data had been jeopardized, 33 states, including Massachusetts, New York, and Texas, showed support for the FTC’s proposed rule through a comment letter dated November 17,… More

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies.  These online tracking technologies, like Google Analytics or Meta Pixel,… More

On September 19, 2022, a Massachusetts federal District Court denied Boston Globe Media Partners LLC’s motion to dismiss a consumer class action suit against it. This case is one of 47 proposed class actions filed since February 2022 against various companies, each based on a company’s use of Meta’s Pixel tracking tool.

Boston Globe Media Partners is a “multimedia organization that provides news, entertainment, and commentary across multiple brands and platforms”;… More

As we wrote in July 2020, the European Court of Justice issued a landmark decision that invalidated the Privacy Shield as untenable under the European General Data Protection Regulation (GDPR). The decision sparked negotiations between the United States and the European Union on a workable data privacy framework. And after a two-year long hiatus, the U.S. and the EU agreed on a replacement for the Privacy Shield.… More

Recently signed into law by California Governor Gavin Newsom on September 15, 2022, the California Age-Appropriate Design Code Act (“AADC”) changes the playing field for certain businesses that provide online services, products, or features accessible to children under the age of 18. Although California models its new law after the Children’s Code passed by the UK, the AADC is first state law of its kind in the US.… More

President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).

Background

The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism,… More

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.… More

On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. This made Virginia the second state to enact a consumer privacy and data security law, and follows hot the heels of California’s Consumer Privacy Act (CCPA) and the newly-enacted California Privacy Rights and Enforcement Act (CPRA). Virginia will not be the last to regulate the relationship between consumers and businesses holding their data;… More

Very interesting discussion in the most recent Journal of the American Medical Association, “Information Technology–Based Tracing Strategy in Response to COVID-19 in South Korea—Privacy Controversies.”

The sources of information are staggering in their breadth:  mobile phone carriers, immigration services, law enforcement, credit card companies, public transit companies, government agencies, health insurers and health care providers.  It is difficult to imagine this type of tracing in the United States.… More

Both legally and practically, there need not be an exclusive choice between health information privacy and using GPS and other technology to gather and provide information about COVID-19. Foley Hoag’s Jeremy Meisinger shares more in this GPS World article.

  More

Christopher Hart, Co-Chair of Foley Hoag’s Privacy and Data Security practice, discusses the data security risks of the present crisis and how to mitigate them in MassTLC’s Virtual Table Top Panel. Click here to listen to the full audio of the program. More

Companies that have already done the work to become GDPR-compliant are a step ahead, but all companies that collect California users’ personal information or just do business in California should check to see whether they are obligated to comply with the CCPA. Foley Hoag’s Privacy & Data Security practice group has more than a decade of experience and deep knowledge in domestic and international privacy law. Our CCPA team, with lawyers admitted to practice in California,… More

Terms of service and privacy policies form the primary legal agreement between your organization and anyone who visits your website, downloads your app, or subscribes to your platform. These agreements are ubiquitous, yet often overlooked by start-ups and established companies alike. And with new privacy laws like GDPR and CCPA affecting businesses globally, understanding how these laws affect your policies and terms is crucial for doing business.

Foley Hoag attorneys Christopher Hart and Jessica Turko present a webinar discussing how companies can mitigate risk when drafting terms of service and privacy policies.… More

When an electronic health record (EHR) is unavailable, health care organizations should have a plan of action ready to go. Partner Colin Zick tells For The Record Magazine that organizations should assume their EHR will go down at some point, necessitating a plan be in place. Quick, precise detection and an appropriate communication plan can reduce the effects of system downtime, he says, adding that practice runs are a must.… More

Foley Hoag partners Colin Zick and Janine Ladislaw joined Licata Risk Advisors for a discussion on how to improve awareness and understanding of a company’s key risk exposures and how to mitigate and insure them. Topics included privacy and data security law, cybersecurity risk threat vectors, preventing IP infringement claims, and more. Click here to download the materials. More

Partner Colin Zick recently spoke at the MaHIMA Dot Wagg Memorial Legislative Seminar on HIPAA updates. Click here to download the slides. Topics included: HIPAA FAQs on right of access, CMS interoperability and the patient access proposed rule, HIPAA enforcement trends, the proposed AKS safe harbors, and more. More

As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.… More

On October 1, 2019, China’s new regulation to protect personal data related to children – called the “Measures on Online Protection of Children’s Personal Data” – went into effect.

As we wrote in June, when a draft of the regulation was released by the Cyberspace Administration of China, the regulation contains elements similar to those found in both the United States’ Children’s Online Privacy Protection Act (“COPPA”) and the European Union’s General Data Protection Regulation (“GDPR”).… More

Shifting how businesses think about privacy.

Let’s stop thinking about privacy policies alone, and let’s start thinking about data governance plans.

For the ordinary business trying to generate revenue and minimize risk, having to think about data privacy can be both a nuisance and a headache.  Generally, it’s easy to want to think about privacy as something that can be dealt with using minimal resources—by updating a template privacy policy and posting it on a website,… More

The EU Commission issued today a “Communication to the European Parliament and the Council” which is entitled “Data protection rules as a trust enabler in the EU and beyond- taking stock”, which outlines the current state of EU data protection, with particular focus on the impact of GDPR.

1. The implementation of GDPR in the EU

The Commission notes that all EU Member States have updated their national data protection laws except for three (Greece,… More

In early June, the Cyberspace Administration of China released for public comment new draft regulations applicable to the collection of personal information relating to children under 14 by online service providers.

The draft regulations share many of the same structures as those utilized by the Children’s Online Privacy Protection Act (“COPPA”) in the United States:

• online service operators will have to obtain parental consent based on a comprehensive disclosure about the collection,…

More

Imagine this scenario:  you’ve had a productive and mutually advantageous ongoing contractual relationship of several years with another party.  You have built up quite a bit of trust over the years, and communicate regularly over email.  Your email communications include you receiving invoices and then confirming payment; your email messages might include a note about an upcoming shipment or provision of services, or even a note wishing the family well.… More

Bloomberg Law interviewed partner Colin Zick as part of a Special Report on how businesses are adjusting to recent data and privacy rules. Zick discusses why companies should be prepared to deal not only with GDPR requirements, but also a patchwork of state laws that may carry compliance requirements as well.

“We’re in the midst of a large public policy debate about what we’re going to do when it comes to data privacy laws,”… More

You probably are employed by an organization that has a website privacy policy. I am. That’s because most organizations process personal information through their websites in some way, such as through online forms that ask you to sign up for newsletters or marketing promotions.

What if your organization doesn’t process any personal information through its website? What if you run a B2B startup and just have an informational website that tells the public about what you do,… More

Partner Colin Zick and Associate Jeremy Meisinger presented to the Massachusetts Health Information Management Association on the legal issues presented by the continued development of voice technology in healthcare.  Click here to download the slides. More

Start-up companies know that, when potential investors kick the tires, they will look carefully at the company’s business model and IP portfolio.  These days, investors are also likely to look at whether the company is in compliance with privacy and data security laws.  Cybersecurity has become increasingly important for business of all sizes.  While identity thieves may focus on the target rich environments of large-scale enterprises,… More

Partner Colin Zick recently presented at the MaHIMA Dot Wagg Legislative Seminar discussing recent HIPAA violations, how GDPR will impact US companies and the Trusted Exchange Framework.

Click here to download the slides. More

In late September and early October, the Senate Commerce Committee held a pair of hearings with tech companies and consumer advocates to explore the possibility of federal data-privacy legislation.  The Committee invited representatives from tech giants such as Google, Amazon, and Twitter to testify in September, then in October invited Dr. Andrea Jelinek, Chair of the European Data Protection Board;… More

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law,… More

Partner Colin Zick will join Naomi Leach, Senior Associate, Data Protection at Stephenson Harwood, and Lana Gladstein, Vice President and General Counsel at Brammer Bio, for a MassBio program on July 31 entitled The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?

Details

The GDPR Data Privacy Law has been in effect since May 25,… More

The California Consumer Privacy Act of 2018 (the “CCPA”) was signed into law on June 28, 2018. Although it is a state law, it has national and international ramifications. Here are some key aspects to be aware of.

1. Effective date

The law is slated to go into effect on January 1, 2020. However, the California State Legislature has the option of offering amendments to alter the law between now and its effective date,… More

Partner Colin Zick was recently invited to speak to the Union College Computer Science Department’s Seminar Series. His presentation addressed the difficulties in implementing encryption in the workplace, the challenges to encryption from law enforcement, and the future of encryption in light of U.S. v. Microsoft and the coming GDPR.

Click here to download the presentation.… More

Partners Colin Zick and Catherine Muyl joined the MassTLC’s CISO and CTO Peer Group Meeting this week to discuss the General Data Protection Regulation. Click here to download the presentation, which focused on setting security strategies and new obligations starting in May 2018. More

In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures,… More

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.

As in-house counsel,… More

As we previously said, the Equifax breach affects approximately 143 million Americans. While the hackers stole data that includes addresses, birth dates, full names and Social Security numbers, there are steps you can take today that will protect you from an identity theft worst-case scenario.

Assume the hackers stole your data

While no one wants to be in a situation where personal information was exposed,… More

A Massachusets court recently held that a defendant cannot be compelled to provide a cell phone PIN number to a cell phone that is seized in an arrest, because doing so would be self-incriminating.  In Commonwealth v. Jones, the Superior Court reasoned in part that

The fact that the LG Phone was found on Mr. Jones’ person at the time of his arrest is notable and helpful to the Commonwealth,… More

This is the third post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Two) 

GDPR Features that Apply Specifically to the Healthcare/Life Science Sectors

Even though the GDPR is a general regulation,… More

This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three) 

New General Features of the GDPR

Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.… More

This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)

The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).… More

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More

On June 21, 2017, the FTC updated its COPPA Compliance Guidance for businesses. The new guidance includes new descriptions of services and products covered by COPPA, and new methods for obtaining parental consent.

Though the guidance is new, the subjects of the guidance generally are not; for example, “internet-enabled location-based services” have long been within the ambit of COPPA because geolocation information has long been part of the definition of “personal information” of children that COPPA regulates.… More

In the wake of several executive orders on immigration, ICE—the federal agency responsible for enforcing the nation’s immigration laws—has ramped up enforcement activities. As a result, local public school districts and health care providers in Massachusetts have asked the Attorney General about their rights and obligations with respect to the undocumented students and patients they serve. On May 22, 2017, the AG issued comprehensive guidance to answer their questions.… More

Recently, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, which aims to provide guidance and clarity to lawyers as they consider what level of security to give communications with clients.  (I was recently interviewed by Massachusetts Lawyers Weekly on this topic, and you can read the full article here; please note that the article is behind a paywall.)

The bottom line?  … More

Presented by Foley Hoag LLP and PwC

A data breach is a business crisis. What should you do?

Learn first-hand as Foley Hoag LLP and PwC walk you through the practical and legal aspects of responding to a data security incident. From understanding how to be prepared to thinking through best practices, this webinar is designed to help you get a handle on an emergency that every business must confront.… More

Partner Colin Zick speaks with BNA’s Health Care Daily Report™ on what providers and medical institutions can expect from the future of HIPAA audits and why self-auditing is so important. Click here to read the full article. More

Partner Colin Zick sits on the advisory committee for Boston Bar Association’s inaugural Privacy & Cybersecurity Conference.

Held at the Courtyard Marriott in Boston on May 24 , this full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape, while providing strategies to effectively prepare and respond to your client’s needs and offer insights into challenges and opportunities ahead.… More

(Part of a continuing series.)

BYOD, or “Bring Your Own Device,” is an umbrella term for policies that employers have concerning your smart phone, tablet, or laptop.  Essentially, the questions that BYOD policies seek to answer are these:  (1) Who owns your device?  (2) Who owns the information on your device?  (3)  What happens if that information (or the device itself) gets lost or stolen?  and (4) What happens to the device and information after you leave the employer?… More

Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.

In December, the privacy advocacy group Electronic Privacy Information Center (EPIC), joined by several other organizations, filed a complaint with the Federal Trade Commission regarding two firms that manufacture, sell, and operate internet-connected dolls. … More

For internet-of-things watchers, some information to chew on:  several news outlets have reported on a dispute between Amazon and law enforcement investigators in Bentonville, Arkansas.  Arkansas police are investigating an apparent homicide that took place in November 2015, and have charged one suspect with murder.  Searching the house where the crime took place, investigators uncovered an Amazon Echo device, a personal digital assistant that can be activated by voice commands.… More

Click here to download the presentation slides from a recent MaHIMA Webinar on the Massachusetts rate rule for hospitals and clinics.

  More

We all assume that our genetic information is personal and private.  This may not be totally correct, but that assumption goes completely out the window when you are an identical twin.  This question is explored in an interesting article in the Journal of Genetic Counseling.  The twins were interviewed in the MIT Technology Review. More

As part of the ongoing HHS OCR HIPAA audit initiative, it is conducting “HIPAA desk audits.”  These audits don’t involve auditors coming in your facility.  Instead, covered entities are being asked to submit documents on:

     (1) their risk analysis and risk management plans under the HIPAA security rule;

     (2) the content and timeliness for following the HIPAA breach notification rule; or

     (3) the notice of the entity’s privacy practices for health information and patients’… More

The U.S. Department of Homeland Security says that all employees need to know the signs of a cyber-attack, not just those who work in the IT field. This is increasingly important as more companies move business operations online. The Department stresses employees should make passwords complex, beware of phishing emails and report all suspicious activity to their company’s IT department.

Last week, attorney Chris Hart joined the Boston Business Journal’s Table of Experts program to provide insights into how to protect a company from a cyberattack,… More

In Case You Missed It:  The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16. C.F.R. § 314.3).  Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information.  The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. … More

This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch

The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.… More

Key takeaways:

• The Privacy Shield will now go into effect.
• The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
• Expect more challenges to the Privacy Shield before all is said and done.

The Details:

Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More

In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017.  The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account.  The definition is also expanded to include medical and health insurance information. … More

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. 

The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. … More

After the European Court of Justice invalidated Safe Harbor on October 6, ‎2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures.… More

In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week.  The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday.  And, like the Shield, the Umbrella has drawn its share of critics,… More

Hedge Fund Association Symposium in Boston

The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.

This event is complimentary for HFA members and friends of Foley Hoag. … More

Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More

On May 25, 2016, partners Catherine Muyl, Colin Zick and Daniel Schimmel participated in a panel discussion on how companies can transfer personal data and remain compliant. The event, co-sponsored by The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York, was part of the FACC’s “Tech, Media & Entertainment”… More

On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law.  Previously, companies could only bring misappropriation of trade secrets claims under state law.  (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.)  Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets,… More

How Can Companies Transfer Personal Data and Remain Compliant?

The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.

Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More

As litigators, we help clients resolve conflicts that have matured into disputes.  In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.

In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation.  In the area of cybersecurity,… More

Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com 

The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially of organizations have proper documentation.

With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.… More

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

• data controllers (companies collecting and using personal information) will have a wide range of new obligations,…

More

Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.”  What follows is a primer on ransomware and how to avoid being a target of it.

What is ransomware? 

Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files.… More

Previously published in Law360, April 5, 2016. Posted with permission.

While eyes have been peeled on the U.S. Department of Justice’s efforts to obtain a court order to hack the iPhone of one of the San Bernardino killers, garnering far less scrutiny is law enforcement’s more routine use of powerful cellular tracking devices before a defendant is even charged. Called cell-site simulators,… More