EU Regulators Allow One-Year Test of Privacy Shield


The long-awaited US-EU Privacy Shield—the successor to the US-EU Safe Harbor which was declared invalid—is set to kick in on August 1, 2016. (See our July 8 post for detail.) One of the reasons it took so long to put the Privacy Shield in place was the opposition it encountered from consumer groups and the data protection authorities of the EU member states (i.e., the Article 29 Working Group). The Article 29 Working Group called the Privacy Shield inadequate and not in conformity with EU law. This, of course, took a lot of luster off the Privacy Shield for companies involved in transatlantic business.


New, Stringent Cyber Supply Chain Standard Under Development


Just last week, the Federal Energy Regulatory Commission or “FERC” moved closer to regulating the supply chain management practices for energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, FERC directed the North American Electric Reliability Corporation or “NERC” to issue a new supply chain management standard that addresses risks to information systems and related bulk electric system assets.

New Guidance Released by OCR on Ransomware


In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in proactively preventing and efficiently responding to ransomware attacks. For example, the guidance addresses:

  • Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
  • Implementing procedures to guard against and detect malicious software;
  • Training users on malicious software protection and reporting of malicious software detections;
  • Implementing access controls to limit access to ePHI; and
  • Maintaining an overall contingency plan.


New EU Privacy Shield Approved

In October 2015, the European Court of Justice declared the EU-U.S. Data Privacy Safe Harbor invalid. For the 200+ U.S. companies which had relied on the Safe Harbor to transfer personal data from the EU to the U.S., this meant that such transfers were no longer legal. The U.S. and the EU almost immediately started working on a successor mechanism to replace the invalid Safe Harbor. In the meantime, however, the national data protection authorities of the EU member states started imposing fines on U.S. companies which relied on the Safe Harbor but failed to take corrective actions once it was declared invalid.

Don’t Expose Your ePHI by Using Vulnerable Third-Party Applications

Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application software and describing how CEs and BAs can secure their systems to mitigate vulnerabilities.

Data Breach Costs Rise to $4 Million Globally, $7 Million in the U.S.

According to the Ponemon Institute 2016 Cost of Data Breach Study (sponsored by IBM), the total cost a company should expect to spend in response to a data breach has once again increased both globally and in the United States. The average cost paid for each lost or stolen record containing sensitive and confidential information is also on the rise.

Globally, the average total cost of a data breach for the 383 companies participating in the study increased from $3.79 million to $4 million. The average cost for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year’s study. In the United States, the average total cost of a data breach for the 64 companies participating in the study increased from $6.53 million to $7.01 million. The average cost for each lost or stolen record containing sensitive and confidential information increased from $217 in 2015 to $221 in this year’s study.

Is Your Company Complying with the SEC’s Safeguards Rule?


The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the so-called “Safeguards Rule,” Rule 30(a) of the SEC’s Regulation S-P, which requires broker-dealers and registered investment advisers to adopt written policies and procedures to safeguard client information. But the case is really a cautionary tale about what companies must do to protect confidential data from their own wayward employees.

OCR Provides Educational Tools about Individuals’ Rights to their Health Information Under HIPAA


Covered entities and business associates should expect an increased number of individuals asking about their rights to access their health information given several consumer-friendly tools recently released by the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), and the HHS Office of the National Coordinator for Health IT (ONC). After issuing a lengthy guidance document addressing an individual’s HIPAA rights to health information in January 2016, OCR has now released a series of easy-to-understand educational tools for consumers. Whereas the January guidance was directed at covered entities and business associates, these new tools are specifically designed for individuals to learn more about their rights under HIPAA.

FAA Establishes Drone Advisory Council

On May 3, the Federal Aviation Administration (“FAA”) announced the formation of a new UAS Advisory Committee, or Drone Advisory Council (“DAC”). The formation of the DAC continues the FAA’s emphasis on safety of unmanned aircraft systems (“UAS”) operating in the national airspace system.

The FAA, acknowledging the increasing commercialization of drones, has focused extensive attention on related safety concerns. Other stakeholders have been concerned with maximizing opportunities for the efficient integration of drones in the national airspace system.

The DAC will operate to identify and propose actions to the FAA intended to prioritize integration challenges and improvements. The DAC includes stakeholder participation, and builds on successful prior efforts to include stakeholder groups in developing drone regulations: the stakeholder-based UAS registration task force and the MicroUAS aviation rulemaking committee. Membership on the DAC will include a variety of UAS industry players, including industry, government, research, retail, and technology.

The goal of the DAC is to navigate the challenges of integrating UAS into the national airspace system in a way that is both efficient and safe, while having broad support from interested parties.

Supreme Court Decision Limits Right to Sue Without Actual Damages

The Supreme Court’s recent decision in Spokeo, Inc. v. Robins casts doubts on a plaintiff’s standing to sue for statutory damages based upon merely procedural violations, posing additional hurdles for class-action claims under certain consumer protection statutes.

What it means for business: it is now harder for potential plaintiffs to satisfy Article III standing requirements in privacy and consumer class actions. Class action complaints should now define the class only as those persons who suffered a concrete and particularized injury.

The focus on concrete injury affords class action defendants greater means to argue against class certification on the grounds that plaintiffs cannot establish common questions of fact that predominate over individual questions, as the concrete harm each individual class member suffers may differ among the class members.

While Spokeo weakens standing for plaintiffs bringing claims based on bare statutory violations, it leaves open the possibility that some statutory violations in themselves will create sufficient injury in fact. Nonetheless, the decision’s focus on concrete injury warrants revisiting defense strategies in a host of consumer protection claims. For a detailed discussion of the matter and decision, read our client alert.
