Is Your Company Complying with the SEC’s Safeguards Rule?


The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the so-called “Safeguards Rule,” Rule 30(a) of the SEC’s Regulation S-P, which requires broker-dealers and registered investment advisers to adopt written policies and procedures to safeguard client information. But the case is really a cautionary tale about what companies must do to protect confidential data from their own wayward employees.

OCR Provides Educational Tools about Individuals’ Rights to their Health Information Under HIPAA


Covered entities and business associates should expect an increased number of individuals asking about their rights to access their health information given several consumer-friendly tools recently released by the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), and the HHS Office of the National Coordinator for Health IT (ONC). After issuing a lengthy guidance document addressing an individual’s HIPAA rights to health information in January 2016, OCR has now released a series of easy-to-understand educational tools for consumers. Whereas the January guidance was directed at covered entities and business associates, these new tools are specifically designed for individuals to learn more about their rights under HIPAA.

FAA Establishes Drone Advisory Council

On May 3, the Federal Aviation Administration (“FAA”) announced the formation of a new UAS Advisory Committee, or Drone Advisory Council (“DAC”). The formation of the DAC continues the FAA’s emphasis on safety of unmanned aircraft systems (“UAS”) operating in the national airspace system.

The FAA, acknowledging the increasing commercialization of drones, has focused extensive attention on related safety concerns. Other stakeholders have been concerned with maximizing opportunities for the efficient integration of drones in the national airspace system.

The DAC will operate to identify and propose actions to the FAA intended to prioritize integration challenges and improvements. The DAC includes stakeholder participation, and builds on successful prior efforts to include stakeholder groups in developing drone regulations: the stakeholder-based UAS registration task force and the MicroUAS aviation rulemaking committee. Membership on the DAC will include a variety of UAS industry players, including industry, government, research, retail, and technology.

The goal of the DAC is to navigate the challenges of integrating UAS into the national airspace system in a way that is both efficient and safe, while having broad support from interested parties.

Supreme Court Decision Limits Right to Sue Without Actual Damages

The Supreme Court’s recent decision in Spokeo, Inc. v. Robins casts doubts on a plaintiff’s standing to sue for statutory damages based upon merely procedural violations, posing additional hurdles for class-action claims under certain consumer protection statutes.

What it means for business: it is now harder for potential plaintiffs to satisfy Article III standing requirements in privacy and consumer class actions. Class action complaints should now define the class only as those persons who suffered a concrete and particularized injury.

The focus on concrete injury affords class action defendants greater means to argue against class certification on the grounds that plaintiffs cannot establish common questions of fact that predominate over individual questions, as the concrete harm each individual class member suffers may differ among the class members.

While Spokeo weakens standing for plaintiffs bringing claims based on bare statutory violations, it leaves open the possibility that some statutory violations in themselves will create sufficient injury in fact. Nonetheless, the decision’s focus on concrete injury warrants revisiting defense strategies in a host of consumer protection claims. For a detailed discussion of the matter and decision, read our client alert.


Managing Business Associate Security Incidents: OCR Cyber-Awareness Update

The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it is difficult for the covered entity to manage security incidents involving their business associates.

This update specifically highlights the following three provisions that a covered entity should include in its service-level or business associate agreements to help ensure that business associates and subcontractors adequately prepare for and respond to a security incident:

European Union Article 29 Working Party Responds to Privacy Shield

The European Union’s Article 29 Data Protection Working Party (WP29), put in place under a European Parliament directive to address personal information and its international movement, responded on April 13 to the Privacy Shield Data Transfer Agreement agreed upon by the United States and the European Commission earlier this year. The Privacy Shield was intended to fill the gap left by the invalidated Safe Harbor agreement. While the WP29’s non-binding opinion takes note of the improvements to data protection set forth in the Privacy Shield, the WP29 expresses “strong concerns” regarding commercial aspects and the access by public authorities to transferred data. In light of the concerns, the WP29 has urged the Commission to address and clarify the concerns to ensure that the Privacy Shield provides comparable protection to the EU.

While the decision did not provide the clarity that companies were hoping for, it is widely expected that there will be modifications made to the Privacy Shield to address the concerns. In the meantime, the standard contractual clauses and binding corporate rules can still be used by companies transferring personal data to the U.S.

For more details, see the Article 29 Working Party’s 58-page opinion here and the corresponding two-page press release here. For background, see the European Commission’s February 2, 2016, press release on the Privacy Shield agreement here. For more information on the WP29 and its role and composition, see here.

European Parliament Votes to Enact Data Protection Reforms


Four months after the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) signed off to move ahead with the new regulations in December of last year and six days after the Council of the European Union voted to adopt them on April 8, the European Parliament voted to approve the General Data Protection Regulation (GDPR) in a plenary session in Strasbourg, France, on April 14. The GDPR allows individuals to access their own personal information more easily, grants them a right to erase their personal information (the “right to be forgotten”), requires “clear and affirmative consent” for the processing of personal information, and creates a right to know when an individual’s personal information has been hacked. The GDPR also addresses web site privacy policies and requires that Internet service providers attempt to verify that users under 16 years of age have parental consent to use online services.

See the press release issued by the European Parliament here and the full text of the GDPR here.


BREAKING: Data Breach Covered Under Traditional Policy, 4th Circuit Says

Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. But a Fourth Circuit decision decided April 11 serves as an important reminder that more “traditional” general liability policies should not be overlooked in the unfortunate event that one finds oneself facing liability for a data breach.


Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, the user received a message demanding payment in exchange for a digital key that would unlock the data. Other attacks used a newer method that, rather than requiring an individual to click on a link in an email or browser page, infects systems via an unpatched server vulnerability.

For these reasons, it is critical for health care entities to educate staff about phishing emails, and to keep up with required software patching to reduce vulnerabilities.

Most of the affected hospitals have asserted that no patient information was lost during the incidents, as the aim of the ransomware attackers was to lock up, rather than access, the information in order to obtain a payout from the affected entity. The FBI continues to investigate this growing trend of ransomware attacks on health care organizations, and Senator Barbara Boxer of California recently asked the FBI to give details on its efforts to combat the increased use of ransomware on hospitals and other businesses.

The “Right to Be Forgotten” Proves Ironic for Google, But Not Expensive

The French administrative body known as the Commission Nationale de l’Informatique et des Libertés (CNIL) (France’s Data Protection Authority) exercised its powers recently when it fined Google €100,000 on March 24th for, in CNIL’s words, “fail[ing] to comply with the obligation to respect the rights of individuals to erase data and to object.” This right has also been referred to as “de-listing rights” and the “right to forget” and holds that Internet users have the right to ask controllers of their data to erase such data, especially if the data is incomplete or inaccurate. Google took steps after the EU’s 2014 ruling establishing the right to comply with respect to the EU versions of its site, but did not do so with respect to its U.S. site – and clearly didn’t just “forget” to do so. Pardon the pun.