Privacy and Data Protection

Preparing For and Responding to the Petya Ransomware Attack

2017-07-06T16:24:00.003-04:00

By Allen O'Rourke

While still reeling from last month’s WannaCry attack, organizations worldwide were hit with another global ransomware attack yesterday, June 27, 2017. The infection began inside the Ukraine but has quickly spread across four continents and over 65 countries, affecting many thousands of computers. The growing list of corporate victims includes a large Danish shipping company, the biggest advertising agency worldwide, a French construction material company, Russia’s largest oil producer, a major U.S. pharmaceutical company, and a multinational law firm. Numerous public and private institutions in the Ukraine are also affected, including everything from bank ATM’s to the Chernobyl Nuclear Power Plant.

Variously called “Petya,” “GoldenEye,” “Petrwrap,” and “NotPetya” by different cybersecurity researchers, the current cyberattack’s malware is an offshoot of earlier Petya ransomware that began circulating last year. The new Petya variant encrypts a computer’s hard drive – making it inoperable – and demands $300 in Bitcoin to regain access. Victims are instructed to make payment into a specified Bitcoin wallet and then email confirmation to wowsmith123456@posteo.net – although that email account has now been deactivated by German email provider Posteo. About 36 ransom payments were made on June 27, 2017 – according to Blockchain analysis – but by the following morning no one had reported regaining access to infected computers.

Petya ransomware appears similar to WannaCry but more resilient and destructive. It uses wormlike propagation to spread quickly across a computer network and has multiple attack vectors in addition to the “EternalBlue” exploit to Windows that WannaCry used, such as Word documents laced with malicious macros and compromised updates for accounting software called “MeDoc.” Unfortunately, Petya contains no known “kill switch” similar to what curtailed WannaCry’s spread. As Wired’s Lily Hay Newman put it, “while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.”

Petya’s ongoing threat reflects a new reality for businesses today. With periodic leaks of alleged NSA hacking tools such as EternalBlue, cheap “Ransomware as a Service” being offered on dark web forums, and well-funded cybercriminal groups linked to organized crime and foreign governments, we are just going to see more and more ransomware and other cyberattacks targeting business operations and infrastructure. In other words, today’s cybercrime targets not only sensitive data stored on computers but also the integrity of computer systems that we rely upon every day.

Accordingly, business leaders and corporate officials such as in-house counsel need to be informed and prepared. Even after weathering a ransomware attack, an organization may still face expensive regulatory enforcement actions and civil litigation, not to mention reputational damage and lost business. With that in mind, the following are some basic action items to consider in preparing for and responding to ransomware attacks:

Preparing for Ransomware

Maintain a backup copy of your organization’s computer system that can be used in the event that your system becomes encrypted by ransomware.
Identify operating systems and software in your network that may be vulnerable and install appropriate security patches. Also implement measures to ensure that new security patches are promptly installed going forward.
Deploy updated antivirus software and consider using automated software tools to detect and mitigate cyberattacks.
Develop or update your organization’s incident response plan to address ransomware. This includes not only planning for rapid investigation, containment, and remediation of an attack, but also planning for business continuity, public relations, cybersecurity insurance, and legal compliance implications.
Establish contacts with law enforcement, outside counsel, a cybersecurity remediator, your insurance company, and anyone else with whom you will need to coordinate when responding to a ransomware attack.
Implement ongoing training of computer users on basic cybersecurity hygiene, including not clicking on suspicious links or opening suspicious email attachments.

Responding to Ransomware

Wherever possible, incident response measures should be taken at the direction of counsel in order to preserve attorney-client privilege and minimize legal risk.
Work with a cybersecurity remediation company to rapidly contain and remediate the ransomware attack. Among other things, this might include disabling the infected computer, restoring backup files, or counteracting the ransomware.
Fully investigate the ransomware attack, engage with law enforcement as appropriate, and implement cybersecurity measures to defend against additional follow-up attacks.
Ensure that key stakeholders stay informed, including corporate executives and boards of directors.
Determine the extent of harm to data subjects and consumers, comply with applicable breach notification obligations, and take other steps to minimize legal risk.

Canadian Government Suspends Implementation of Private Right of Action Under CASL

2017-07-06T16:13:00.000-04:00

By Doug Bonner & Taylor Ey

Our previous alert regarding changes to Canada’s Anti-Spam Legislation (“CASL”) previewed two important changes that were to come into effect as of July 1, 2017:

The end of the transition period under CASL, during which companies could rely on implied consent for sending “commercial electronic messages” in certain instances; and
A private right of action for violations of CASL

On June 2, 2017, the Government of Canada suspended the implementation of the private right of action provision. The private right of action will not come into effect unless and until the government takes further action to implement it. According to its press release on June 7, 2017, the Canadian Government will ask a parliamentary committee to review the private right of action provision, and hopes to strike a balance between consumer protection and legitimate business marketing activity, that is, protecting Canadians from spam while allowing entities such as businesses, charities and non-profits to communicate with Canadians electronically.

The government’s action does not impact the termination of the transition period, which will become effective on July 1, 2017.

FCC Slams Serial Robocaller With $120 Million Proposed Fine for "Spoofing" Numbers

2017-07-06T16:09:00.001-04:00

By Rebecca Jacobs, Marty Stern & Doug Bonner

We all get them. Repeated marketing calls to our mobile and home phones with the incoming phone number altered to make it appear that it’s a local call, when in fact, the call is from a robo-scammer using IP technology to “spoof” the phone number. As it turns out, there’s a federal law that makes such spoofing illegal, the Truth in Caller ID Act of 2009 (“TICIDA”), and in its first enforcement action under TICIDA, the FCC hit an alleged serial robocaller, Adrian Abramovich and his companies (together, Abramovich) with a whopping $120 million Notice of Apparent Liability for allegedly originating nearly 100 million such calls.

The Commission also issued a Citation and Order to Abramovich for alleged violations of the Telephone Consumer Protection Act (“TCPA”) for making unauthorized prerecorded telemarketing calls to emergency phone lines, wireless phones and residential phones without obtaining the required prior express written consent from the called party. While TICIDA allows the Commission to directly fine first-time violators through its NAL authority, which it did here, in TCPA FCC enforcement actions involving entities and individuals that do not hold Commission authorizations, the Commission must first issue a citation, and then can only proceed with a fine if the recipient repeats the violation. That still leaves Abramovich open to potentially monumental TCPA class action exposure. The Citation and Order also notified Abromovich that he had violated the federal wire fraud statute by transmitting or causing to be transmitted, by means of wire, misleading or false statements with the intent to perpetrate a fraud.

According to the Commission, Abramovich ran a scheme where his spoofed calls appeared to originate from local numbers and offered, via a pre-recorded message, holiday vacations and cruises claiming to be associated with well-known American travel and hospitality companies. The pre-recorded messages would prompt customers to “press 1” to secure their reservation. Once a customer pressed “1”, the customer was transferred to a call center where live operators pushed vacation packages typically involving timeshare presentations, that were not affiliated with the well-known brands used in the recorded messages. The Commission characterized Abramovich’s schemes as “one of the largest – and most dangerous – illegal robocalling campaigns the Commission has ever investigated.” According to the Commission, in addition to defrauding consumers, the robocalling campaign also caused disruptions to an emergency medical paging service, which provides paging services for emergency room doctors, nurses, emergency medical technicians, and other first responders.

While significant in absolute terms, the $120 million proposed fine, according to the Commission, was significantly below the penalty that could have been proposed in the NAL. Rather than fine the statutory maximum of $11,052 for each spoofing violation, or three times that amount for each day of a continuing violation, the Commission calculated the base forfeiture amount at $1,000 per unlawful spoofed call, since this was the first time the Commission used its TICIDA forfeiture authority.

Mr. Abromovitz now has an opportunity to respond to both the NAL and Citation. Stopping illegal robocalling has been a key priority for Chairman Pai, and no doubt the Commission is expecting that the threat of huge monetary forfeiture penalties against the industry will provide a powerful incentive for roboscammers to look for other ways to make a buck. Given the Commission’s struggle with fashioning tools to go after serial robocallers that do not have the effect of increasing TCPA exposure for established companies engaging in legitimate customer communications, we do not expect the Commission to back down from its proposed penalty, and expect this to be the start of a new enforcement initiative using TICIDA and its direct penalty provisions.

Nadia Aram Examines Updates to COPPA Guidance, New Developments in Children’s Privacy Law

2017-06-28T10:11:00.001-04:00

Many of today’s toys contain Internet-connected technology alongside of molded plastic and foam stuffing. But while Internet-connected toys may increase the fun for kids, they create additional privacy risks for businesses.

With that in mind, the Federal Trade Commission just updated its guidance for complying with the Children’s Online Privacy Protection Act (COPPA). Womble Carlyle attorney Nadia Aram has written a client alert on the COPPA changes. Read the full alert at this link.

Important Steps to Prepare for the WannaCry Ransomware Attack

2017-05-15T15:21:00.001-04:00

By Ted Claypoole, Allen O'Rourke & Claire Rauscher

Your business may have been victim to the latest ransomware attack, or it may be caught in the next wave. Womble Carlyle can help manage the attack and can prepare you to beat the next one.

In May 12, 2017, the “WannaCry” ransomware attack compromised over 70,000 organizations in nearly 100 countries. The attack encrypted people’s computer files – making them inaccessible – and demanded a ransom of about $300 worth of Bitcoin to release them. The malicious software exploited a known vulnerability in Windows that Microsoft had patched two months ago. Microsoft has also issued emergency patches for unsupported, outdated versions of Windows.

If your organization runs Windows, it is important to make sure that all appropriate patches have been installed. Another important step is to create backups of your computer files that can be used in the event that your system becomes encrypted by ransomware.

Finally, if you do not have one already, this would be a good time to develop a cybersecurity incident response plan.

Womble Carlyle’s Cyber & Privacy Law attorneys are poised to help clients develop such incident response plans, implement cybersecurity preparedness measures, and respond to any incidents that may occur.

Rite Aid Wins Summary Judgment in TCPA Action Involving Prerecorded, Automated Call for Flu Shot Reminder

2017-04-27T10:08:00.003-04:00

By Doug Bonner

In an outright win for pharmacies, the U.S. District Court for the Southern District of New York, in the attached opinion, granted Rite Aid’s motion for summary judgment in a class action alleging violations of the TCPA.

The lawsuit arose from a single prerecorded, automated call made in 2014 by Rite Aid to the Plaintiff’s cell phone alerting him to the availability of flu shots at Rite Aid pharmacies.

The court ruled that under the FCC’s Health Care Rule exception to the Telemarketing Rule, even if a call is telemarketing, if it delivers a “health care message” on behalf of a covered entity or its business associate as defined under HIPAA regulations, it is exempt from the prior written express consent requirement for calls to cellular phones under the Telemarketing Rule. Therefore such a call could be made merely with “prior express consent” such as the plaintiff providing Rite Aid with his cell phone number, which was undisputed.

The court’s ruling confirms that whenever a call is made that conveys a health care message, even if it includes telemarketing or advertisements, it is exempt from the Telemarketing Rule, and can be made with merely prior express consent rather than the heightened prior express written consent requirement that generally applies for all automated or prerecorded calls to wireless numbers that include a telemarketing message.

Click here to read the Court's opinion in Zani v. Rite Aid.

Federal Banking Agencies Propose “Enhanced Cyber Risk Management Standards” For the Largest Banks

2016-11-02T14:36:00.003-04:00

By Doug Bonner, Steve Dunlevie and Richard Garabedian

In a major new cybersecurity initiative the federal banking agencies have issued an advanced notice of proposed rulemaking (“APNR”) seeking comment on enhanced cybersecurity standards for banking entities with $50 billion or more in total assets. The standards will apply to U.S. bank and savings and loan holding companies and their subsidiary institutions as well as to foreign bank holding companies with $50 billion or more in U.S. assets. The goal of the joint rulemaking by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the “Agencies”) is to establish standards making the largest banking entities, and the U.S. financial system itself, more operationally resilient in the event of a cyber attack or disruption experienced by any one such entity. The Agencies are also considering applying the standards to third party servicers that serve the covered entities. Comments on the APNR are due by January 17, 2017.

A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector. The Agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm as well.

Though the Agencies already supervise information security at banking organizations, which are required to implement information security programs under the "Interagency Guidelines Establishing Information Security Standards" established pursuant to the Gramm Leach Bliley Act, the Agencies are concerned that "opportunities for high-impact technology failures and cyber-attacks" are increasing as a result of growing reliance on technology in the financial sector. For example, depository institutions play an essential role in payment, clearing and settlement arrangements and provide access to credit to households and businesses. The Agencies are intent upon securing these sector-critical systems by imposing the most stringent standards on the largest covered entities in a tiered manner.

The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber risk governance; continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis. The Agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or "sector-critical standards," applying to those systems of covered entities that are critical to the financial sector. The "sector-critical standards" would require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.

The ANPR addresses five categories of new cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Among the more potentially significant proposed standards, the Agencies request comment on:

(1) Cyber Risk Governance - the enhanced standards would require the institution's Board of Directors, or an appropriate Board committee, to develop and approve a written, enterprise-wide cyber risk management strategy and to hold senior management accountable for implementing appropriate policies to effectuate the strategy. This would include requiring senior leadership with cyber risk oversight responsibility to have direct Board access and to be independent of business line management.

(2) Appropriate Cyber Risk Management – the enhanced standards would require the covered entities to integrate cyber risk management into at least three independent functions (such as the three lines of defense risk management model), with checks and balances. As part of this proposed enhanced standard, business units would be required to adhere to procedures and processes necessary to comply with the covered entity’s cyber risk management framework. The agencies are also considering a requirement that covered entities incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function. In addition, the agencies are considering explicitly requiring the audit function to assess whether the cyber risk management framework of a covered entity complies with applicable laws and regulations and is appropriate for its size, complexity, interconnectedness and risk profile.

(3) Internal Dependency Management – the enhanced standards would require that covered entities have effective capabilities to be able to identify and address cyber risks associated with their workforce, data, technology, and facilities. These capabilities require ongoing assessment and improvement needed to reduce cyber threats. This could include a requirement to integrate an internal dependency management strategy into an overall strategic risk management plan.

(4) External Dependency Management - policies, standards, and procedures for external dependency management oversight would be required to be established and regularly updated, with appropriate controls, for due diligence, contracting and subcontracting, onboarding, ongoing monitoring, change management, and offboarding. This emphasis on third party access points appears to be in part a reaction to hackers gaining access to financial institutions such as a foreign bank through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and access to a major retailer's payment card systems through an HVAC vendor. These policies and procedures could introduce new tensions in dealings with third party vendors.

(5) Incident Response, Cyber Resilience, and Situational Awareness - covered entities would be required to be capable of operating critical business functions following cyber attacks and to maintain “enterprise-wide cyber resilience” and incident response programs, including, effective escalation protocols, cyber contagion containment procedures, and communication strategies. The Agencies are specifically considering requiring covered entities to establish a recovery time objective (“RTO”) of two hours for their sector-critical systems, validated by testing, to recover from a disruptive cyber attack.

Whatever action is adopted by the Agencies, whether in the form of a new banking regulation, guideline, or guidance, it will likely become a standard for liability, with the Board of Directors -- and third party vendors-- playing a very direct and active role in establishing, enterprise-wide, the banking entity's cybersecurity management framework.

A Fragile Shield? Managing the Risks of EU-U.S. Data Transfer

2016-07-27T15:39:00.001-04:00

By Doug Bonner

Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016 as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs for self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection as they self-certify to under the Privacy Shield Principles, requiring negotiation of those separate agreements. A nine month grace period is available to organizations that self-certify within the first two months of the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third party commercial relationships to self-certify early.

Still, despite the additional burdens imposed upon self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield inadequate protection for personal data in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. With that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace or instead buttress the use of Model Clauses? There are also steps EU organizations can take to protect themselves against a successful challenge, either to the Model Clauses or to the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them depending upon when and how UK withdrawal from the EU occurs. Certain actions will likely need to be taken by the UK to benefit from the Privacy Shield on an ongoing basis following withdrawal from the EU.

Our Womble Carlyle Privacy and Data Protection Team experts have been discussing these issues with our counterparts in our U.K. strategic partner firm Bond Dickinson and highlight areas where specific, targeted advice and collaborative thinking will benefit our clients.

For the full version of this client alert please click here.

Future of U.K. Data Protection Regs Unclear

2016-07-05T17:34:00.002-04:00

As incoming British Prime Minister Theresa May assembles her Cabinet, including a newly appointed Secretary of State for Exiting the European Union following the June 23, 2016 Brexit referendum outcome, the U.K.'s march forward to leave the EU does create uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the EU's new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated U.S./EU Privacy Shield, approved by the European Commission on July 12, 2016 as a replacement privacy regime for the EU-invalidated Safe Harbor, may face an uncertain future in the U.K. as well if it is not an available framework for multinational businesses to do business in the U.K.

For example, Microsoft stated in an open letter in May, 2016 to its 5000 U.K. employees before the Brexit vote that the U.K.'s EU membership was one of the factors that attracted Microsoft to make investments in the U.K., including in a new data center. One important future signal will be whether the U.K. opts to join the European Economic Area, or otherwise maintains significant trade with the EU, in which case the U.K. would necessarily need to comply with EU privacy regulations. If not, the U.K. would still need to develop its own data protection network. However, until the British Government formulates its exit strategy from the EU, including passage of new U.K. privacy and other laws to replace those under the EU regime, and has its team in place to execute on that strategy, formal notice to the EU of Britain's exit is not likely to occur.

Because at least two years notice must be given before the U.K. can formally exit the EU under Article 50 of the Treaty of Lisbon, both the GDPR (in May 2018) and the Privacy Shield are likely to be in place in the U.K. before an actual exit from the EU occurs. And many observers believe that any law that Britain adopts will likely be similar to the GDPR, since a non-member country's data protection regime must be deemed “adequate” by the EU for businesses in that non-member country to exchange data and to do business within the EU.

In short, the status quo in the U.K. will not change in the short term, and because Brexit won’t likely be completed for years, the Privacy Shield will likely govern personal data transfers from the U.K. to the U.S. well before actual withdrawal is completed. It also may take years to negotiate and complete agreements, and enactment of alternative U.K. data privacy laws.

Top Twelve TCPA DOs and DON’Ts for businesses doing outbound automated or prerecorded calling

2016-03-29T18:23:00.001-04:00

We have assembled our “Top 12 TCPA Dos and Don’ts”. We’re certain others exist that could be added to this list, but this is an introductory sanity check for a company’s outbound calling practices under TCPA laws and regulations. (Of course, this is not intended as nor should be considered legal advice, and you should consult an attorney for specific legal advice involving your particular business practices.)

(1) Maintain an up-to-date, company-specific, written Do-Not-Call Policy to be produced on-demand?

(2) Need to know the different requirements applicable to autodialed and prerecorded calls to wireless numbers and residential landlines, identify wireless numbers, and ensure compliant call handling before dialing?

(3) Treat autodialed texts the same as any autodialed call to a wireless number?

(4) Keep records of “prior express written consent” to receive autodialed calls or texts, or prerecorded calls, with name and associated telephone number of consenting party, and consent language?

(5) Incorporate prior express written consent language to receive telemarketing calls and texts in your standard contract for services?

(6) Scrub your call list at least monthly against the National Do-Not-Call Registry?

(7) Maintain a current Company-specific Do-Not-Call List?

(8) Place a telemarketing call to someone on a Do-Not-Call list who contacts a customer service center and requests a call back?

(9) Discontinue placing calls to a requesting party no later than 30 days after receiving a Do-Not-Call Request?

(10) Okay to place autodialed or prerecorded debt collection calls to someone who leaves their cell phone number on an application for service or an admission form?

(11) Avoid calls to reassigned wireless numbers once reassigned even if intending to call the person to whom it was once assigned?

(12) Know whether your dialing equipment has the “capacity” to store or produce numbers using a random or sequential number generator and to dial those numbers, even if capacity isn’t utilized?

BONUS vicarious liability points: Manage your risk by outsourcing outbound telemarketing to an outside vendor and “lead generator” who guarantees TCPA compliance, works on a commission for sales basis, and will agree to indemnify for losses?

ANSWERS (We won't force you to turn to p. 73):

1. DO

2. DO

3. DO

4. DO

5. DON’T

6. DO, unless you have verified that calls are to someone with an established business relationship as defined in the TCPA Rules.

7. DO

8. DO (an express invitation under FCC rules).

9. DO

10. DO

11. DO

12. DO

BONUS: DON’T (without more protection, including demanding proof of adequate liability coverage covering TCPA liability)

Draft of Text of EU-U.S. Privacy Shield Released

2016-03-02T15:08:00.001-05:00

The U.S. and EU are one step closer to implementing the new EU-U.S. Privacy Shield. The European Commission and U.S. Department of Commerce yesterday announced the release of the legal texts that will put in place the EU-U.S. Privacy Shield, a new framework of rules governing transatlantic data flow.

Continue reading (WCSR.com).

Rebuilding Trust with the Europeans After Snowden: Obama Signs New Privacy Law

2016-03-02T15:04:00.000-05:00

The U.S. and E.U. are one step closer to entering into a new data transfer agreement. On Wednesday President Barack Obama signed into legislation the Judicial Redress Act, giving citizens of certain allied countries, including E.U. countries, recourse in U.S. courts to protect their personal data.

The Act allows foreign citizens to take legal action against some U.S. government agencies if the agency misuses their personal information. The Act would give European citizens procedural privacy protections similar to those available to U.S. citizens under the Privacy Act of 1974 for personal information transferred to the U.S. through international law enforcement channels.

Keep reading on WCSR.com...

Live From ‘Frisco…It’s Ted Claypoole!

2016-03-02T15:01:00.001-05:00

Live before a studio audience” works well for “Jeopardy” and “Saturday Night Live.” Now, Womble Carlyle attorney Ted Claypoole is going to see how the concept works for Internet privacy law. Claypoole will discuss “The Gasping Death of the ‘Reasonable Expectation of Privacy’ Standard” at the upcoming RSA Conference in San Francisco. The presentation will take place in front of a live audience at the RSA on-site recording studio and the video subsequently will be published at www.rsaconference.com.

The presentation takes place Wednesday, March 2nd.

FDIC "Framework for Cybersecurity" Highlights How Financial Institution Information Security Programs Can Better Respond to Evolving Cyber Threats

2016-03-02T14:38:00.001-05:00

Authored by Doug Bonner

Every regulated financial institution that needs to maintain an effective information security program under Gramm Leach Bliley should not only ensure that it is complying with all banking regulations, but regularly evaluating banking industry best practices for Cybersecurity. The FDIC in February 2016 published a "Framework for Cybersecurity" that provides financial institutions a valuable sanity check about what best practices, from the FDIC's perspective, should be followed, and what government and industry resources are available for banks, both large and small to counter cyber threats.

Our linked client alert discusses highlights of the FDIC's recent "Framework for Cybersecurity".

Privacy in the Age of Big Data

2014-07-18T11:01:00.001-04:00

Privacy in the Age of Big Data, the new book by Womble Carlyle attorney Ted Claypoole and former White House CIO Theresa Payton, is receiving lots of attention, including a guest spot on The Daily Show and a series of exclusive Womble Carlyle videos.

Digital data collection and surveillance gets more pervasive and invasive by the day; but the best ways to protect yourself and your data are all steps you can take yourself. The devices we use to get just-in-time coupons, directions when we're lost, and maintain connections with loved ones no matter how far away they are, also invade our privacy in ways we might not even be aware of. Our devices send and collect data about us whenever we use them, but that data is not safeguarded the way we assume it would be.

See one episode of this multi-part series. More videos at youtube.com/womblecarlyle

Jay Z Captured in a New Era of Private Video of Official Video

2014-05-21T11:33:00.002-04:00

Rapper Jay Z and his sister-in-law reminded us this week that, prior to revelations about NSA data collection efforts, it was the lives of the rich and famous that often sparked debate about privacy in our country. Surveillance video from a hotel elevator of the millionaire entertainment mogul being punched, slapped and kicked by his sister-in-law, Solange Knowles first appeared on the celebrity gossip website TMZ earlier this month. Pop music superstar Beyonce, Knowles’ sister and Jay Z’s wife, is also in the video along with a man believed to be Jay Z’s bodyguard.

What’s also in the video, and what has the legal industry abuzz, are a few green lines. Those green lines appear to be the borders separating several video feeds streaming on a single monitor. That detail and the unstable framing in the video make it obvious that this video, which has nearly two million views on YouTube, is actually a video of the surveillance video, likely recorded on a cellphone or other device. That brings up a great many legal questions.

“We are entering into an age of ubiquitous surveillance, not just with security cameras, but of personal pictures taken from security screens by hand-held smartphone/tablet cameras,” said Ted Claypoole, an attorney with Womble Carlyle who specializes in data management and tech-related privacy issues. “Now that everyone is carrying a camera, these personal tools can catch video and audio that are captured by security systems. No one is safe.”

Claypoole also noted that we are developing a culture of instant video gratification, where people expect interesting videos about celebrities and politicians to be posted online as soon as possible for consumption by the entire connected world. He feels that it is likely the person who took the now-famous Jay Z video was likely paid well for it.

The Standard hotel in New York City, where the fight occurred, told media last week it fired the employee who leaked the video to celebrity gossip website TMZ.

Ted Claypoole is an experienced privacy and data security attorney. Ted co-authored the book Privacy in the Age of Big Data; Recognizing Threats, Defending Your Rights and Protecting Your Family with former White House CIO Theresa Payton.

Privacy in Practice Webinar Series: Ted Claypoole Talks Customized Approaches to Privacy

2013-05-10T14:41:00.000-04:00

Privacy practices aren’t a one-size-fits-all solution. What works for a giant corporation may not be the best option for a mid-market company.

Womble Carlyle Privacy and Data Protection Team attorney Ted Claypoole discussed different types of privacy exposures and non-traditional approaches to minimizing exposures while maximizing the value of the data at May 8th Webinar.

Areas to be discussed include:

Privacy by design
Interactive and behavioral advertising
Customer profiles Employee privacy and
Health information compliance.

“The Myth of ‘Best Practices’: Meaningfully Limiting Privacy Exposures, Customized For Your Company” is part of Womble Carlyle’s Privacy in Practice Webinar series, presented on the second Wednesday of each month.

Click here for a complete list of upcoming webinar topics.

May Presentation Materials:

For more information on the Privacy in Practice Webinar series, please contact Katie Tedrow at KaTedrow@wcsr.com or (202) 857-4502.

Ted Claypoole is a senior member of Womble Carlyle’s Intellectual Property Practice Group and leads the firm's Privacy and Data Protection Industry Team. He negotiates and prepares data management, business process outsourcing and ecommerce agreements for his clients. Ted routinely talks to business and legal associations across the country on data security issues and is a frequent author on the topic.

Ted Claypoole, Eric Breisach, Isabel De Obaldia to Attend IAPP Global Privacy Summit

2013-03-01T15:48:00.002-05:00

WASHINGTON, D.C.—Womble Carlyle Privacy and Data Protection Team attorneys Ted Claypoole, Eric Breisach, and Isabel De Obaldia will attend the International Association of Privacy Professionals (IAPP) Global Privacy Summit, to be held March 6-8 in Washington, D.C.

The event will feature thousands of privacy industry professionals participating in dozens of educational sessions.

Read more...

Privacy Bulletin: Issue No. 62

2012-04-04T10:12:00.000-04:00

Proposed New U.S. Consumer Privacy Framework

On February 23, the White House released a white paper setting forth a proposed new consumer privacy framework. The framework consists of a set of Consumer Privacy Bill of Rights which would work together with business codes of conduct (to be voluntarily implemented by businesses). The Federal Trade Commission and state attorneys general would provide enforcement of the consumer privacy framework. The White House declared that the Consumer Privacy Bill of Rights would provide a baseline of clear protections for consumers and greater certainty for companies. The Consumer Privacy Bill of Rights principles outlined by the White House to protect U.S. consumers include the following:

-Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

-Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

-Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

-Security: Consumers have a right to secure and responsible handling of personal data.

-Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

-Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

-Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Although release of the whitepaper is a noteworthy step towards developing a comprehensive consumer privacy framework in the U.S., it is important to point out that the proposed Consumer Privacy Bill of Rights are not final, and that the white paper asserts that the White House would work with Congress to enact such rights through legislation.

Google Privacy Suit

Two lawsuits have been filed against Google in U.S. federal courts in New York and California. The suits allege that Google’s storage and aggregation of user data under its new privacy policy violate the Electronic Communications Privacy Act, Computer Fraud Abuse Act and Federal Wiretap Act as well as state laws.

Plaintiffs in the lawsuits are aiming for approval of class-action status to represent individuals in possession of Google accounts or who used the Android operating system on their mobile phones some time between August 2004 through February 2012. According to the California suit, Google combined user data from a variety of Google products and services without acquiring users’ consent or allowing users the option to opt out. The courts’ treatment of these suits could prove significant as the courts and Government continue efforts to develop an acceptable consumer privacy framework.

Supreme Court Rules in U.S. v. Jones Privacy Case

On January 23, 2012, the U.S. Supreme Court ruled that the Government’s use of a GPS tracking device without a warrant constituted a Fourth Amendment violation. The Court supported its decision on the grounds that placing a GPS tracking device on an individual’s vehicle is a “physical intrusion” into constitutionally protected property (in this case, Jones’s car). In concurring opinions, Justices Alito and Sotomayor asserted, in determining whether there is a constitutional violation, the Court should place greater emphasis on to what extent an individual’s expectation of privacy is reasonable, noting that given today’s advanced technology, surveillance and data collection do not always require a physical intrusion. Justice Sotomayor asserted that she “would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.” (Sotomayor Concurring, 4) Justice Alito asserted that he “would analyze the question presented in this case by asking whether Jones’s reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle Jones drove.” Alito goes on to note that “The Fourth Amendment prohibits ‘unreasonable searches and seizures,’ and [in the Jones case at hand] the Court makes very little effort to explain how the attachment or use of the GPS device fits within these terms.” (Alito Concurring, 2)

As evidenced by concurring opinions by Justices Sotomayor and Alito, the Court’s reliance on what seems to be an antiquated physical intrusion rationale leaves unanswered the question of to what extent technologies that allow for surveillance and collection of information without any physical intrusion in the traditional sense are acceptable under the Fourth Amendment. With that in mind, we can anticipate the Court will be compelled to hear future cases that provide businesses and the Government with clearer answers to these questions. See further analysis of this case in context in Ted Claypoole and Richard Balough’s article Privacy Considerations Limit Geolocation Technologies, originally published in Business Law Today. The article is linked here: http://apps.americanbar.org/buslaw/blt/content/2012/03/article-02-claypoole-balough.shtml

For more information, please contact one of the following attorneys or any member of the Privacy and Data Protection Team.

Ted Claypoole: (704) 331-4910

Jonathan Gross: (704) 350-6370

Privacy Considerations and Geolocation Technologies

2012-03-29T17:46:00.001-04:00

The rise of GPS devices, Google Maps and other location-tracking technology has led to serious privacy concerns. Increasingly, courts are discussing putting boundaries on how such personal information can be tracked.

Womble Carlyle attorney Ted Claypoole writes on the intersection of location technology and the law in “Privacy Considerations Limit Geolocation Technologies.” The article is published in the American Bar Association’s Business Law Today.

The article is co-authored by Richard C. Balough of the Balough Law Offices, LLC, in Chicago. The authors are the co-chairs of the Mobile Commerce subcommittee of the Cyberspace Law Committee of the Business Law Section of the ABA.

Click here to read the full article.

Privacy Bulletin: Issue No. 61

2012-01-04T14:49:00.005-05:00

U.S. Supreme Court Deciding Extent of GPS Tracking

In the United States v. Jones, the Supreme Court will determine under which circumstances law enforcement agencies are permitted to use technology to collect and use a person’s GPS location information. The Circuit Court rejected the lower court’s conviction of Jones that resulted from law enforcement’s use of Jones’s GPS data on the basis that, with such GPS surveillance, the story told by the sum of information collected is greater than what is revealed by any one bit of information, and that the sum of a person’s location information is private information that is not exposed to the public.

In the November 8 oral argument before the Supreme Court, the Solicitor General of the United States, citing Supreme Court precedent, asserted that law enforcement agencies are permitted to track individuals on public roads, on grounds that people do not have a reasonable expectation of privacy when driving their cars on public roadways. During the argument, Jones’s attorney and the Court addressed whether there is a difference between a traditional police surveillance, such as a police car following a suspect, and police surveillance by GPS tracking, and Jones’s attorney asserted that GPS tracking is an unreasonable invasion of privacy because the human element of the surveillance has been removed. In essence, Jones’s attorney argued that the police could devote unlimited manned resources to surveillance, but that the invasion of privacy stems from the employment of GPS technology to perform unlimited surveillance, because society would not expect the human element (i.e. the physical police presence) would be removed from surveillance.

Ultimately, the decision will have significant bearing on the balancing of two conflicting matters: the extent of the public’s right to privacy versus law agencies desire (and, perhaps need) to effectively track potential criminals and conserve agency resources, an issue that has become increasingly relevant with today’s budget constraints. The future of Business monitoring and surveillance of employees will likely be affected by the outcome of this case, as the court establishes a standard for what society believes to be reasonable in electronic surveillance.

Did Microsoft Force a Stealth Monitoring System on Cellphone Users?

In Cousineau v. Microsoft Corp., W.D. Washington No. 2:11CV0438, a case where the use of cell phones has been used to determine a person’s location, the plaintiff is seeking class action status in a complaint against Microsoft. The case involves whether the Microsoft Windows Phone 7 application surreptitiously forced users into its non-stop geo-tracing program. The plaintiff alleges that even when a user turned off the tracking feature, the information still was sent to Microsoft. In response, Microsoft said there was a software error in the code. Microsoft has filed a motion to dismiss the case.

AccuWeather Accused of Using Weather Report to Pinpoint Customer Location

Goodman v. HTC America [referred to as the AccuWeather Case], filed in the United States District Court, Western District of Washington at Seattle, is one of the first cases to claim that intrusive and unprotected software is a consumer defect under the consumer protection laws filed in. The Plaintiffs alleged that a mobile phone manufacturer and application developer installed the AccuWeather application on their phones ostensibly to provide convenient weather reports, but subsequently used the application to transmit plaintiffs’ locations for other purposes (including “fine” geographic location data, which identifies the latitude and longitude of a particular device's location within several feet at a given data and time). Plaintiffs also claimed that defendants failed to meet accepted baseline information security standards (by transmitting the information in an unencrypted manner), and acknowledged a product defect but failed to alert purchasers, rectify the defect, investigate data usage and/or onward transfer of detailed geographic location data, or remediate the third-party retention of the data.

Medical Company Sued in Class Action After Huge Data Breach

The complaints of Class-action lawsuits filed (in Sacramento County Superior Court and Alameda County Superior Court) against Sutter Medical Foundation and Sutter Physicians Services allege that compromised patients’ data was not properly secured because it was unencrypted and stored in an unsecure location, and that Sutter failed to notify patients that their information had been compromised within the timeframe set forth under California law.

A Sutter company computer, containing the names, addresses, birth dates, phone numbers, and health insurance information of over 3.3 million patients, as well as detailed descriptions of medical procedures and/or diagnoses of more than 900,000 patients, was stolen in mid-October. Information on the computer was protected by password, however, it was not encrypted.

For more information, please contact one of the following attorneys or any member of the Privacy and Data Protection Team.

Ted Claypoole: (704) 331-4910

Jonathan Gross: (704) 350-6370

Privacy Bulletin: Issue No. 60

2011-06-30T11:58:00.002-04:00

U.S. Supreme Court strikes down Vermont law protecting prescription privacy

In a blow to medical privacy and a victory for the direct marketing industry, the Supreme Court ruled that Vermont’s Prescription Confidentiality Law violates the rights of data miners under the Free Speech Clause of the First Amendment. The Court found issue with the law’s provision that absent prescriber consent, pharmacies and similar entities may not sell or otherwise provide prescriber-identifying information for marketing purposes; yet, the same information may be disseminated and used for other purposes, such as education or research. On the surface, the decision is a victory for drug manufacturers and data marketing firms that use doctors’ prescribing history to create more informed and targeted marketing efforts. Many feel the Court’s ruling calls into question the constitutionality of prescription privacy legislation pending in other states, such as Massachusetts, Maine and New Hampshire.

So does this ruling finally answer the question of what the Supreme Court holds more sacred: corporate First Amendment rights or individual privacy concerns? The Center for Democracy and Technology argues no, and that from the beginning the Justices questioned whether the Vermont law was ever intended to protect patient privacy, especially given the federal protections already in place. “The Supreme Court explicitly states that a statute imposing a more comprehensive privacy regime ‘would present quite a different case than the one presented here.’ The court explained that had the state restricted all disclosure except in ‘a few narrow and well-justified circumstances,’ then the court would have viewed the challenge through a quite difference lens.”

Sony hit with additional lawsuits from mid-April breach

The mid-April data breach at Sony that exposed the personal data of over 77 million users of its PlayStation Network and Sony Online Entertainment network has prompted yet another class-action lawsuit–this time by three New York users of the game console. In their complaint, filed in the Southern District of California, plaintiffs allege Sony spent “lavishly” to protect its own data, while cutting costs and corners with respect to their customer’s data security. The 30-page complaint also alleges Sony did not encrypt customers’ personal data and laid off a substantial portion of its Sony Online Entertainment workforce just weeks before the breach.

Two geolocation bills introduced in Senate

In an effort to prevent government and industry abuse of location data, members of Congress recently announced two federal geolocation privacy bills. The Geolocation Privacy and Surveillance (GPS) Act, introduced by Representative Jason Chaffetz (R-Utah) and Senator Ron Wyden (D-Ore.), would require law enforcement to show probable cause and obtain a warrant to track location through mobile devices.

Addressing the geolocation issue with regard to the entities aggregating the actual data, a bill introduced by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) requires: (1) the express consent of users prior to sharing geolocation data, and (2) the deletion of user geolocation data upon request.

While both bills seek to protect citizens from unwanted physical tracking, they also both rely on the presumption that the geolocation privacy is in fact desired. At least one writer argues that the bills may be undermined by promotions, coupons and other incentives encouraging consumers to make available their personal geolocation data.

Illinois updates and adds teeth to Personal Information Protection Act

An amendment to Illinois’ Personal Information Protection Act (PIPA) has passed both houses and is now awaiting the governor’s approval to become law. The amendment specifies new minimum disclosure notices that data collectors must issue in the event of a breach, and also adds civil penalties for improper disposal of personal information. The new provision requires materials containing personal information to be disposed of “in a manner that renders the personal information unreadable, unusable, and undecipherable.” Furthermore, “any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance policies and procedures” to protect the information throughout the collection and disposal process.

Any person, business or government entity may be subject to a maximum $100 penalty for each individual whose personal information is disposed of in violation of the Act, with the total penalty not to exceed $50,000 per “instance” of improper disposal. Absent from the Act is a definition of what exactly constitutes an “instance.” We will likely have to wait for the first major violation to see how the Illinois Attorney General interprets the statute’s new language.

Help for small business website security

A joint effort among the Department of Homeland Security (DHS), SANS Institute, MITRE, and many top software security experts in the US and Europe has produced a detailed list of software vulnerabilities aimed at helping businesses set up a secure website and judge potential programming errors. While the federal program has been in development for years, the costs of programming oversight has been front page news with recent cyber attacks resulting in the theft of credit card and other personal information. Included in the publicly available research is the Top 25 List of programming errors that have been exploited in many of the recent attacks. For example, the top error is not preventing SQL-injection attacks on websites, an oversight exploited by hacking group LulzSec to retrieve user names and passwords from sites such as FBI’s InfraGard program and NATO’s online bookstore.

There is hope among IT security contractors that this latest guidance by the DHS team will prompt organizations to address the real and growing threat software security poses to their operations.

If you have any questions, please contact one of the following lawyers or any member of the Privacy and Data Protection Team:

Ted Claypoole: (704) 331-4910

Stephanie Shaw: (202) 857-4509

*Special thanks to Summer Associate Dan Tracey for his contributions to this edition of the Privacy Bulletin.

Privacy Bulletin: Issue No. 59

2011-06-16T14:42:00.010-04:00

Twitter’s OPT-OUT Confirmations May Violate TCPA

A lawsuit was filed in a California federal court that claims that Twitter violated the Telephone Consumer Protection Act (TCPA). The plaintiffs in this case are asking for class action certification. The suit alleges a violation of the TCPA’s requirement that a consumer give express consent before commercial text messages are sent to a consumer’s phone. Plaintiffs allege that Twitter sent a confirmation text message to them in response to their text messages opting out of receiving further text messages from Twitter. The plaintiffs argue that Twitter’s confirmation message violated the TCPA because it was sent without the plaintiffs’ prior express consent. The plaintiffs argue that their request to opt out of any further text messaging from the defendants revoked any express consent given prior to the opt out. Text message confirmations of a request to opt out of receiving further text messages are relatively standard in the industry. In fact, the Mobile Marketing Association’s U.S. Consumer Best Practices recommends that a confirming message should be sent to the consumer.

These cases could have an impact on companies that use text messaging to communicate with consumers or as a marketing tool. A court resolution of these cases should provide valuable guidance to similarly situated firms in the future.

Senator Introduces Legislation regarding National Standard for Notifications of Data Security breach

The recent rash of security breaches, including those at Sony and Lockheed Martin, have helped to galvanize the focus of the U.S. government towards business practices regarding safeguarding consumer data and notifying the general public about data breaches. Senator Patrick Leahy, a Vermont Democrat, said in a statement: “The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

Senator Leahy introduced a bill, known as the Personal Data Privacy and Security Act of 2011, which would set a national standard for notifying consumers of a data-breach. Senator Leahy summarized the legislation in his press release:

- Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;

- A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;

- An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and

- A requirement that the government ensure sensitive data is protected when the government contracts with third-party contractors.

The current state of the law regarding data breach notification requirements is unclear and difficult to comply with because most states have a slightly different reporting requirement. Robert Holleyman, the president of the Business Software Alliance, urged Congress to pass “a single, national standard to replace the unwieldy state patchwork we have today.” The Business Software Alliance represents software makers.

Co-sponsors of this bill are Senator Chuck Schumer (D-NY), Senator Ben Cardin (D-MD) and Senator Al Franken (D-MN). We will continue to monitor the progress of this legislation through the halls of Congress.

Leahy Introduces Legislation Regarding Email Privacy

Senator Patrick Leahy (D-Vt.) also introduced legislation to update the Electronic Communications Privacy Act (ECPA), a key source of legal protection for email privacy. Leahy was the lead author of ECPA, which was enacted in 1986 to protect the privacy of American’s electronic communications. However, the electronic world has changed dramatically since the law’s enactment and the law may not adequately protect the privacy of individuals in this new world.

Senator Leahy’s bill would require a government agency to obtain a search warrant from a court any time it wants to read an email. Further, Senator Leahy states that this legislation:

- Includes new protections for Americans’ location information that is collected, used or stored by service providers, smartphones and other mobile technologies.

- Includes a provision to enhance the cybersecurity of U.S. computer networks, by allowing service providers to voluntarily disclose content to the government that is pertinent to addressing a cyber-attack involving their computer network.

- Improves law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications, if notification would endanger national security.

Data Breaches

In a new section of our Privacy Bulletin, we will provide information we’ve come across about recent data breaches. The following breaches have been publicized since our last Privacy Bulletin:

- Lockheed Martin confirmed that its information systems network had been attacked by hackers on May 21. The Company does not believe the breach, which was thwarted following detection, resulted in the release of any personally identifiable or other private information from its customers or employees. Lockheed is continuing to investigate the incident, which may be related to a data breach that occurred at RSA Systems in March.

- Hackers breached a European server belonging to the computer manufacturing company Acer the weekend of June 4th. The incident may have compromised the data of approximately 40,000 customers from its Packard Bell unit in Europe.

- In early June 2011, Citigroup announced that during routine monitoring it uncovered that the data of approximately one percent of its 21 million North American credit card customers had been breached. Citigroup noted that its customers' account information (such as name, account number and contact information, including email address) was accessed, but the customers' social security number, date of birth, card expiration date and card security code (CVV) were not compromised. Accordingly, Citigroup does not believe that the data breach revealed sufficient information to perpetrate fraud, but the company will monitor accounts and re-issue credit cards to affected customers.

- On June 8, the International Monetary Fund told staffers that the organization’s computer network was subject to a sophisticated cyberattack. As reported by the New York Times, which cited unnamed IMF officials in its discussion of the significance of the incident, the scope of the attack is still being investigated and its full ramifications are unknown. The IMF has not publicly announced details of the attack, but confirmed an investigation was underway.

- Honda Canada announced in May 2011 that hackers had accessed a Web server that held the 2009 information for about 280,000 of its customers. Officials at Honda said they detected the breach after noticing “an unusual volume of usage in the myHonda and myAcura Websites.” It has been reported that a class action lawsuit, seeking $200 million in damages against Honda was filed in Oshawa, Ontario.

Upcoming Deadlines

HIPAA Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

Interested individuals may submit comments on the Department of Health and Human Services’ Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 Privacy Rules standard for accounting disclosures of protected health information by August 1, 2011 to http://www.regulations.gov/ (search for Proposed Rule). For Womble Carlyle’s coverage on this Notice of Proposed Rulemaking, please review our Client Alert.

Proposed Changes to HIPAA Accounting of Disclosures Provision and Proposed New Access Report Requirement

2011-06-08T13:50:00.002-04:00

On May 31, 2011, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule regarding the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) concerning accounting of disclosures of electronic protected health information (“PHI”). The proposed rule contains two main parts: (1) modifications to the existing accounting of disclosures requirements and (2) a new “access report” requirement.

Under this proposed change, covered entities would be responsible for keeping track of which business associates have designated record set information; obtaining such information from business associates and incorporating it into the access report; and aggregating into a single access report all of the electronic designated record set information that covered entities may have in a number of distinct systems that maintain separate access logs. Comments regarding HHS’ proposed rule may be submitted until August 1, 2011.

Click here for a Womble Carlyle Client Alert with more background on this proposed change.

If you have questions regarding this proposed rule, please contact Sarah Crotts or Jill Girardeau.

No Place to Hide: First Amendment Protection for Location Privacy

2011-06-02T15:52:00.002-04:00

The place you stand on the earth can speak volumes about you. Are you at home or at work? Are you in a meeting of political radicals or dining at an expensive restaurant? Are you peeking into a neighbor’s window or accepting an award for your contributions to humanity? Are you deep in the woods or lost in a crowd? Given the lack of public discourse on the subject, it seems that most Americans are not concerned about the privacy of their location. But the ability of family, friends, employers and the government to know where you are at any given moment is increasing dramatically with modern technology, and this loss of location privacy is affecting your fundamental rights under the Constitution.

Click here to continue reading...

-- Ted Claypoole