Announcement of "Privacy Shield" Gives Hope for U.S. Companies Who Previously Relied on Safe Harbor

We have previously discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February, and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.

Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.

Privacy Shield Principles

  1. Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.

  2. Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.

  3. Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

  4. Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”

  5. Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

  6. Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.

  7. Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.

Legal Safeguards

Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.

In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.

Certification and Compliance

Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.

All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.

© 2016 Wilson Elser

More Than Family Affair: Six-Figure HIPAA Penalty Upheld for Unrepentant Home Care Agency due to PHI Access by Spurned Spouse of Employee

Introduction

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations promulgated thereunder (“HIPAA”) should be now well-known to health care providers and health plans.  Under HIPAA’s “Privacy Rule,” covered entities must take steps to “reasonably safeguard” protected health information (“PHI”) from any “intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Privacy Rule.  What is also becoming painfully clear is the growing financial and reputational risks to covered entities (and business associates) from a breach of HIPAA’s Privacy or Security Rules stemming from unauthorized access or disclosure of PHI.

A recent ruling by a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) in the case of Director of the Office for Civil Rights v. Lincare, Inc., (Decision No. CR4505, Jan. 13, 2016), underscores the substantial penalties that a health care provider can face, even for relatively small-scale HIPAA violations, particularly if the provider elects not to settle with the Office for Civil Rights (“OCR”) and instead contests the claimed violations.  In Lincare, a home care agency was found to have violated the Privacy Rule when an unauthorized person (the husband of a home health employee) was able to access patient records after the employee had removed records from the agency and taken them into the field as part of her job.  Specifically, the ALJ upheld a civil monetary penalty (“CMP”) of $239,800 imposed by OCR – only the second time OCR has sought CMPs for violations of HIPAA’s Privacy Rule.  In a unique twist, OCR was alerted to the improper disclosures when the “estranged husband” of an employee of the home care agency complained to OCR that his wife had allowed him to access documents containing PHI when she moved out of the marital home and left patient records behind.

Background

Lincare Home Care Agency.  The respondent Lincare, Inc., d/b/a United Medical (“Lincare”) supplies respiratory care, infusion therapy, and medical equipment to patients in their homes.  Lincare operates more than 850 branch locations in 48 states.  As Lincare explained, because its employees provide services in the homes of patients, they often remove patient records containing PHI from its branch locations.  Additionally, according to Lincare, managers of the various Lincare branch offices are required to maintain in their vehicles copies of Lincare’s “Emergency Procedures Manual,” which contains PHI of Lincare patients, so that employees could access patient contact information if an office was destroyed or otherwise inaccessible.

PHI at Issue.  Faith Shaw was a Lincare branch manager in Wynne, Arkansas from October 2005 until July 2009 and maintained the “Emergency Procedures Manual,” with PHI of 270 Lincare patients, as well as patient-specific documents of eight Lincare patients.  The patient records and Manual were apparently hard copies, and not electronically secured through encryption or authentication.

Disclosure of the PHI.  Ms. Shaw kept the records containing PHI in her car and in her marital home, where her husband lived.  After a falling out with her husband Richard in August 2008, Ms. Shaw moved out of the marital home and left the documents containing the PHI behind in her home and car.  In November of 2008, Mr. Shaw, who was concededly not authorized to access the Lincare PHI, reported to Lincare and OCR that he had in his possession the Emergency Procedures Manual and the eight patient files left behind by his wife.

OCR’s Investigation and Action.  Following its investigation, OCR determined that Ms. Shaw:  (a) kept the PHI either in her vehicle or home, to which Mr. Shaw had access; (b) maintained the PHI without proper safeguards; (c) knew or reasonably should have known that the manner in which she kept the PHI did not reasonably safeguard such PHI; and (d) knew or reasonably should have known that Mr. Shaw had ready access to the PHI.  While acknowledging that the provision of home care services may require providers to remove PHI from their offices, OCR found that Lincare’s policies and procedures did not adequately instruct its employees how to maintain PHI taken off the premises in a safe and secure manner, and that Lincare did not properly record or track removed PHI.  Unlike the majority of HIPAA violations cited by OCR against providers, Lincare did not settle with OCR and instead elected to contest OCR’s charges.

In the absence of a settlement, OCR cited the following “aggravating” factors for imposing a substantial CMP against Lincare:

  • The length of time Lincare allowed employees to transport PHI away from the office without appropriate and reasonable safeguards; and

  • Lincare’s failure to promptly review and enhance its HIPAA policies for safeguarding PHI taken off premises even after it was notified of the improper disclosure.

Accordingly, OCR sought to impose a CMP totaling $239,800 for Lincare’s alleged violations of HIPAA’s Privacy Rule, broken down as follows:

  • Impermissibly disclosing PHI:  OCR determined that Lincare had improperly disclosed PHI of 278 patients in November of 2008, which then carried a penalty of $100 per patient.  OCR imposed a penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to safeguard PHI:  OCR determined that the failure to safeguard the PHI lasted from February 1, 2008 through November 17, 2008, which carried a penalty of $100 per day.  OCR imposed an additional penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to implement policies and procedures to ensure compliance with the Privacy Rule:  OCR determined that Lincare’s failure continued from (a) February 1, 2008 through December 31, 2008, at a penalty of $100 per day, with a maximum of $25,000 per calendar year, (b) January 1, 2009 through February 17, 2009, at a penalty of $100 per day, which totaled $4,800, and (c) from February 18, 2009 through July 28, 2009, during which time, penalty amounts were increased pursuant to the adoption of the HITECH Act, and which OCR determined to be $1,000 per day, totaling $160,000.

Significantly, in effectively stacking CMPs for separate HIPAA violations, one on top of another—although arising from the same breach or continued breach—OCR was able to multiply the aggregate size of penalties to $239,800.  At the same time, OCR determined that there was no basis to waive the imposition of the CMP because there was no evidence that the payment of a CMP would be excessive relative to the violations that it found.

Lincare appealed OCR’s determination before an ALJ.  OCR moved for summary judgment, arguing that there was no genuine issue of material fact concerning the HIPAA violations and that it was entitled to impose the aggregate CMP as a matter of law.

The ALJ’s Analysis

The ALJ granted OCR’s motion for summary judgment, finding that the evidence established that Lincare had violated HIPAA, and upheld the CMP of $239,800.

Theft is No Defense to Improper Disclosures:  In its defense, Lincare claimed that it was not responsible for the improper disclosure because it was the victim of a theft.  Specifically, Lincare claimed that Mr. Shaw “stole” the PHI from his wife and “attempted to use it as leverage to induce his estranged wife to return to him.”  The ALJ rejected this argument, concluding that Lincare was obligated to take “reasonable steps to protect its PHI from theft.”  The ALJ explained that Lincare violated this obligation when Ms. Shaw took documents out of the office and left them in her car or home, allowing her husband to access them, and then completely abandoned them.

Lincare’s Policies Did Not Properly Address the Removal of PHI:  The ALJ also found that Lincare’s privacy policy failed to properly address the security of records removed from the office for use in the field, and monitor removed records to ensure their return.  When asked about specific guidelines for safeguarding PHI taken out of its offices, Lincare’s Corporate Compliance Officer replied that Lincare personnel “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  The ALJ did not “consider this a serious response.”

Key Takeaways

Consider Settling with OCR to Avoid a CMP:  The OCR’s imposition of a CMP, and the ALJ’s decision to affirm this penalty, represents only the second time a CMP has been imposed for a violation of the HIPAA Privacy Rule, and the first one in which an ALJ ruled on the merits.  Typically, OCR attempts to resolve HIPAA violations informally, but could not reach such a resolution with Lincare in this case.  Had a resolution been reached, the OCR would likely not have sought and secured such a substantial CMP based on “aggravating factors,” with the resultant fine likely to have been significantly lower.

Consider Encryption or Other Means for Accessing PHI Remotely:  Employees of home care agencies often need to access PHI in the field when providing services.  Rather than allowing paper records to leave the office, the provider should consider permitting field access only through electronic devices that encrypt stored data and require user authentication, so that a lost, stolen or abandoned device does not expose the records to unauthorized users the way the hard-copy files did in Lincare.

Update Policies and Procedures:  Policies and procedures should detail for employees when patient records can be removed from the office and taken into the field, and under what circumstances; and identify how such records containing PHI should be safeguarded from disclosure.

Implement a System to Track Removed PHI:  Similarly, a system should be implemented to record and track the removal of records containing PHI so as to allow the health care provider to account for and maintain oversight over removed documents.

Regularly Train Employees:  Having detailed policies and procedures is not enough; all employees should be regularly trained on the HIPAA Privacy and Security Rules, and the agency’s corresponding HIPAA policies and practices.  To reinforce training, to the extent any PHI is removed from the premises, employees should be continually reminded not to allow unauthorized persons—including a spouse or other family or friends—to access the records.

Rosa Parks Name and Likeness Free for Use?

Rosa and Raymond Parks Institute for Self Development v. Target Corp.

Addressing the balance between privacy rights and matters of public interest, the U.S. Court of Appeals for the Eleventh Circuit affirmed the district court’s dismissal of the plaintiff’s complaint, holding that the defendant was shielded by the First Amendment from a lawsuit claiming the retailer violated the publicity rights of civil rights icon Rosa Parks by selling various products that included her picture. Rosa and Raymond Parks Institute for Self Development v. Target Corp., Case No. 15-10880 (11th Cir., Jan. 4, 2016) (Rosenbaum, J.).

Target Corporation (the defendant), a national retail chain, sold books, a movie and a plaque that included pictures of Rosa Parks, an icon of the civil rights movement who, in 1955, refused to surrender her seat to a white passenger on a racially segregated Montgomery, Alabama bus. The Rosa and Raymond Parks Institute for Self Development (the plaintiff) owns the rights to the name and likeness of Rosa Parks. The plaintiff filed a complaint against the defendant, alleging unjust enrichment, right of publicity and misappropriation under Michigan common law for the defendant’s sales of all items using the name and likeness of Rosa Parks. The plaintiff complained that by selling the products, the defendant had unfairly, and without the plaintiff’s prior knowledge or consent, used Rosa Parks’ name, likeness and image on the products. The plaintiff further argued that the defendant promoted and sold the products using Rosa Parks’ name, likeness and image for the defendant’s own commercial advantage. After the defendant filed a motion for summary judgment, the district court dismissed the complaint. The plaintiff appealed.

On appeal, the 11th Circuit, sitting in diversity, applied Alabama’s choice-of-law rules, which hold that the procedural law of the forum state applies, while the law of the state in which the injury occurred governs the substantive rights of the case. Accordingly, the 11th Circuit applied the procedural rules of Alabama and the substantive law of Michigan.

In Michigan, the common-law right of privacy protects against four types of invasions of privacy: intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; public disclosure of embarrassing private facts about the plaintiff; publicity which places the plaintiff in a false light in the public eye; and appropriation for the defendant’s advantage, of the plaintiff’s name or likeness. The right of privacy is not absolute, and Michigan courts have long recognized that individual rights must yield to the qualified privilege to communicate on matters of public interest.

Applying Michigan law, the Court affirmed the district court’s dismissal of the plaintiff’s complaint, concluding that “the use of Rosa Parks’ name and likeness in the books, movie, and plaque is necessary to chronicling and discussing the history of the Civil Rights Movement” and that these matters therefore are protected by Michigan’s qualified privilege. As the 11th Circuit noted, “it is difficult to conceive of a discussion of the Civil Rights Movement without reference to Rosa Parks and her role in it.”

© 2016 McDermott Will & Emery

Private Email Woes Infect The Private Sector in Delaware

Vice Chancellor J. Travis Laster’s ruling in Amalgamated Bank v. Yahoo!, Inc., C.A. No. 10774-VCL (Del. Ch. Feb. 2, 2016) should sound a tocsin to directors that their “private” emails may not be so private.  The ruling addressed Amalgamated Bank’s demand to inspect the books and records of Yahoo! pursuant to Section 220 of the Delaware General Corporation Law.  The bank sought to inspect, among other things, documents that reflect discussions or decisions of Yahoo’s full Board or Committee.  Documents covered by the demand included emails to and from the directors, from management or the compensation consultant, emails among the directors themselves, and documents and communications prepared by Yahoo officers and employees about the Board‘s deliberations.

Vice Chancellor Laster found that emails were records subject to inspection under Section 220 and that through Delaware’s jurisdiction over a corporation, a court can compel production of documents in the possession of officers, directors, and managing agents of the firm.  According to the Vice Chancellor, the court can impose sanctions or other consequences on the firm if the officer, director, or managing agent fails to comply. He further noted that if a personal email account was used to conduct corporate business, the email is subject to production under Section 220. Directors and corporate officers should therefore take heed that emails concerning corporate business may be subject to disclosure even if conducted using a private email address.

© 2010-2016 Allen Matkins Leck Gamble Mallory & Natsis LLP


Department of Commerce Releases Fact Sheet on EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On February 2nd, 2016, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The EU-U.S. Privacy Shield

According to the Commission press release, there will be several new elements to the EU-U.S. Privacy Shield, as compared with the invalidated EU-U.S. Safe Harbor framework.  For instance, in addition to subjecting participating U.S. companies to certain as-yet unspecified safeguards, the Privacy Shield will include:

  • An annual joint review of the program performed by the European Commission and U.S. Department of Commerce – to which European data protection authorities will be invited – to ensure its proper functioning.  This will include a review of access by U.S. intelligence agencies to EU-originating data.

  • Enhanced rights of redress for European data subjects, including (i) subjecting U.S. organizations to firmer deadlines when responding to complaints, (ii) allowing EU citizens and EU data protection authorities to refer complaints to the U.S. Department of Commerce and the U.S. Federal Trade Commission, (iii) establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints that will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the U.S. Federal Arbitration Act, and (iv) creating a new “Ombudsperson” within the U.S. State Department to handle complaints – channeled through EU Member State representatives – that relate to U.S. intelligence agencies’ access to data.  Disputes relating to human resources/employee data will remain subject to an alternative process that entails somewhat closer involvement of EU data protection authorities, similar to the current Safe Harbor.

Moreover, it is reported that the U.S. Director of National Intelligence will confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.

The Privacy Shield is expected to retain or enhance many of the elements contained in the original Safe Harbor framework, including substantive commitments made by U.S. companies on such matters as furnishing appropriate notices to EU citizens, maintaining the security of transferred data, and tightened restrictions on onward transfers.  The precise nature of these obligations is not yet known, but will become clearer in the weeks ahead.

Next steps

The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to, over the coming weeks, prepare a draft Decision declaring the U.S. to ensure an adequate level of protection.  The adoption of such a Decision by the Commission must follow a “comitology” procedure which will involve:

  • a proposal from the Commission;

  • an opinion by EU Member States’ data protection authorities and the European Data Protection Supervisor (“EDPS”), in the framework of the Article 29 Working Party;

  • an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;

  • the formal adoption of the Decision by the College of Commissioners;

  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a Commission Adequacy Decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to the U.S. without any further safeguards being necessary.

Commissioner Jourová hopes for the new arrangement to be in force in approximately 3 months’ time.  The U.S. Government, in the meantime, will make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

Tomorrow (February 3rd, 2016), Commissioner Jourová will attend the plenary meeting of the Article 29 Working Party to discuss the role of the EU data protection authorities under the EU-U.S. Privacy Shield.  The U.S. Department of Commerce is, in parallel, planning further briefings about the text.

Government Forces Awaken: Rise of Cyber Regulators in 2016

As the sun sets on 2015, but before it rises again in the New Year, we predict that, in the realm of cyber and data security, 2016 will become known as the “Rise of the Regulators.” Regulators across numerous industries and virtually all levels of government will be brandishing their cyber enforcement and regulatory badges and announcing: “We’re from the Government and we’re here to help.”

The Federal Trade Commission will continue to lead the charge in 2016 as it has for the last several years. Pursuing its mission to protect consumers from unfair trade practices, including from unauthorized disclosures of personal information, and with more than 55 administrative consent decrees and other actions booked so far, the FTC (for now) remains the most experienced cop on the beat.   As we described earlier this year, the FTC arrives with bolstered judicial-enforcement authority following the Third Circuit’s decision in the Wyndham Hotel case.  Notwithstanding the relatively long list of administrative actions and its published guidance, businesses that are hacked and lose consumer data are at risk of attracting the attention of FTC cops and of having to prove that their cyber-related systems, acts and practices were “reasonable.”

But the FTC is not alone. In electronic communications, the Federal Communications Commission (FCC) in 2015 meted out $30 million in fines to telecom and cable providers, including to AT&T ($25 million) and Cox Communications ($595K). And this agency, increasingly known for its enforcement activism, may have just begun.  Reading its regulatory authority broadly, the FCC has asserted a mandate to take “such actions as are necessary to prevent unauthorized access” to customers’ personally identifiable information. This proclamation, combined with the enlistment of the FCC’s new cyber lawyer/computer scientist wunderkind to lead that agency’s cyber efforts, places another burly cop on the cyber beat.

The Securities and Exchange Commission (SEC) will be patrolling the securities and financial services industries. Through its Office of Compliance Inspections and Examinations (OCIE), the SEC is assessing cyber preparedness in the securities industry, including investment firms’ ability to protect broker-dealer and investment adviser customer information. It has commenced at least one enforcement action based on the agency’s “Safeguards Rule” (Rule 30(a) of Regulation S‑P), which applies the privacy provisions in Title V of the Gramm-Leach-Bliley Act (GLBA) to all registered broker-dealers, investment advisers, and investment companies. With criminals hacking into networks and stealing customer and other information from financial services and other companies, expect more SEC investigations and enforcement actions in 2016.

Moving to the Department of Defense (DoD), new rules, DFARS clauses, and regulations (e.g., DFARS subpart 204.73, 252.204–7012, and 32 CFR § 236) are likely to prompt the DoD Inspector General and, perhaps, the Defense Contract Audit Agency (DCAA) to examine whether certain defense contractors have the required security controls in place.  Neither the DoD nor its auditors have taken action to date.  But don’t mistake a lack of overt action for a lack of interest (or planning).  It would come as no surprise if, by this time next year, the DoD has launched its first cyber-regulation mission, be it by the False Claims Act, suspension and debarment proceedings, or through terminations for default.

In addition to these cyber guardians, other federal agencies suiting up for cyber enforcement include:

  • The Consumer Financial Protection Bureau’s (CFPB) growing Cybersecurity Program Management Office;

  • The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, examining the security surrounding critical infrastructure systems;

  • The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, addressing healthcare providers and health insurers’ compliance with health information privacy and security safeguard requirements; and

  • The Food and Drug Administration, examining the cybersecurity of networked medical devices containing off-the-shelf (OTS) software.

But these are just some of the federal agencies poised for action. State regulators are imposing their own sector-specific cybersecurity regimes as well. For example, the State of California’s Cybersecurity Task Force, New York’s Department of Financial Services, and Connecticut’s Public Utility Regulatory Agency are turning their attention toward cyber regulation. We believe that other states will join the fray in 2016.

At this relatively early stage of standards and practices development, the National Institute of Standards and Technology (NIST) 2014 Cyber Security Framework lays much of the foundation for current and future systems, conduct, and practices. The NIST framework is a “must read.” NIST, moreover, provided additional guidance earlier this year in its June 2015 NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. While it addresses security standards for nonfederal information systems (i.e., government contractors’ information systems), it also provides important guidance for companies that do not operate within the government contracts sphere. Ultimately, this 2015 NIST publication may serve as an additional general standard against which regulators (and others) assess institutional cybersecurity environments in 2016 – and beyond.

But for now, the bottom line is that in 2016 companies must add to their list of actual or potential cyber risks and liabilities the hydra-headed specter of multi-sector, multi-tiered government regulation – and regulators.

Happy Holidays: VTech Data Breach Affects Over 11 million Parents and Children Worldwide

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parent and child users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products; the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet; and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all of its Learning Lodge sites, the Kid Connect network and thirteen other websites pending investigation.

VTech announced the cyberattack on November 27th by press release and has since issued follow-on press releases on November 30th and December 3rd, noting that “the Learning Lodge, Kid Connect and PlanetVTech databases have been attacked by a skilled hacker” and that the Company is “deeply shocked by this orchestrated and sophisticated attack.” According to the various press releases, upon learning of the cyber attack, VTech “conducted a comprehensive check of the affected site” and has “taken thorough actions against future attacks.” The Company has reported that it is currently working with FireEye’s Mandiant Incident Response services and with law enforcement worldwide to investigate the attack. According to VTech’s latest update on the incident:

  • 4,854,209 parent Learning Lodge accounts containing the following information were affected: name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted passwords;

  • 6,368,509 children’s profiles containing the following information were affected: name, gender, and birthdate. 1.2 million of the affected profiles have the Kid Connect app enabled, meaning that the hackers could also have access to profile photos and undelivered Kid Connect chat messages;

  • The compromised databases also include encrypted Learning Lodge content (bulletin board postings, e-books, apps, games, etc.), sales report logs and progress logs used to track games, but did not include credit card, debit card or other financial account information, Social Security numbers, driver’s license numbers, or ID card numbers; and

  • The affected individuals are located in the following countries and regions: USA, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand. The largest numbers of affected individuals are reported in the U.S. (2,212,863 parent accounts and 2,894,091 children’s profiles), France (868,650 parent accounts and 1,173,497 children’s profiles), the UK (560,487 parent accounts and 727,155 children’s profiles), and Germany (390,985 parent accounts and 508,806 children’s profiles).

Given the magnitude and wide territorial reach of the VTech cyber attack, the incident is already on the radar of regulators in Hong Kong and at least two attorneys general in the United States. On December 1, the Hong Kong Office of the Privacy Commissioner for Personal Data announced that it had initiated “a compliance check on the data leakage incident” of VTech Learning Lodge. In addition, on December 3rd, two separate class actions were filed against VTech Electronics North America, L.L.C. and VTech Holdings Limited in the Northern District of Illinois. Since the data breach compromised personal information of children located in the United States (first and last name, photographs, online contact information, etc.), it is likely that the Federal Trade Commission (FTC) will investigate VTech’s compliance with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”). If a COPPA violation is found, the civil penalties can be steep, up to $16,000 per violation. In addition to civil penalties imposed by a court, the FTC can require an entity to implement a comprehensive privacy program and to obtain regular, independent privacy assessments for a period of time.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Regulating Recording Features of Personal Wearable Technology in the Workplace

With each passing day, personal wearable technology, like the Apple Watch and Google Glass, becomes more mainstream and technologically advanced. Employers should be aware of the challenges posed by employees wearing their technology into the workplace. Businesses have already had to consider decreased productivity, exposure to computer viruses, and potential data breaches caused by personal wearable technology in the workplace. In addition, employers are now wondering whether personal wearable devices are being used to discreetly and instantaneously record events and copy information in the workplace. Several employment laws are implicated when employers seek to regulate the recording features of personal wearable technology in the workplace.

Restrictions on personal wearable technology in the workplace are subject to Section 7 of the National Labor Relations Act, which prohibits workplace rules and policies that chill discussions among non-management employees about wages, working conditions, work instructions, and the exercise of other concerted activities for mutual aid or protection. NLRB General Counsel Memorandum No. 15-04 contains examples of both overbroad and lawful work rules restricting recording devices in the workplace. These examples are instructive when drafting employment policies restricting personal wearable devices.

Under Section 7, employers may prohibit employees from copying or disclosing confidential or proprietary information about the employer’s business, using wearable technology or otherwise.  Employers may also prohibit employees from taking, distributing, or posting on social media pictures, video, and audio recordings of work areas while on working time, so long as the policy carves an exception for conduct protected by Section 7.  The exception should expressly cite specific examples of permitted recordings, such as “taking pictures of health, safety and/or working condition concerns or of strike, protests and work-related issues and/or other protected concerted activities.”  Existing employment policies restricting personal cell phone and camera use in the workplace should be updated to include restrictions on the use of recording features of wearable technology.

The recording features of personal wearable technology also provide new methods and means for employees to engage in unlawful workplace harassment and other workplace misconduct.  Employers should consider revising their anti-harassment and conduct policies to prohibit the use of wearable technology, including its recording features, in an unlawful manner.  As technology continues to evolve, so too should employment policies, to address the use of such personal devices in the workplace.

Article By Stan Hill of Polsinelli PC

Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach.  The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards.

This most recent settlement comes on the heels of a $67 million settlement with Visa, and a $10 million settlement with consumers, both earlier this year.  The most recent settlement brings Target’s total costs to a staggering $290 million.  Target expects insurers to reimburse it for only $90 million of that total, and shareholder derivative lawsuits are still pending, as well as regulatory enforcement and investigation actions by the FTC and various state attorneys general.

While financial institution settlements now top $100 million, trade groups representing banks and credit unions have argued that the Target breach actually cost their members more than $200 million.

Many will recall that the Target breach began after an HVAC vendor was hacked, giving cyber criminals access to Target’s backend systems through its vendor interface. While the breadth and scope of Target’s losses are somewhat mind-numbing, this settlement should serve as yet another reminder of why a strong vendor management program, including privacy and data security policies and audits, is especially important in this day and age.

© Polsinelli PC, Polsinelli LLP in California