1. It’s Data Privacy Day! How Are You… Um… Celebrating?

    “Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority… In our online world, data is free flowing.  All of us - from home computer users to the largest corporations - need to be aware of the personal and private data others have entrusted to us and remain vigilant and proactive about protecting it.” National Cyber Security Alliance 

    For the past five years, January 28 has been designated as Data Privacy Day, intended to raise awareness and promote greater understanding of the importance of protecting personal and private data.

    To celebrate, we’ve compiled a list of legal updates and commentary relating to data privacy in three areas of ongoing concern: health care, personal information, and privacy in the workplace. For your reference: 

    1. Health Care:

    New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities (Duane Morris LLP):

    “Every data breach is unique, and any assessment determining the probability that PHI was compromised will be highly fact-dependent and will incorporate a significant degree of subjectivity. However, the new low-probability standard is likely to be hard to meet and strongly indicates that HHS intends for the vast majority of breaches to be disclosed. Thus, with this heightened burden on risk-assessment analysis and notification, it is vital that all covered entities and business associates examine and update their current policies and procedures to ensure that they can detect and respond to potential data breaches in an appropriate and compliant manner.” Read on»

    U.S. Department of Health and Human Services Announces First HIPAA Breach Settlement Involving Fewer than 500 Patients (White & Case LLP):

    “On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) settled its first case involving the unauthorized disclosure of the electronic protected health information (“ePHI”) of fewer than 500 individuals…Pursuant to the HIPAA Security Rule, health plans, health care clearinghouses, and healthcare providers who transmit information in electronic form, collectively defined as ‘Covered Entities’ under the law, are required to ensure the confidentiality, integrity and availability of ePHI.” Read on»

    Hospitals Need To Focus On Data Privacy And Security (Michael Volkov):

    “The Department of Health and Human Services has mandated that hospitals (and other service providers) conduct a risk assessment for evaluating data security.  HHS has not defined what type of risk assessment or how such a risk assessment should be conducted. When it comes to data security, hospitals face external and internal risks.  External hacking incidents are rare.  Theft and unauthorized disclosures are the primary risks.  Administrative and physical protections often are the best way to minimize such risks.  Technological protections against a hacking incident may be needed but often are a lower priority solution.” Read on»

    2. Personal Privacy:

    Complying With COPPA Under The FTC’s New Children’s Online Privacy Protection Rules (Polsinelli Shughart PC):

    “On December 2012, the Federal Trade Commission (FTC) issued updated rules to the Child’s Online Privacy Protection Act (COPPA), … which governs the collection, use, and disclosure of personal information from children under 13 online, [and] requires operators of websites and online services that are directed to children or that have actual knowledge that they are collecting information from children to provide notice to and obtain consent from the child’s parents prior to collecting personal information from the child. The new rules – which are effective July 1, 2013 – broaden the type of information covered by COPPA, apply to a much wider group of website and online service operators, and impose new data security, protection, retention, and deletion requirements.” Read on»

    CA Attorney General’s Report Highlights Best Practices For Mobile App Developers (Pepper Hamilton LLP):

    “On January 10, 2013, California Attorney General Kamala D. Harris released a report that provided recommendations and guidelines for strong privacy practices for developers of smartphone and mobile device applications, systems, platforms, and networks. The report, ‘Privacy on the Go: Recommendations for the Mobile Ecosystem,’ was based on input from multiple large companies in the mobile application industry…As the attorney general’s report points out, one of the key challenges to consumer privacy mobile applications present stems from the fact that our mobile devices are ‘always-on,’ ‘always-on-us,’ and may store types of potentially sensitive personal information not typically found on our personal computers, such as call logs and location data.” Read on»

    Lame Duck Congress Acts on Privacy Bills, Mostly With an Eye Toward 2013 (BakerHostetler):

    “The Senate Judiciary Committee approved the Location Privacy Protection Act of 2012, S. 1223, on December 13. Sponsored by Sen. Al Franken (D-MN), the bill would require mobile device (phones, tablets, car GPS) service providers to get prior consent from customers before collecting their geolocation information or sharing it with third parties. It also includes provisions designed to prevent so-called ‘cyberstalking’: Service providers that fall into one of the bill’s exceptions (to help a parent locate a child, provide emergency services, protect customers from fraud, etc.) must nonetheless notify the individual about the tracking and how to revoke consent. Further, the bill makes it a crime to intentionally operate a stalking application and provides for a study of the use of geolocation data in violence against women.” Read on»

    3. Workplace Privacy:

    New State Laws Prohibit Employers and Academic Institutions from Requesting Usernames and Passwords to Monitor Social Media Activity, Creating Complications for Compliance with Federal Securities Regulations (Ropes & Gray LLP):

    “An increasing number of states are passing laws that prohibit employers and academic institutions from requesting or requiring employees, job applicants, students, and prospective students to turn over their social media usernames and passwords. To date, six states have enacted such legislation: California and Michigan laws apply to both employers and academic institutions, while Illinois and Maryland laws apply only to employers and Delaware and New Jersey laws apply only to academic institutions.” Read on»

    What Employers Need to Know About New York’s Beefed-Up Social Security Number Protection Law (Holland & Knight LLP):

    “New York Governor Andrew Cuomo recently signed an amendment to the state’s Social Security Number Protection Law. The amendment — which is designed to strengthen consumer privacy and protect against identity theft — became effective on December 12, 2012. Before the amendment was passed, the law prohibited persons and entities, including employers, from intentionally making available to the public an individual’s Social Security number… The new amendment takes these protections one step further, imposing additional limitations on the ability of business entities to collect an individual’s Social Security number in the first place.” Read on»

    Criminal Background Checks? The FTC Knows There’s an App for That (Ifrah Law):

    “This month, the FTC took another major step in that direction with a groundbreaking settlement applying the Fair Credit Reporting Act (FCRA) to app developers Filquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk… The complaint against them cited numerous FCRA violations: (i) regularly furnishing reports to individuals who did not have a permissible purpose to use them, (ii) failing to maintain any procedures for assuring maximum possible accuracy of information provided in the reports, and (iii) failing to provide required notices to users of the consumer reports. The agency concluded that the disclaimers were not enough to absolve the company of FCRA liability, especially when the disclaimer directly contradicts express representations in the company’s advertisements.” Read on»

    ---

    See also: A Cautionary Tale for Data Privacy Day - Ifrah Law 

    ---

    Find more on data privacy at JD Supra»
