HHS Releases Interim Guidance on Authorizations for Research

The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered entities and business associates to use or disclose PHI only as permitted by the Privacy Rule or as authorized in writing by the information’s owner or that person’s personal representative. The 21st Century Cures Act, enacted in 2016, sought, in part, to improve accessibility to medical information for research purposes. It mandated that HHS issue guidance on how to allow for this improved access while still protecting patients’ rights under HIPAA.


The Weekly Privacy Rewind

Class Actions

Macy’s Faces Suit After Disclosing Data Breach

• Retail giant Macy’s notified its customers and state regulators of a data breach affecting the accounts of online shoppers. The breach occurred between April 26 and June 12, 2018.

• Only two days after receiving notice, online Macy’s shoppers filed a putative class action complaint in the U.S. District Court for the Northern District of Alabama against the retailer because of the breach.

• Alleging negligence and violations of Alabama’s Deceptive Trade Practices Act, the suit requests an injunction against Macy’s from its allegedly “wrongful conduct,” including “refusing to issue prompt, complete and accurate disclosures” as well as actual, compensatory and statutory damages, and statutory penalties.


California Passes Groundbreaking Data Privacy Law Granting Consumers Expansive Privacy Rights

California has passed an unprecedented privacy law that protects consumers’ rights by providing them with a greater degree of transparency and choice with respect to their personal information online. On June 28, 2018, Assembly Bill 375 was signed into law by Gov. Jerry Brown as the California Consumer Privacy Act of 2018 (CCPA) just hours after it was passed by the California legislature. The CCPA makes significant changes to consumer privacy protection rights for Californians, marking the advent of a new era. Below is an overview of the new law.

Who Is Regulated by the CCPA:

The CCPA will regulate “Businesses,” defined as for-profit entities that have gross revenue in excess of $25 million; or that annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or that derive 50 percent or more of their annual revenues from the sale of consumers’ personal information.

California Passes Law Protecting Consumers’ Online Privacy

On June 28, 2018, California lawmakers passed Assembly Bill 375 and Gov. Jerry Brown signed it into law as the California Consumer Privacy Act of 2018, a privacy law that grants consumers a range of rights with respect to their personal information online. This marks the advent of a new era of consumer privacy protection that will have the force of law in the U.S. As we previously reported here, AB 375 was proposed as an alternative to an initiative that was expected to be on the November ballot. Now that AB 375 has passed, the initiative has been pulled from the ballot. This outcome is a win for both industry and consumers. The initiative was well-intentioned but deeply flawed in many ways, and it would have hurt both consumers and industry. Digital media evolves, and the legislature needs to be free to regulate based on current facts. The initiative would have locked in concepts that do not work well today. With the passing of AB 375, there is the ability to work out the details of the law. This is not to say that the status quo will be maintained for industry; the Act changes the landscape of privacy practices in California markedly.

For a summary of AB 375, see our chart here. For more information, see our blog posts here and here.

California Legislative Effort to Avert Privacy Ballot Initiative a Race Against the Clock

On Thursday, June 22, 2018, a previously dead California Assembly bill, AB 375, was revised as a proposed alternative to the ballot initiative known as the California Consumer Privacy Act of 2018 (CCPA),[1] which is expected to be on the November ballot. It was read a third time and amended on June 25 and re-referred to the Senate Judiciary Committee. If the bill is passed and signed into law by June 28, 2018 – the deadline for finalizing what will be on the ballot – ballot initiative supporters have reportedly agreed to pull the ballot initiative. Below is a summary of key similarities and differences between AB 375 and the CCPA. If AB 375 is passed and signed by the governor this week in time for the CCPA to be withdrawn and we confirm it is withdrawn, we will provide greater detail on what AB 375 will require. The full text of the ballot initiative is here, and the full text of AB 375 is here.

The legislative approach in AB 375 will result in regulation of more for-profit entities than the ballot initiative would, as an entity with annual gross revenue in excess of $25 million is considered a “business” under the legislative approach, whereas under the ballot initiative, an entity is considered a business if it has annual gross revenue in excess of $50 million. Further, the definition of business is broader in the legislative approach in that it also applies to businesses that annually “sell” (broadly defined) personal information of “100,000 or more consumers or devices,” as provided by the CCPA, to include a business that “buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes [broadly defined] … personal information of 50,000 or more consumers, devices, or households.” In addition to the different threshold number of data subjects, a key distinction is that AB 375 explicitly covers the recipients of personal information from a third party, while the CCPA addresses only a business “that collects consumer’s personal information.”


Privacy Advocates See Victory as Supreme Court Extends Fourth Amendment Protections to Historical Cellphone Location Information

On June 22, the Supreme Court issued its highly anticipated decision addressing privacy in the digital age, holding that the government generally must obtain a search warrant supported by probable cause to search a target’s historical cell site location information (CSLI), which can provide a detailed record of an individual’s whereabouts. In siding with the petitioner, Timothy Carpenter, who was convicted and sentenced to prison based largely on 127 days of CSLI that placed him near the scene of a string of armed robberies, the Court confirmed that individuals have an expectation of privacy in their historical CSLI that is protected by the Fourth Amendment. Writing for the majority, Chief Justice Roberts spurned mechanical applications of traditional Fourth Amendment doctrine, preferring instead to endorse a more flexible and nuanced approach to privacy in the digital age, where rapidly advancing technologies threaten to erode privacy protections.


California Legislature Working Feverishly To Avert Privacy Ballot Initiative

We have previously reported on a ballot initiative known as the California Consumer Privacy Act of 2018 (“CCPA”) that is expected to be on the November ballot. If passed, it would make sweeping changes to consumer privacy protection rights for Californians, likely creating a new national standard. On June 21st, the California Assembly amended AB 375, formerly a bill that would have regulated the privacy practices of Broadband Internet Access Service Providers in reaction to the FCC’s withdrawal of its BIAS privacy rule, to propose an alternative to the CCPA. It has been reported that the initiative’s sponsors will pull the initiative if AB 375 is passed and signed into law by the Governor. However, the legislature will have to move fast, because after June 28 the November ballot will be set and the initiative cannot be withdrawn. If AB 375 becomes law in time to kill the initiative, much of what the initiative seeks to accomplish will become law, but notably not a private right of action and class action relief for most violations. There would be a private right of action for a data breach incident resulting from security that failed to meet the California standards, but only if the Attorney General declined to bring an action. We will be tracking the legislative effort to avert the CCPA and reporting on whether the June 28 deadline is met, as well as detail on what new standards AB 375 will mandate if it becomes law.

The Weekly Privacy Rewind

Class Actions

Finkly & Sons Co. Faces Illinois Biometric Information Privacy Act Class Action

• A former employee of steelmaker A. Finkly & Sons Co. filed a putative class action against the company in Cook County, Illinois, for violations of the Illinois Biometric Information Privacy Act (BIPA).

• The case alleges the company violated BIPA by inappropriately collecting biometric data in the form of handprints for a timekeeping program without obtaining prior consent of employees, and it seeks damages of up to $5,000 per violation.


OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability Act (HIPAA) enforcement actions to individuals harmed by the underlying incident. This would fulfill a long-awaited and overdue requirement included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which required OCR to issue regulations about this methodology within three years of HITECH’s 2009 enactment date. The agenda indicates this advance notice of proposed rulemaking will be released sometime in November 2018.


11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most important issue in the case: LabMD’s contention that the FTC lacks jurisdiction to enforce allegations that inadequate data security constitutes an unfair act or practice under Section 5 of the FTC Act (15 U.S.C. § 45(a)).

In 2005, a billing manager at LabMD downloaded the peer-to-peer file-sharing application LimeWire, inadvertently enabling the sharing of some files, including one that contained the personal information of 9,300 consumers. In 2008, an entity specializing in data security found this file and attempted to use it to pitch its data security services to LabMD. After negotiations between the data security vendor and LabMD fell through, in 2009 the data security vendor shared the file with the FTC, prompting a lengthy investigation. In August 2013, the FTC issued an administrative complaint against LabMD, alleging that its failure to provide reasonable and appropriate security for personal information on its computer networks amounted to an unfair act or practice.