Advancing Digital Strategies (and Hello from the Future!)

The following story is one in a six-part series devoted to the pioneering teams that comprise the firm’s new Digital Asset and Data Management Practice Group.

A prime example of BakerHostetler’s preeminence in the legal industry is on display in its latest Practice Group, Digital Asset and Data Management (DADM), which offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – led by Theodore J. Kobus III, chair of the DADM Practice Group – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal technology R&D team, IncuBaker. It is comprised of more than 100 award-winning attorneys, technologists and support professionals from six diverse teams, enabling clients to better understand and navigate the intersection of digital business, emerging technologies and the law.

The following offers an introduction to one of those six teams.

Thoughts on emerging technologies and the tasks legal professionals are poised to perform

Who: The team leads are Partner James A. Sherer and Director of Practice Services Katherine Lowry.

What: The Emerging Technology team addresses those new, often groundbreaking technologies transforming our clients’ operations and raising novel business challenges. These include data analytics, machine learning, natural language processing and other types of artificial intelligence (AI), smart contracts, the Internet of Things (IoT), digital and social media, blockchain, self-sovereign identity (SSI), cryptocurrencies, and financial technology (fintech) applications. The Emerging Technology team combines the practice of law with legal practice innovations to support clients considering, developing, implementing and using emerging technology.

Why: Quite simply, our clients and the bar are demanding it. Attorneys are now expected to maintain an informed, up-to-date understanding of new technologies as emerging solutions enter the market and offer new opportunities for our clients. Clients are asking us to help them address fundamental strategic considerations created by the effects of these technologies and their impacts on corporate and litigation issues, not to mention overall governance strategies. Our clients have always expected rigorous analysis of legal and market risks, and emerging technologies and their benefits and complications are directly affecting legal and market risks now more than ever before.

Key takeaways for app development and data protection by design from recent enforcement action

The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees, parents and pupils. At first, this may seem like an obscure case of only local importance, but the DPA’s rationale for the fine carries three important takeaways for all app developers about app security and privacy by design.

Design apps to discourage collection of unneeded sensitive data

The agency’s app was designed so parents could send messages to the school about their children’s absences. It included a free-text field for the communication, and the DPA found this design was likely to cause parents to input information about children’s illnesses, which is special-category personal data under Article 9 of the EU’s General Data Protection Regulation (GDPR). The DPA faulted the agency for failing to implement technical measures to prevent entry of this information or to include a warning in the app to not include this information. The DPA suggested that the app could have been designed with drop-down lists and tick boxes to prevent entry of sensitive data in free-form text fields.

Key takeaways: The DPA’s concern is well founded. In the breach investigations we conduct, we routinely find sensitive and unexpected data in free-form text fields. These unstructured data are not only difficult to search and catalog in a breach investigation, but may contain some of the most sensitive and problematic data that triggers breach notifications. The Norwegian DPA identified the unnecessary use of free-form fields in this app’s context as violating data-protection-by-design-and-default (DPbDD) principles. To avoid these issues, app developers should:

  • Avoid free-form fields when possible – and especially when context increases the likelihood that users will input sensitive data. Opt instead for drop-down lists, check boxes or other technical measures that limit a user’s ability to input unwanted and unexpected sensitive data.
  • Where free-form fields must be used, include a warning to discourage users from entering sensitive data in these fields. As a backstop, use a tool to regularly search databases for unexpected and unwanted sensitive data. Scrub unwanted data from the database and, if the searches reveal ongoing collection of unwanted data, consider new technical controls to limit the collection.
  • Apply these controls to both internal and customer-facing applications. Internal systems, like public-facing applications, should limit employees’ ability to capture unwanted sensitive data in free-form fields, especially for internal apps designed to capture information on interactions with customers and consumers.


Entering the ’20s – A New Era for Data Breach Class Actions?

As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved.

Federal courts in different circuits continue to disagree on the applicable standards to establish Article III standing. Both the Ninth and Seventh Circuits have issued decisions that have created a relatively low bar for Article III injury, at least at the pleading stage. Courts in other circuits, including the Third and Fourth Circuits, have been more rigorous in requiring a more substantial showing of present or future injury. Most courts agree that a person who has plausibly alleged a financial loss following a data breach has standing, but courts do not agree on how imminent a future injury has to be in order to support standing. In 2019, there were a few more decisions of note, most prominently the D.C. Circuit’s decision, by a 2-1 vote, allowing for Article III standing based on an alleged increased risk of identity fraud in the case filed following the Office of Personnel Management data breach. See In re United States Office of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 56-58 (D.C. Cir. 2019), petition for rehearing en banc denied October 21, 2019. All eyes are now on the Supreme Court on this one, as the case presents the Court with the opportunity to finally weigh in on the circuit split over Article III standing in alleged data breach cases. The Solicitor General, however, is still weighing its decision as to whether to file a petition for certiorari in the case, twice moving to extend the time allowed for doing so. The government’s cert petition, if it is to be filed, is presently due on March 19, 2020.

Powerful Protection: The Healthcare Privacy and Compliance Team


Healthcare Privacy and Compliance

  • Who: The team lead is Partner Lynn Sessions.
  • What: The formation of the Healthcare Privacy and Compliance team “allows us to look at the needs of the firm’s healthcare clients from start to finish to ensure that they comply with the current and ever-changing state, federal and international laws related to health information,” said Sessions. In addition to leveraging emerging technologies, managing data and structuring data so it can be handled in a way that is compliant with healthcare-specific regulations, team members are also vigilant in defending against potential internal and external threats to clients. “I’m excited to help protect and foster the trusted relationship that healthcare organizations have with their patients and customers,” said Sessions, who focuses her practice on helping covered entities and business associates through data breaches and investigations with the Office for Civil Rights (OCR) and state attorneys general. The team has handled more than 1,500 healthcare data breaches, more than 500 OCR investigations and a dozen resolution agreements with the federal government. With this daily insight into the OCR’s current focus, the team is able to be at the forefront of issues that are important to OCR and advise clients of these risks, allowing our healthcare clients to address their own compliance absent a patient complaint or OCR investigation.
  • The team leverages its deep experience in the healthcare industry to not only work with healthcare clients through incident response and regulatory defense but also help healthcare organizations be compliant with HIPAA and with the ever-changing state and international regulations addressing health information. Recent examples include (1) preparing clients for the OCR HIPAA audits and ensuring proactive HIPAA compliance with the Privacy, Security and Breach Notification rules; (2) determining applicability of the GDPR to academic medical centers with an international reach; (3) advising on the intersection of HIPAA and the Common Rule in clinical trials and other healthcare research; (4) addressing de-identification of patient data to assist with efficiencies in treatment, payment and the curing of disease; and (5) advising on the unique privacy concerns with population health and patients’ access to their information.
  • The team works with DADM’s Emerging Technology team to address data analytics and the creation of data lakes to help monetize data aggregated across healthcare businesses. Technology contracting has become increasingly important to healthcare organizations, and this team is able to also bring in DADM’s Privacy Governance & Technology Transactions team to develop and enhance those contracts for healthcare entities.
  • The team works with technology companies and other business associates in addressing HIPAA compliance in a rapidly increasing area of risk for these companies, including developing policies and procedures and training, and advising on general HIPAA compliance.
  • Why: Patients’ and health plan members’ name, date of birth, Social Security number, prescriptions, medical diagnosis and procedure details – the data maintained by healthcare organizations – rank among these individuals’ most personal and private information. Healthcare providers and insurers as well as employee health plan administrators are particularly vulnerable to data security incidents due to the highly sensitive nature of that data. Healthcare clients also require skilled assistance to navigate extensive and constantly evolving regulations that define their industry. Companies that do business with healthcare entities may not appreciate their exposure as business associates and the information they receive and maintain on behalf of their customers.
  • How: With an increase in the amount of dedicated and focused resources that address healthcare clients’ privacy and information security needs, the new DADM Practice Group better synergizes the ways in which to address those risks – particularly for larger healthcare organizations with a national, and often international, reach – and across the various DADM teams.

California AG Releases Modified CCPA Regulations

UPDATE: On February 10, the California Attorney General updated the modified regulations that were issued on February 7. The updated modified regulations are available here. The public comment period has been extended by one day to February 25, 2020.

On February 7, 2020, the California Attorney General published a second version of the proposed regulations to implement the California Consumer Protection Act, available here. A redline against the first draft is available here. A new public comment period is now open until 5 pm Pacific on February 25, 2020. A summary of what is now proposed to change will be forthcoming. For more information on the CCPA generally, see our Consumer Privacy Resource Center.

The Privacy Governance and Technology Transactions Team


Who: The team leads are Partners Janine Anthony Bowen and Melinda McLellan.

What: The Privacy Governance and Technology Transactions team provides clients with sophisticated and effective support for their most forward-thinking initiatives. Intellectual property has long been a significant value driver for many businesses. Now the focus is on data, and companies must grapple with how best to harness the power of their information assets while guarding against security risks. The ability to balance these considerations without stifling innovation offers a competitive edge in a crowded marketplace.

Steps to Develop a Mature Third-Party Risk Management Program With High-Risk Third Parties (Part 3)

Part 1

Part 2

This blog is the third in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls, such as assessing compliance with regulations, vetting third-party security practices, and establishing data breach and cyber exploit incident response procedures. While the complexity of cyber risks intensifies, together with an increasingly challenging privacy and security regulatory environment, the overall maturity of third-party risk management programs is barely keeping up. Resource constraints, a lack of standardization of risk assessment processes and the difficulty of determining the “source of truth” of data held by third parties continue to dog many organizations.

Part 3 – Evaluating and Vetting Third Parties’ Security Practices

It’s not uncommon for organizations to have hundreds or thousands of vendors or third parties with access to personal and sensitive information, or that provide critical services. Attackers may not need to breach a well-protected internal server of your organization if the same information is not protected consistent with your organization’s security requirements. If a third party is given some level of trusted access to internal networks, it might be easier for a hacker to simply compromise the third party and then use its privileged access to break into a network containing the target data the hacker wants to steal, or to otherwise cause damage. For example, last year, Krebs on Security reported that hackers used the internal systems of Indian information technology (IT) outsourcing and consulting giant Wipro as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records

In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the Health Insurance Portability and Accountability Act (“HIPAA”) and 2016 guidance issued by United States Department of Health and Human Services Office (“HHS”) on the fees that may be assessed to patients for copies of medical records.

In 2017, CIOX Health, a provider of release of information and disclosure management services, filed suit against HHS alleging that portions of the 2013 Omnibus Rule and related guidance “unlawfully, unreasonably, arbitrarily, and capriciously” sought to restrict the fees that can be charged by healthcare providers and their business associates for providing copies of medical records, and violated the Administrative Procedure Act (“APA”).

Background

The rules and guidance at issue in the lawsuit expanded upon the provisions in the HIPAA Privacy Rule related to the fees that can be charged to patients who request copies of their medical records for their own personal use. Under the HIPAA Privacy Rule, healthcare providers are permitted to assess a “reasonable, cost-based fee” for copying a patient’s medical records, limited to just “the labor and supply costs of copying” those records and postage for mailing those records (if mailing was requested by the patient). Under the Privacy Rule, healthcare providers are prohibited from passing on to patients any other costs associated with processing patient requests for copies of medical records. The Privacy Rule did not explicitly address the calculation of fees that could be assessed when copies of medical records are requested by third parties, such as a patient’s attorney in a medical malpractice claim.

Following SCOTUS Cert Denial, Facebook Settles BIPA Case for $550 Million

One decision, two far-reaching effects. This aptly describes the Supreme Court’s Jan. 21, 2020, decision to deny Facebook’s petition for certiorari in Patel v. Facebook. The Supreme Court’s denial spelled an end to Facebook’s nearly five-year quest to dismiss this case, which began in August 2015 when three Facebook users filed a consolidated putative class action alleging that Facebook’s “Tag Suggestions Feature” violated the Illinois Biometric Information Privacy Act (BIPA).

On Jan. 29, 2020, the New York Times reported that Facebook had agreed to settle the case for $550 million.

BIPA BACKGROUND

Enacted in 2008, BIPA imposes restrictions on how private entities may collect and use the biometric information of Illinois residents. In general, the term “biometrics” may refer to a variety of measurements based on biological characteristics. Biometric identifiers, however, are specific, measurable characteristics used to identify individuals, such as fingerprints or retina scans. BIPA defines “biometric identifier” to mean “… a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” whereas the broader term “biometric information” is defined as “… any information … based on an individual’s biometric identifier used to identify an individual.”

Departments of Education and HHS Release Joint Guidance on the Relationship Between FERPA and HIPAA

At the end of 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and U.S. Department of Education Student Privacy Policy Office (ED) issued an update to their joint guidance on the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in an effort to help clarify permissible disclosure and how the two statutes apply to student records.

While the update to the joint guidance does not represent a sea change in how OCR and ED interpret the interplay of the respective privacy regulations and student health information, it does provide an important reminder for institutions and entities to consider the nuance of their unique operational makeups as it relates to their handling and transmission of health and educational information for students and minors.

FERPA applies to educational agencies and institutions that receive federal funds under any program administered by ED. Generally, this applies to public elementary and secondary schools, school districts, and postsecondary institutions (including medical and professional schools). Any school subject to FERPA’s terms may not disclose a student’s educational records or any personally identifiable information (PII) from those records without the prior written consent of a parent or an “eligible student,” unless one of the exceptions to non-consensual disclosure applies. An eligible student is one who has reached the age of 18 years or attends a postsecondary institution. FERPA further distinguishes between an “education record” and a “treatment record.” A treatment record is a record for a student age 18 years or older or who is attending a postsecondary institution, which is made by a medical or mental health professional and maintained or used only in connection with the provision of treatment to the student, and which is available only to appropriate professionals for that treatment.
