Privacy & Security Matters

Mintz Levin: Data Compliance & Security, Employee Privacy Lawyer & Attorney

FCC’s Retroactive Solicited Fax Opt-Out Waiver Window Closing

Posted in Class Action Litigation

Written by Ernie Cooper

Businesses that engage in fax advertising and solicitation should pay careful attention to the recent ruling by the Federal Communications Commission clarifying that even fax advertisements sent with the prior express invitation or permission of the recipient must include an opt-out notice that: (1) is clear and conspicuous and on the first page of the ad; (2) states that the recipient may request the sender not send any future ads and that failure to comply with an opt-out request within 30 days is unlawful; and (3) contains a telephone number and fax number for the recipient to transmit an opt-out request.

Because there had been some confusion about whether the opt-out requirement applied to solicited fax advertisements, the FCC granted a retroactive waiver of the requirement to 24 companies that had asked for the clarification, allowing them until April 30, 2015, to come into full compliance with the opt-out requirement.

The FCC also said that it would entertain similar requests from other parties for retroactive waiver of the rule, but warned that it expected those parties “to make every effort to file such requests prior to April 30, 2015.”  It said that such requests would be adjudicated on a case-by-case basis.  The FCC recently asked for public comment on retroactive waiver petitions filed in November by eight additional fax advertisers.

There has been no confusion about the requirement to include an opt-out notice in unsolicited fax advertisements sent to persons with whom the sender has an existing business relationship or “EBR,” and the FCC window for waiver requests does not apply to any violation of those rules.  Sending an unsolicited fax advertisement to a person with no EBR remains prohibited.

Fax advertising and telemarketing calling campaigns have increasingly been the subject of class action suits filed under the Telephone Consumer Protection Act (TCPA), underscoring the importance of understanding and applying the rules – even where apparent permission to send the fax or make the call has been obtained.

On the Twelfth Day of Privacy, My True Love Gave to Me …. 12 Different Types of Wearables!

Posted in 12 Days of Privacy, Cybersecurity, Data Breach, Data Compliance & Security, Privacy Regulation, Security

And what will that new gadget be spilling about you??

Written by Julia Siripurapu, CIPP

There is no doubt that wearable devices are among the hottest gifts of the season! From fitness bands and smart watches to wearable cameras and the Google Glass, there is definitely someone on your list (including you!) who may benefit from a wearable gadget. While wearable technology has great potential to improve our lifestyle, health, and even work productivity, it also causes concern for current and future users.

On the Eleventh Day of Privacy, the Drones Brought to Me…..

Posted in 12 Days of Privacy, Cybersecurity, Insurance, Privacy Regulation

…new insurance coverage endorsements

Written by Nancy Adams

A few days ago, media outlets released a video of a kangaroo knocking a drone out of the sky.

Apparently, this “privacy loving” kangaroo was less than pleased with the drone following her family. While the drone obtained impressive footage of the kangaroos, it was clear that this kangaroo had had enough. As new technologies enter the stream of commerce, companies using such technologies likewise face new risks and exposures – whether from a kangaroo or other source.

On the Tenth Day of Privacy, OCR Gave to Me…..

Posted in 12 Days of Privacy, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

……………..a cumbersome C-A-P

Written by Dianne Bourque 

The U.S. Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations; for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million for their separate HIPAA violations. While the risk of steep fines and bad publicity should be sufficient motivation for regulated entities to maintain a robust HIPAA compliance program, there is another aspect of HIPAA enforcement that receives far less media attention but can be just as onerous: the corrective action plan, or “CAP.”

Much like a year-long membership in the Jelly of the Month Club, the CAP is the gift that keeps on giving – the whole year. Actually, most CAPs spread the cheer for at least three years following an initial OCR settlement. For the 10th Day of Privacy, we take a closer look at the CAP.

On the Ninth Day of Privacy, my true love gave to me….

Posted in 12 Days of Privacy, Mobile Privacy, Privacy Regulation, Security

a tracking device in my car …. she is now my ex-true love….

Written by Jonathan Cain

A year ago, privacy and data security issues in the media were all about credit cards and identity theft. Concerns about privacy related to location data were, at least among the general public and Congress, somewhere in a galaxy far, far away. Users of mobile devices had relatively few complaints about the scraping, aggregation and sale of location data, if they were even aware that it was occurring.

What a difference a year makes.


On The Eighth Day of Privacy, Health Care Systems (Over)Shared Data

Posted in 12 Days of Privacy, HIPAA/HITECH, Privacy Regulation

When is “sharing” too much of a good thing?  And will it get worse for health care systems in 2015?  Read on…..

Written by Stephanie D. Willis

Data sharing has become a point of sharp focus in the efforts to improve the quality and efficiency of health services in the United States.  Given all that has happened in health care privacy (e.g., higher than ever penalties under the Health Insurance Portability and Accountability Act (HIPAA) and the involvement of more government agencies in the enforcement of privacy violations), next year promises to be an important one for health care and privacy, particularly for integrated health care systems.

So what are the challenges that integrated health care systems should anticipate in 2015 and beyond as they try to streamline the fragmented care model that has dominated for so long in the United States?

On the Seventh Day of Privacy, federal agencies gave to me…..

Posted in 12 Days of Privacy, Cybersecurity, Data Breach Notification, Federal Trade Commission, Privacy Regulation

Questions of Authority – who will be the federal regulatory cop on the privacy beat?  FTC?   FCC?  Privacy, Data Security Jurisdiction Questions to the Forefront in 2015

Written by Christopher Harvie

As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.

Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm. The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices. Instead, the court determined that the FTC complaint against Wyndham adequately pleaded “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require use of complex passwords, erect adequate firewalls to prevent access by 3rd parties and insecure devices to enterprise servers, utilize up-to-date operating systems that could receive security patches and upgrades, or adequately inventory its computers in order to readily locate compromised devices. Issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the court’s decision does not constitute a ruling on the merits of the FTC complaint. The jurisdictional issue is the subject of an interlocutory appeal to the 3rd Circuit, which remains pending while the parties engage in court-ordered mediation.

On the Sixth Day of Privacy, the hackers gave to Sony……

Posted in 12 Days of Privacy, 201 CMR 17.00, Cybersecurity, Data Breach, Data Compliance & Security, Security

many more than six different hacks…….and headaches……

Written by Jonathan Ursprung

With the holiday season in full swing, many of us are struggling with that age-old question: “what do you get for the person who has everything?”  Well, if that person happens to be your supreme leader, the answer may very well be “a massive download of electronic dirty laundry on their sworn enemy”.

In late November of this year, the disturbing outline of a massive data breach at Sony Pictures began to form. Early indications suggested that the perpetrators may have been acting on behalf of, or to curry favor with, Kim Jong-un of North Korea; Sony Pictures had been promoting its upcoming film “The Interview”, which features a fictional assassination plot targeting the head of state. While North Korea has since denied involvement, the possibility that state-sponsored hackers had carried out this attack was both credible and, ultimately, unsurprising.

On the Fifth Day of Privacy, California (and Delaware) gave to me

Posted in 12 Days of Privacy, Children, Cloud Computing, Data Breach Notification, Legislation, Privacy Regulation

sing it with me now….

Five Golden Rules…….(well, five new privacy laws/requirements)

There are five significant new privacy laws/amendments that will be effective as of New Year’s Day — January 1, 2015 — and four are from California. Pull up a chair, brew that cup of tea. It’s time to review and prepare.

On the Fourth Day of Privacy, My Insurance Carrier Gave to Me…..

Posted in Cyber Risks Boardroom Series, Cybersecurity, Insurance, Privacy Litigation

gaps in my cyber liability coverage……………..

Written by Heidi Lawson and Danny Harary

What can companies and insurers expect in the new year when it comes to cyber liability insurance coverage? While we wait for some court decisions interpreting these new stand-alone cyber liability insurance policies that are being heavily pushed in the market, there are some steps a company can take now to make sure the scope of its insurance coverage is consistent with its expectations.

With many insurers now entering the market looking to make a profit on this new coverage, the question is: how broad is this new coverage – really?