Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often:  KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches.  Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, and providers.  This attack is notable for all companies, not just healthcare providers covered by HIPAA.  Reportedly, the hackers gained access to Banner’s larger systems through the point-of-sale computer system that processes food and beverage purchases.  The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17. Continue Reading To Protect Data: Keep Your Network Access Close, and Your Vendors Closer

The certification forms for the new US-EU Privacy Shield Framework are now available online.   What is not easily discernible in the workflow is the fee structure.  One needs to refer back to the Federal Register’s implementation notice, published July 22. To save our readers the trouble, here is the “cost recovery program”:

Organization’s annual revenue            Annual fee
$0 to $5 million                         $250
Over $5 million to $25 million           $650
Over $25 million to $500 million         $1,000
Over $500 million to $5 billion          $2,500
Over $5 billion                          $3,250

On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMD, Inc.  The FTC concluded that the ALJ had erred in dismissing the Commission’s case against the lab testing company LabMD and had misapplied the unfairness standard.  The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm.  What does this mean for privacy enforcement?  Read on. Continue Reading FTC Plants A Flag With LabMD Ruling: What This Means for Enforcement

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes.  WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities.  In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running.  The WP29 statement promises that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”  WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation, that seems rather unlikely.  The WP29 does not have the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge.  If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest, and realistic, interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year.  Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The U.S. Court of Appeals for the Ninth Circuit recently issued a decision that could have far-reaching implications for the relationships between companies that provide online services, their customers or users, and third parties.  In Facebook v. Vachani, the Ninth Circuit found that Power Ventures violated the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code Section 502.  Power Ventures did this by continuing to access Facebook’s computer system after receiving Facebook’s letter to cease and desist such activity.  Although Power Ventures had permission from the relevant Facebook users, that authorization had been revoked by Facebook itself through its letter.

Vachani’s Business Model

Power Ventures (“Power”) is a company founded by CEO Steven Vachani.  As part of its business model, Mr. Vachani operated a social networking site.  The idea was that the site would act as a social network aggregator, allowing users to see all of their social network contacts across different services on a single page.  The user could then use the service to access the individual social networking sites.

Read on to understand what occurred in the case and what key takeaways it provides for senior decision makers and in-house counsel. Continue Reading Facebook v. Vachani – User Authorization Can Be Revoked By Service Providers

In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach.  The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors.  The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims.  The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors.  The SLC then moved to dismiss, as did Target and the defendant officers and directors.  Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1.  US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.

Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data).  Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar.  However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners.  Companies will also need to scrutinize their data retention practices carefully.  Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.

The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.

The final version of Privacy Shield (which has not yet been officially published) passed the Article 31 Committee vote on July 8th and is being presented today to the LIBE committee of the European Parliament.  LIBE’s vote is advisory, but it may provide some early indications as to how well Privacy Shield will survive anticipated legal attacks once it is formally adopted and implemented.

Formal adoption of Privacy Shield is widely expected to happen this week.  Once that happens, the US Department of Commerce or FTC should publish the final text and start processing registrations.  Companies considering certifying under Privacy Shield should note that it requires a greater degree of internal scrutiny and documentation than Safe Harbor did.

Companies that have put standard clauses in place following the demise of Safe Harbor will want to consider the pros and cons of participating in Privacy Shield rather than continuing to rely on the standard clauses.  Neither approach is guaranteed to be risk-free: The standard clauses have been sent to the Court of Justice of the EU for review under the second round of the Schrems case in Ireland, and Privacy Shield is virtually certain to end up before the Court of Justice at some point within the next year or two.

Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community.  To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”). This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020.  Continue Reading EU Adopts Cybersecurity Directive: What US Companies Need to Know

According to several news reports, the Commission has sent a revised draft of the Privacy Shield adequacy decision to the Article 31 Committee.  One tech industry news source, Ars Technica, has made available a purportedly leaked draft of the version of Privacy Shield that is being reviewed by the Article 31 Committee.  The Commission has reportedly asked the Committee to vote to adopt Privacy Shield on Monday.  Whether or not the Article 31 Committee will act swiftly remains to be seen, but we expect further news early next week.