Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time.  More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities.  Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency.  Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation.  Additional information on the HIPAA Security Rule can be found here.

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

Originally published in our sister blog, Health Law & Policy Matters

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

 Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”  

–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.

 

 

Mintz Levin continues to be at the forefront of issues related to contractual arbitration provisions, helping clients optimize their dispute resolution and risk mitigation processes. Check out our sister blog’s latest post, which pieces together a top-10 list of issues in-house counsel should consider when crafting these provisions.   These questions can also apply to the crafting of arbitration clauses in online terms of use and privacy policies.

Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.”  The purpose of Store Sales Management is to allow for the matching goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”

The significance of this is immense.  No longer will advertisers have to wonder how much revenue can be tied to a specific campaign, instead the Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products.  Continue Reading FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”

If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes.  Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages.   Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number.    Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties.   PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices.   Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.

 


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech

Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Recently, Oregon’s Governor Kate Brown signed H.B. 2090 into law after near unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies. Continue Reading Oregon Ramps up State Consumer Protections in an Era of Deregulation

Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.

The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns and it arrives as threats of international hacking and cyberattacks reach an all-time high. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical IT infrastructure, and (3) protecting the American public in the online space. The full text of the executive order can be found here.

While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.

Modernizing & consolidating federal networks

Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”

The move to modernize is an extension of similar efforts from the Obama administration to bolster cybersecurity, an area in which Bossert says the administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity developed in 2014 by the National Institute of Standards and Technology (“NIST”) to manage cybersecurity risk. Coincidentally, the Framework may be revised soon as the NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version to be used by government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which secures more efficient funding for the modernization of federal IT infrastructure and is expected to hit the floor of the House of Representatives within the next couple of weeks.

Reinforcing critical infrastructure

The second prong of the executive order requires the Secretary of Homeland Security to prepare an audit of potential vulnerabilities across the country’s infrastructure systems – from financial and telecommunications systems to utilities including water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as traditional data breaches are losing ground to more devastating Distributed Denial of Service (DDoS) botnet attacks made possible by the growing Internet of Things, or “IoT” (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).

Protecting the public online

Finally, President Trump’s executive order urges policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnerships between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are proving to be the heart of progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.

President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.