As was generally expected from informal comments by EU representatives, Privacy Shield has survived its first annual review.  Commissioner Jourova stated: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”  Specifically, the Commission highlighted the following in the press release today in which it announced its conclusions:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).

It’s worth noting the recommendation regarding enshrining the protections for non-Americans under Presidential Policy Directive 28 in the reauthorization of Section 702 — while President Trump has not withdrawn PPD-28, it’s not a given that protection for foreigners will be built into FISA.

The full report is available here.

 

Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time.  More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities.  Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency.  Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation.  Additional information on the HIPAA Security Rule can be found here.

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

Originally published in our sister blog, Health Law & Policy Matters

Earlier this month, an appellate panel of the federal DC Circuit unanimously held that individuals affected by a healthcare insurer’s data breach in 2014 could pursue claims against the insurer stemming from the cyberattack. In the process, the panel deepened a circuit split on the question of whether data breach victims have standing to pursue claims based solely on exposure of their sensitive personal information, while also adding significant risk of cyber-liability for companies that collect and store medical records of individuals.

In Attias v. CareFirst, Inc., the plaintiffs asserted claims on behalf of a purported class of one million customers of CareFirst, Inc. (“CareFirst”), a healthcare insurer in the Washington, DC metro area. In the 2014 cyberattack, hackers penetrated 22 computers and compromised the identifying health data of one million customers, including customer names, addresses, email addresses, subscriber ID numbers, and Social Security numbers. The plaintiffs did not allege that they had suffered any direct financial injury as a result of their identifying health data being exposed, but did allege they suffered an “increased risk of identity theft” as a result of CareFirst’s alleged negligent conduct. The district court granted CareFirst’s motion to dismiss, which asserted that the plaintiffs lacked standing to bring their alleged claims because they had not asserted either a present injury arising from the data breach or a “high enough likelihood of future injury.” Continue Reading D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing

The “business compromise email”  is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that they had been the victim of a crime.

A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making.  See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017).   In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction.   More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction.  Continue Reading Court Holds Crime Policy Covers Business Email Compromise (BEC) Loss


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech

In another example of increased restriction on the rights of non-U.S. Citizens, last week the Department of Homeland Security (“DHS”) published a policy memorandum limiting the privacy rights of immigrants and foreign nationals under the Federal Privacy Act of 1974.  This new guidance was issued to bring DHS policy in line with President Trump’s January 25 executive order.

The Privacy Act was established to govern the collection, maintenance, use and dissemination of personally-identifiable information maintained by federal agencies.  The Privacy Act, with specific exceptions, prohibits disclosure of such records without the consent of the individual.  It also provides individuals a means to access and amend their records.

Previous DHS guidance stated that such personally-identifiable information would be treated the same, regardless of citizenship.  However, consistent with the January 25 executive order, the new guidance provides that immigrants and nonimmigrant foreign nationals may not utilize these provisions and may only access their information through a request made pursuant to the Freedom of Information Act (FOIA).  Additionally, they may not request amendments of their records.  Furthermore, in connection with the new guidance, DHS stated that it permits the sharing of such information about immigrants and nonimmigrant foreign nationals from agency records with federal, state and local law enforcement.

In response to the current Administration’s “citizen-centric” policies, we are seeing an increased interest in applications for naturalization by U.S. Lawful Permanent Residents.

Originally posted in Mintz Levin’s Immigration Law Blog on May 2, 2017

Today’s Guest Post courtesy of Bill Kyrouz, Mintz Levin’s CISO:

Have you come to the conclusion that you need a Managed Security Services Provider (MSSP) to support your small to medium sized enterprise but don’t know where to start?

Delegating elements of your security operations can be a scary prospect.  An entire school of thought says “If you don’t do all of your information security in house, you aren’t doing it right.”  While I’m sympathetic to that thinking, and caution against completely outsourcing security, this post is intended to help those who seek outside assistance.

Let’s dig in: Continue Reading From the CISO Corner: Your Most Important Security Relationship

“Don’t make promises that you don’t intend to keep” is an admonishment received by every child and delivered by every parent. This pithy maxim is equally applicable to consent orders entered into with regulatory authorities. Indeed, Upromise’s failure to abide by it is costing the company $500,000 in the form of a civil penalty from the Federal Trade Commission (FTC). Continue Reading More Broken Privacy Promises from Upromise: Key Takeaways From Upromise’s Latest Settlement with the FTC

The European Union’s General Data Protection Regulation (the “GDPR”) goes into effect in a little over fourteen months and from a quick glance at our bullet points analysis you can see there is a lot to consider.  One crucial aspect you need to be thinking about now is how your organization collects and manages consents from individuals for processing their personal information.  Without a strong understanding of what valid consent means under the GDPR, before long you may find yourself holding valuable data that you are not able to process as you need to for your business.

To this end, the Information Commissioner’s Office (the “ICO”), the data protection authority for the UK, last week published a consultation draft of its GDPR consent guidance.  This is a practical resource meant to help organizations get to grips with the GDPR’s consent requirements and align their internal procedures and processing activities, as well as their customer-facing websites, marketing materials, and product infrastructure.   Although the UK ICO cannot speak for the other EU data protection authorities, they have a good track record of producing practical guidance set out in accessible language, which makes the ICO website a good first stop for US companies seeking to understand their obligations in the EU.  We encourage you to review this helpful resource and provide feedback to the ICO using their comment form by March 31.  We also offer this high-level snapshot of a few key points: Continue Reading It’s Not Too Early! ICO Guidance Regarding Consent Under GDPR

Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters