The influence of the Internet of Things (IoT) will undoubtedly be transformational with a total potential economic impact estimated to be $3.9 trillion to $11.1 trillion a year by 2025. In the race into the IoT marketplace, there are both known and unknown legal hurdles that will affect those who offer of goods and services during the proliferation of the Internet of Things.
St. Louis was named after Louis IX (born in 1214!), hosted a World Fair (technically, the 1904 Louisiana Purchase Exposition), the fleur-de-lis is ubiquitous, and we love soccer and football, although we have neither major league football nor soccer teams (St. Louis FC, our USL minor league soccer team, has a crest which features, you guessed it, a fleur-de-lis). However, St. Louis is known as the “Gateway to the West” – directionally away from Europe. Every once in a while, St. Louisans, like the rest of America, need to heed to what is going on over the pond, particularly when it comes to privacy and data security developments. Below is a brief update on a few foreign issues to begin the New Year.
It’s time for year-behind-us reminisces and year-before-us prognostications and, for those of us with nothing better to do during the last few days of 2017 and first few days of 2018, attention turns to HIPAA enforcement. So what happened and what can we look forward to? If past is prologue, expect the sound of silence as there was nominal Office for Civil Rights (OCR) activity in 2017 and, with the one noisy exception, no actions to cause your ears to burn.
In 2016, the U.S. Supreme Court in Spokeo, Inc. v. Robins, provided a potentially powerful Article III standing defense under F.R.Civ.P. 12(b)(1) seemingly applicable to a variety of privacy claims, including FCRA, FACTA, TCPA, and FDCPA statutory damage claims. The Court noted for a plaintiff to establish standing to sue in federal court, she must establish an “injury in fact” consisting of an invasion of a legally protected interest, which is both particularized and concrete.
Spokeo dealt with the “concrete” portion. To be concrete, an injury must be real but may also be intangible. Congress’ intent in creating a right is instructive, but not sufficient. Allegations of a bare procedural violation likely would not suffice to maintain standing. Some injuries create harm, others do not. Thanks for that.
Europe’s data protection rules will undergo their biggest change in two decades when the new General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. The GDPR replaces the current Data Protection Directive and imposes uniform data security requirements on all EU members. While the GDPR is “an evolution, not a revolution” for data protection, there are several significant changes for which companies should be prepared.
There was a recent headline-making story involving a Wisconsin employer that announced it was offering its employees the option to be microchipped to replace security badges they use regularly at work. Of the 85 employees, 41 decided to have the small chip implanted in their hand. Husch Blackwell attorneys Laura Ferrari and Erik Eisenmann break-down the seemingly futuristic concept of “chipped” employees and the privacy concerns it brings in a post that originated on Husch Blackwell’s Technology, Manufacturing and Transportation Industry Insider blog.
With a few more weeks left in the hurricane season, it may be a good time to review HIPAA Privacy Rule protocols in emergency situations.
The Occupational Safety and Health Administration (OSHA), an organization created by Congress to assure safe and healthful working conditions for working men and woman, declared on Friday, August 25, 2017 that what was believed to be a data breach by the Department of Homeland Security, was incorrect. The false alarm breach was related to data included in Injury Tracking Applications (ITA), which organizations must submit electronically to report injury or illness. Husch Blackwell attorneys, Erik Dullea and Matt Diehr, provide insight into this issue and background on the whether the data in an ITA is properly protected.
The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.
These days a data security plan should be treated as a top priority for all businesses. In the United States, the law dictates that businesses must secure any non-public third-party data it possesses which makes data security no longer a choice, but rather a legal obligation. Andrew Schlidt, a member of Husch Blackwell’s Data Privacy, Security & Breach Response team, give tips on how to comply with data security laws by implementing a “Written Information Security Plan” or “WISP.” The resourceful information is outlined in the “Legal Login” piece by IB Madison.