Privacy

In 2016, the U.S. Supreme Court in Spokeo, Inc. v. Robins, provided a potentially powerful Article III standing defense under F.R.Civ.P. 12(b)(1) seemingly applicable to a variety of privacy claims, including FCRA, FACTA, TCPA, and FDCPA statutory damage claims. The Court noted for a plaintiff to establish standing to sue in federal court, she must establish an “injury in fact” consisting of an invasion of a legally protected interest, which is both particularized and concrete.

Spokeo dealt with the “concrete” portion. To be concrete, an injury must be real but may also be intangible. Congress’ intent in creating a right is instructive, but not sufficient. Allegations of a bare procedural violation likely would not suffice to maintain standing. Some injuries create harm, others do not. Thanks for that.

The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.

With the rise of innovations like cloud technology and software-as-a-service, clients are increasingly finding that it makes business sense to outsource computerized services, from payroll processing to the storage of electronic medical records. While doing so often cuts costs, routing (frequently confidential) data through third-party service providers also implicates serious cybersecurity concerns and, in some cases, may increase potential liability. Further, one of the pillars of a commercially reasonable information security program is selecting and retaining service providers capable of maintaining appropriate safeguards. To address these concerns, and to keep data safe, clients should require service providers to furnish them with Service Organization Control (“SOC”) Reports, particularly SOC 2 Reports.

SOC Reports were developed by the American Institute of CPAs (AICPA) to provide information about the robustness and quality of a service provider’s internal controls over certain types of data. There are three types of SOC Reports, each serving separate functions.

On April 24, 2017, the Office of Civil Rights (“OCR”) announced the first HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information by a wireless service provider. CardioNet, an ambulatory cardiac monitoring service, provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, agreed to pay $2.5 million, and to implement a corrective action plan.

As reported by the OCR, in 2012 CardioNet reported to the OCR the theft of a workforce member’s unencrypted laptop containing electronic PHI (“ePHI”) of 1,391 individuals. OCR’s investigation revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.   Additionally, CardioNet’s provided the OCR draft policies and procedures implementing the HIPAA Security standards, and was unable to produce final policies or procedures implementing the security safeguards for ePHI, including mobile devices.

I recently decided to reread Dante’s The Inferno. One would not expect guidance on IoT privacy and data security (IotPDS) from a 700 year old text, but The Inferno, particularly Canto III, provides significant direction on consumer IoTPDS issues.  So,

“Abandon All Hope, You Who Enter Here.”

Ransomware. It is the word every corporate board and IT team fears. Ransomware is a type of malicious software that can quickly shut down an entire network of computers and compromise an enormous amount of critical data. Often, when a ransomware attack occurs, all connected systems are locked down and a message appears on the

Generally, one hears the term “big data” and, in the next breath, about the host of privacy issues implicated by that big data. Indeed, a quick google search confirms that in many of the top links appearing in a google search of “big data” include the word “privacy.”

There is a reason for this, of course: big data often contains a lot of information aggregated from different sources about individuals. Many times, consumer do not know in the first place that different pieces of information about them have been collected (or, if they know it has been collected, they do not know the information has been retained); they do not know that such information has been aggregated; and they do not know the aggregated information has been (and is being) further disseminated. Single pieces of information on their own pose a privacy risk. The aggregation of the information, which is then disseminated, poses a greater and different privacy risk.

As technology advances, the advertising world is keeping pace. Companies can now advertise more easily and effectively across the Internet. However, the risks associated with that convenience are becoming more and more apparent.

Many companies employ third-party advertising services that use online consumer data and automated software to place advertisements across millions of websites, thousands of apps, and different user-generated video services. Unfortunately, because of this wide-reaching marketing tool, organizations employing targeted ads risk having their advertisement and brand displayed alongside offensive content. (Some types and uses of targeted ads have even faced legal challenges.)