Privacy

As the shock of Trump’s surprise election win gives way to processing the consequences of a Trump presidency, one issue that has not gotten as much attention is privacy and data security.

Trump did not say much on this topic on the campaign trail and his “vision” for cybersecurity on his campaign website is relatively thin. But we can glean some information from his public comments. As always with Trump, unpredictability is his trademark, so it is anyone’s guess whether his actions going forward will be consistent with his past statements.

More and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected ways. Unfortunately, the thinking about this question often arises after financial distress is readily apparent, such as after a bankruptcy filing. Planning should occur much earlier, whether for the business in distress or in dealing with a business that could suffer financial distress (hint 1 – the latter is every business).

With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and understates its breadth and depth.

Rather bank privacy is genetically coded into the customer relationship and has been since the beginning. Perhaps “privacy” is even the wrong word as “confidential” seems more apt. Protecting bank customer confidences has long been recognized on both state and federal levels, at common law and in numerous statutes pre-dating GLB. For perspective, in 1995 I revised my bank’s deposit agreement and made extensive reference to customer confidentiality and the bank’s information sharing practices, embodying almost all the concepts later enshrined in GLB.

Posting a terms of use document on your website or mobile application defines the terms that govern your customers’ use of your website or mobile application and greatly reduces your exposure to liability when providing goods or services through a web-based application. A privacy policy describes to your consumers what information you collect, how you collect

The European Union and United States differ greatly on law regulating the collection and transfer of personal data. For many years companies could rely upon the U.S.–EU Safe Harbor to lawfully make transatlantic data transfers and bridge the gap between the differing privacy frameworks. But in October 2015, the EU Court of Justice invalidated the U.S.–EU Safe Harbor on the grounds that it did not adequately protect personal data. This ruling jeopardized the continued flow of data from the EU to the United States and left many companies wondering how they could continue collecting and using data from the EU without violating the law.

Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience for entities that choose or fail to perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to-date against a single entity.

Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) computer, bringing an end to the federal criminal investigation. Recapping the hacking highlights, Correa accessed the Astros’ proprietary player information database, Ground Control. Ground Control contained the Astros’ “collective baseball knowledge” drawn from player statistics, impressions and opinions of the team’s scouts, coaches, statisticians and doctors, and other sources. Correa also accessed the email accounts of several members of the Astros front office including “Victim A” (likely former Cardinals executive and present Astros general manager Jeff Luhnow), “Victim B” (likely former Cardinals and present Astros sabermetrician Sig Mejdal), and at least one other person. According to the Astros, Correa accessed Ground Control at least 60 times on 35 different days over a 15-month period; one can only speculate as to breadth and depth of Correa’s access to the Astros’ email system. The intrusions initially appeared to have emanated from a device housed in a condominium in Jupiter, Florida (the Cardinals’ spring training home), but given the lengthy period of time, likely involved other devices in other locations. Correa gained access to the Astros’ systems by having Luhnow’s Cardinals’ passwords which were “similar” to his Astros’ passwords. Correa both reviewed and downloaded Ground Control information.

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. It provides medical professionals the resources they need to target the specific treatments of the illnesses that patients may encounter. Although the term “precision medicine” is relatively new, the concept has been a part of healthcare for many years. For example, a person who needs a blood transfusion is not given blood from a randomly selected donor; instead, the donor’s blood type is matched to the recipient to reduce the risk of complications.