HL Chronicle of Data Protection Privacy & Information Security News & Trends

Michael Epshteyn

Posts by Michael Epshteyn
Posted in Financial Privacy

CFPB Finalizes Rule to Ease GLBA Privacy Notice Requirements

The Consumer Financial Protection Bureau (CFPB) has finalized a proposed rule that will eliminate the need for certain financial institutions to mail annual privacy notices to their customers, so long as the institutions publish their privacy notices online and engage only in limited sharing of customer information.

Posted in Health Privacy/HIPAA

As Business Associate Agreements Amendment Deadline Approaches, OCR Discusses Upcoming HIPAA Audits

The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.

Posted in Health Privacy/HIPAA

NIH Issues Rules on Genomic Data Sharing

On August 27, 2014, the National Institutes of Health issued a new Genomic Data Sharing Policy, which replaces the current genome-wide association study data policy that was instituted in 2007. The GDS Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data as well as the use of that data for subsequent research. As discussed in this post, the Policy promotes the use of broad informed consent for future study and sharing.

Posted in Health Privacy/HIPAA

California Appeals Court Rules that Mere Possession of Medical Information by Unauthorized Person is Insufficient to Support Breach Claims Under the CMIA

In a ruling that was welcome news to health care providers, insurers, and others that maintain medical information of California residents, the California Court of Appeals recently held that the mere possession of medical information by an unauthorized person, without actual viewing of the information, is not sufficient to establish a breach of confidentiality under the California Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56 et seq.

Posted in Financial Privacy

CFPB Announces Inquiry into Mobile Financial Services and Issues Consumer Tips on Use of Mobile Devices

The Consumer Financial Protection Bureau is exploring how consumers—particularly members of economically vulnerable and underserved communities—are using mobile technology to access financial services and manage personal finances. In a Request for Information announced earlier this week, the CFPB notes that a large percentage of unbanked and underbanked consumers, many of whom are low-income, have access to mobile phones, a significant number of which are smartphones, and that accessing financial products, services, and financial management tools via mobile devices has the potential to empower consumers to take more control over their financial lives, to increase savings and reduce debt.

Posted in Financial Privacy

CFPB Proposes to Alleviate GLBA Privacy Notice Requirements

The Consumer Financial Protection Bureau has issued a proposed rule that would eliminate the requirement for banks and other financial institutions subject to CFPB jurisdiction to deliver an annual privacy notice to their customers, provided the institutions take certain privacy-protective measures. The CFPB proposal demonstrates that the agency is following up on its 2011 streamlining initiative, in which it solicited comment on possible alternatives to delivering the annual privacy notice, and recognizes at least to some extent the online world that most consumers now embrace.

Posted in Financial Privacy

CFTC Issues GLBA Security Guidelines

The Commodity Futures Trading Commission has issued guidance for CFTC-regulated financial institutions on compliance with the security safeguards provisions of Title V of the Gramm-Leach-Bliley Act. In a Staff Advisory, the CFTC recommends that futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants implement certain best practices to meet their obligations under GLBA, as well as the CFTC’s GLBA regulations at 17 C.F.R. Part 160, to adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

Posted in Health Privacy/HIPAA

HHS Issues Guidance on Sharing Mental Health Information

HHS has issued new guidance addressing when it is appropriate under the HIPAA Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. The guidance does not impose new obligations, but rather is intended to clarify the application of existing HIPAA requirements to the disclosure of mental health information. Covered entity providers that handle such information may find it helpful to review the guidance to ensure that their practices are consistent with regulatory expectations.

Posted in Social Media

Financial Regulators Finalize Social Media Guidance and Address Industry Questions

The Federal Financial Institutions Examination Council (FFIEC) has released final supervisory guidance on the use of social media by financial institutions. We last reported on the guidance when it was published in draft form in January 2013. The final guidance is substantially similar to the proposal (and we encourage you to read our prior post for more details on the elements of the guidance), but the FFIEC made certain revisions in light of the 81 public comments it received on the proposal.

Posted in Health Privacy/HIPAA

HIT Policy Committee Approves Accounting of Disclosure Recommendations, Including Removal of Proposed Access Report Requirement

Last week the Office of the National Coordinator’s Health IT Policy Committee approved recommendations from its Privacy and Security Tiger Team workgroup to scale back HHS’s proposed accounting of disclosures regulations. The Tiger Team developed its recommendations after months of work, including a September 30 virtual hearing in which the Tiger Team heard testimony from providers, payers, business associates, patient advocates, and other stakeholders.

Posted in Cybersecurity & Data Breaches

California Expands Breach Notification Law to Cover Online Accounts

California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts. Under the new law, companies would be required to notify individuals if and when their passwords, usernames, or security questions and answers are compromised or stolen. The latest amendments become effective as of January 1, 2014.

Posted in Consumer Privacy, Financial Privacy

FTC Issues New Red Flags Rule Guidance

The Federal Trade Commission (“FTC”) recently issued a revised guidance (“Guide”) on the Red Flags Rule (“Rule”) (see “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business”). The Red Flags Rule requires certain businesses to develop, implement and administer an identity theft protection program. The purpose of this Guide is to […]

Posted in Consumer Privacy, Financial Privacy, Social Media

Bank Regulators Propose Social Media Guidance; Comments Due March 25, 2013

The Federal Financial Institutions Examination Council (FFIEC) has released proposed guidance on the use of social media by financial institutions, including banks, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau. The proposed “Social Media: Consumer Compliance Risk Management Guidance” (“Proposed Guidance”) defines “social media” broadly to include micro-blogging sites (like Google […]

Posted in Consumer Privacy, Employment Privacy

Michigan Becomes Latest State to Enact Social Media Privacy Law

Last week, Michigan enacted a social media privacy law that prohibits employers and educational institutions from requesting access to the personal social media or other internet-based accounts of employees or students. The new law, known as the Internet Privacy Protection Act, provides that employers or educational institutions (ranging from elementary schools through institutions of higher learning) may not […]

Posted in Consumer Privacy

Lawmakers Develop Mobile Privacy Legislation While California AG Files Privacy Suit Against Mobile App Developer

James Denvil, an associate in our Washington office, contributed to this entry. This week, Washington lawmakers and California’s Attorney General focused their attention on mobile privacy. The Senate Judiciary Committee is considering a measure that would establish legal requirements for apps that collect or share location information from mobile devices. A Democratic congressman released for […]

Posted in Consumer Privacy, Cybersecurity & Data Breaches, Financial Privacy

FTC Amends Red Flags Rule to Adopt Narrower Definition of “Creditor”

The FTC has issued an interim final rule to amend the Identity Theft “Red Flags Rule,” which requires certain “financial institutions” and “creditors” to develop and implement a written identity theft prevention program to identify, detect, and respond to possible incidents of identity theft. The interim rule amendment conforms the Red Flags Rule’s definition of […]

Posted in Health Privacy/HIPAA

California Adds Affirmative Defense to Medical Privacy Law

A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. The changes to the CMIA are summarized in this entry.

Posted in Consumer Privacy

District Court Rules Online Video Streaming Subject to VPPA Restrictions

A federal magistrate has ruled that the Video Privacy Protection Act (“VPPA”), a federal statute that restricts “video tape service providers” from disclosing information about their customers’ viewing habits, applies to online streaming video providers. This is the first time that the VPPA, enacted in 1988 in response to the disclosure of Supreme Court nominee Robert Bork’s video rental records, has been found to apply to streaming video services.

Posted in Cybersecurity & Data Breaches

FTC Reaches Settlements Over P2P Data Breaches

The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.

Posted in Cybersecurity & Data Breaches

SEC and CFTC Propose Identity Theft Red Flags Rules

The FTC Red Flags Rules were not specific to the securities industry, and there was some confusion as to which entities were subject to their requirements. This blog entry describes proposed rules to apply Red Flags rules to certain broker-dealers, investment companies, investment advisers, futures commission merchants, commodity pool operators, introducing brokers, and other SEC- and CFTC-regulated entities.

Posted in Cybersecurity & Data Breaches

House Subcommittee Holds Hearing on Breach Notification Proposal

A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short period of time — within 48 hours of discovering a breach.

Posted in Health Privacy/HIPAA

HIPAA Security Rule Oversight by HHS is ‘Insufficient’ According to the OIG

The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement “were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule.”