Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.
Hogan Lovells announced today that Edith Ramirez, the former Chairwoman of the US Federal Trade Commission, has joined the firm as a partner and will play an active role in Hogan Lovells’ Privacy and Cybersecurity practice. She will also co-head the firm’s Antitrust, Competition and Economic Regulation practice.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
As previously reported, on Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9th FinTech Forum and focuses on the discussions surrounding blockchain technologies, in which panelists reflected on the nascent stage of the technology, industry representatives expressed confusion over the applicability of current regulation, and regulators expressed a lack of clarity over jurisdictional questions.
On Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. The FTC acknowledged the benefits of technological developments in AI and blockchain technologies, but stressed that advancements in these technologies must be coupled with an awareness of and active engagement in identifying and minimizing associated risks. This blog post focuses on the AI discussion, which addressed how the values of privacy, autonomy, and fairness are affected by the advent of AI systems as well as how to ensure safety and security in the development and deployment of individual and connected AI systems.
500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.
Please join us for our November 2016 Privacy and Cybersecurity Events.
We are proud to announce that the Hogan Lovells Chronicle of Data Protection blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for the award of Best AmLaw Blog of 2016. Our editors at The Chronicle strive to provide you with the most relevant and timely legal news, practical legal analysis, and business insights relating to privacy and cybersecurity. We appreciate the recognition for this work and your continued readership.
On August 29, 2016, the Federal Aviation Administration’s long-awaited small unmanned aircraft systems rule went into effect, for the first time broadly authorizing commercial drone operations. This is a positive step, as drones have great safety and efficiency benefits for the public. Nevertheless, the American public remains concerned about drone privacy issues.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
The U.S. Department of Education and Department of Justice recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 and the Family Education Rights and Privacy Act. Here, we focus on the DCL’s guidance pertinent to compliance with FERPA.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
As reported in The New York Times, Hogan Lovells represented a diverse group of 15 major technology companies, such as Google, Facebook, Microsoft, Snapchat, and Cisco in filing last week an amicus brief in In re Search of an Apple iPhone.
To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However a recent decision from the European Court of Human Rights confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
Data privacy and security regulators don’t always agree. Take a look at the Federal Trade Commission for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk. On Thursday, November 5, 2015, the Future of Privacy Forum will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director David Vladeck) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues.
Tonight, the President’s State of the Union address covered, as he put it, “the tasks that lie ahead.” Among the policy initiatives that he proposed, he “urge[d]…Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” What he was referring to is a set of cybersecurity and info sharing initiatives and privacy and data security proposals that the White House started rolling out last week. The President also alluded to a report to be released next month that will address the Administration’s actions to curtail domestic surveillance programs. We provide here excerpts of the President’s address that discuss cybersecurity, data security, and privacy.
The Federal Trade Commission recently submitted comments to the Federal Communications Commission in which it reminded broadband Internet service providers that they are subject to several data privacy and security laws enforced by the FTC. The FTC’s comments underscore why broadband providers – as well as their vendors and business partners – must keep a close watch on both FCC and FTC developments in the privacy and security space.
In a recent client alert, Hogan Lovells partners from the firm’s London and Washington, D.C. offices highlighted key takeaways for businesses following the European Data Protection Supervisor’s Workshop on Privacy, Consumers, Competition, and Big Data. The workshop, hosted by EDPS in the European Parliament in Brussels on 2 June 2014, discussed the technological advances and market for ‘big data’ analytics and the policy implications for the fields of data protection, competition and consumer protection of the rapidly expanding digital economy in the EU and in other regions, particularly the in US. Around 70 experts attended, including representatives from the European regulators and the US Federal Trade Commission.
In an August 13 letter to Commissioner Viviane Reding, Article 29 Working Party Chair Jacob Kohnstamm requested more information regarding the United States’ national security surveillance program, including the widely-publicized PRISM program.
On April 25, Hogan Lovells partner Harriet Pearson testified before the US House of Representatives on the relationship between cybersecurity and privacy in business. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security held a hearing on “Striking the Right Balance: Protecting our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties” to examine existing privacy protections and learn more about potential improvements. Pearson first outlined several cybersecurity-related measures that may require access to personal information, and thus potentially implicate privacy concerns. Pearson then offered her views on steps business and government can take to incorporate respect for privacy into enhanced cybersecurity.
In Bloomberg BNA’s Privacy and Security Law Report, Hogan Lovells attorneys Des Hogan, Michelle Kisloff, and Chris Wolf have published an article addressing the increased litigation and regulatory risks that companies must address in the evolving privacy and data security landscape. After summarizing recent developments involving class actions and regulatory activities, the article offers guidance on how companies can reduce their financial and reputational exposure.