
This blog is a service of Alston & Bird's Privacy & Data Security team and focuses on key data privacy and data security issues.


FTC Settles with TRUSTe Inc. Over Deception Claims

The Federal Trade Commission (FTC) and TRUSTe Inc. entered into a settlement agreement Monday over the FTC’s allegations that the internet privacy certifier deceived consumers about its privacy seal recertification program and allowed its customers to falsely advertise it as a nonprofit entity. Under the settlement, TRUSTe will pay a $200,000 fine and stop making certain claims.


Kim Peretti Addresses Cyber Risk with the National Retail Federation

November 11, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Cybercrime, Cyber Risk

The National Retail Federation featured a three-part series, “Talking Tactics,” that examined cybercrime in retail and how the industry is responding.


Law360 Quotes Dominique Shelton on CA Online Privacy Protection Act

November 5, 2014 | Posted by Privacy & Data Security Team | Topic(s): Mobile Technologies, California Online Privacy Protection Act (Cal-OPPA)

California Attorney General Kamala Harris reiterated her commitment to enforcing the state’s Online Privacy Protection Act following her re-election and to pursuing guidelines advising companies how she will interpret the act.


Data Protection Commissioners Adopt Resolution on International Cooperation

On October 14, the International Data Protection and Privacy Commissioners’ (“IDPPC”) conference adopted a resolution calling for increased enforcement cooperation among international data protection authorities. Data protection authorities from around the world participated in the IDPPC conference, including representatives from Europe, Asia, the United States (including the Federal Trade Commission), and South America.


Defendants to Pay FTC $9.3 Million to Settle Suit Over Alleged Text Messaging Scam

Three groups of defendants have agreed to pay the Federal Trade Commission (FTC) $9.3 million to settle claims that they operated a scam to send unsolicited and deceptive text messages to millions of consumers. The settlement is the result of a major campaign by the FTC targeting senders of unsolicited commercial messages using the promise of free gifts or products to get consumers to reveal “personal information for sale to marketers, their mobile numbers to cram unwanted charges on their bill, and to drive them to paid subscriptions for which the senders receive affiliate referral fees.” The FTC filed at least eight different complaints around the country charging 29 defendants with sending approximately 180 million unsolicited text messages to consumers. This settlement resolves FTC v. Acquinity Interactive, LLC, et al., No. 1:13-cv-05380 filed on July 29, 2013 by the FTC in the Northern District of Illinois.


EU’s Article 29 Working Party Releases Opinion on Internet of Things Protections

The European Union’s Article 29 Data Protection Working Party (WP29) adopted an opinion (the Opinion) on September 16, 2014 regarding data protection within the Internet of Things (IoT). Recognizing the rapid growth of the IoT, the Opinion responds to emerging data privacy concerns within the IoT, and provides recommendations for stakeholder compliance with EU data protection laws.


Alston & Bird's Dominique Shelton Presents Panel On Omnichannel Innovation At National Retail Federation's Summit 2014 In Seattle, WA

October 15, 2014 | Posted by Shah, Sheila | Topic(s): Online Privacy, Marketing, Privacy, Mobile Privacy, Big Data

On October 1, Alston & Bird Partner Dominique Shelton and entrepreneur Maria Fernandez presented a panel on Omnichannel retailing, a marketing method that mixes physical and digital channels to create an innovative and unified customer experience, at the National Retail Federation’s 2014 Summit in Seattle, Washington.


HIPAA/HITECH Act Accounting of Disclosures NPRM: Redux?

In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI made to carry out treatment, payment and health care operations if the disclosures are made through an electronic health record (EHR). HHS also proposed to expand the accounting provision to give individuals the right to receive an access report of all uses and disclosures of electronic PHI in a designated record set. Additionally, the proposed rule would have shortened the period for which covered entities and business associates must account for disclosures (and provide an access report) to three years (instead of six years). At the same time, the proposed rule would have shortened the period within which such entities must respond to a request for an accounting (or for an access report) from 60 days to 30 days. We blogged about the proposed rule here, and issued an advisory that provides a section-by-section analysis of the proposed rule. The proposed rule generated significant comment, was criticized as impractical, and has not been finalized by OCR.


Alston & Bird’s Dominique Shelton Moderates Privacy Panel for Lex Mundi in Paris

October 3, 2014 | Posted by David Caplan | Topic(s): Advisories, Online Privacy, Privacy, Mobile Privacy

On September 26, 2014, Alston & Bird co-sponsored a privacy panel at the Lex Mundi IP conference in Paris, France. Moderated by Dominique Shelton, the panel featured speakers from Scripps Interactive Network, Roche Diagnostics, Jackel International, and GE.


Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014). Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may be useful in preparing for a HIPAA audit. The Health Care ADVISORY can be found on our website at: and as a pdf at: HIPAA Audit Program Phase 2 Update.

Written by Paula Stannard, Counsel, Health Care | Alston & Bird LLP


New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws. The bill: (1) amended California’s breach notification law to require that notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously applied only to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale, or advertisement for sale, of such numbers, with limited exceptions. The bill will become effective January 1, 2015. Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.


Laboratories Must Comply with New HIPAA Patient Access Rules by October 6, 2014

September 28, 2014 | Posted by Dempewolf, Julia | Topic(s): Health Privacy, Privacy, Health Insurance Portability and Accountability Act (HIPAA), Regulation

HIPAA covered laboratories and hospitals with laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) must comply by October 6, 2014 with changes to the HIPAA Privacy Rule that provide patients with direct access to laboratory test results. Earlier this year, the Centers for Medicare & Medicaid Services, the HHS Office for Civil Rights and the Centers for Disease Control and Prevention published a final rule amending the CLIA regulations and the HIPAA Privacy Rule to provide patients with greater access to their lab test results. As we previously blogged, patients may now request test reports directly from CLIA labs. As amended, the CLIA regulations, which are now effective, permit a CLIA lab to provide, upon request, a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports that, using the lab’s authentication process, can be identified as belonging to that patient. Beginning October 6, 2014, the Privacy Rule amendments (which eliminated an exemption for PHI held by CLIA labs) require HIPAA covered CLIA labs to provide individuals and/or their personal representatives with access to protected health information (“PHI”) about the individual maintained in a designated record set, under the Privacy Rule provisions establishing the individual’s right of access to PHI (“access rights”). Thus, the combination of the two provisions now requires most CLIA labs to provide test results (and any other PHI they maintain) when requested by the patient. Labs that are not covered by HIPAA may provide a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports, but are not required to do so.
(For more information on the final rule and how the new requirements interact with the Privacy Rule’s requirements for verification of the identity and authority of those exercising the access right, please see our February 6, 2014 blog post referenced above.)


WP29 Announces a Common “Tool-Box” Approach to Handling of Complaints under the Right to be Forgotten

September 18, 2014 | Posted by Maki DePalo | Topic(s): European Union (EU), International, Privacy, Data Protection

On September 18, 2014, the Article 29 Working Party (the “WP29”) issued a press release announcing that the European data protection authorities had agreed on a common “tool-box” approach to handling complaints lodged after search engines refuse to remove complainants’ entries from their search results.


HIPAA Audit Program Phase 2: Delayed

A representative of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program and has revised its plans for phase 2.


FTC Announces Final Agenda for September Big Data Workshop

September 10, 2014 | Posted by Barringer, Ty | Topic(s): Events, Federal Trade Commission (FTC), Big Data

The Federal Trade Commission has released a final program for its September workshop, “Big Data: A Tool for Inclusion or Exclusion?” During the workshop, speakers with a wide range of experience and expertise in the privacy field will present on the various issues and opportunities that arise from the relationship between big data and consumers.
