
This blog is a service of Alston & Bird's Privacy & Data Security team and focuses on key data privacy and data security issues.


Kim Peretti to Speak on AllClear ID Webinar

July 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Cybersecurity, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, will be a featured speaker on a webinar addressing the cyber risk landscape and best practices on breach preparation and response. The webinar, titled “Confidence in the Breach Age: Risks, Preparation, Response & Recovery,” will feature a panel of industry professionals who will share their perspectives on:

  • Understanding the reality of cyber risk to your organization
  • Legal practices in preparedness and response
  • Managing the forensics investigation with confidence
  • Restoring trust with notification, call center & consumer protection

The webinar will be held on Wednesday, August 20 at 12 p.m. Eastern. For more information and to register, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Florida Enacts One of Nation’s Most Stringent Data Breach Notification Laws; Includes 30-Day Notice Requirement

June 24, 2014 | Posted by Bruce Sarkisian | Topic(s): Legislation, Security Breach, US State Law, Data Breach

On June 20, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014, which updates Florida's data breach notification law. The changes take effect on July 1, 2014.


OCR Issues Two New Reports to Congress on HIPAA Compliance and Enforcement from 2011 to 2012

Last week the HHS Office for Civil Rights ("OCR") presented findings on Health Insurance Portability and Accountability Act ("HIPAA") compliance and enforcement to the National Committee on Vital and Health Statistics ("NCVHS"), an HHS advisory committee. The presentation reviewed OCR's two recently issued reports to Congress, which OCR is required to submit under the Health Information Technology for Economic and Clinical Health ("HITECH") Act. The first report, "HIPAA Privacy, Security, and Breach Notification Rule Compliance," examines the number and type of HIPAA complaints OCR received and how the agency responded. The second report, "Breaches of Unsecured Protected Health Information," reviews the breach notifications OCR received and the agency's response, and also covers the agency's first enforcement actions under the Breach Notification Rule.


Privacy Partner Dominique Shelton Authors Privacy Advisor Article on Hulu VPPA Case

Dominique Shelton, partner in Alston & Bird's Privacy & Data Security practice and member of the Litigation and Trial Practice group, authored an article published June 19 in the International Association of Privacy Professionals' (IAPP) Privacy Advisor titled "Court Denies Class-Action in Hulu Case, But There's More." In the article, Shelton discusses the Hulu consumer class action, which has been ongoing since July 2011. Shelton points out that any company that hosts video content on its website or mobile app and includes a "Like" button or other social networking plug-in should be following this case. The issue at hand is whether the technology behind the "Like" button violates the Video Privacy Protection Act (VPPA) by disclosing users' viewing habits without their consent. Because the case touches so many companies, it is an important one to follow. It resurfaced in the news this week because the court denied certification of the plaintiffs' putative class, without prejudice.


West Virginia High Court Finds Standing without Harm for Invasion of Privacy Claim in State Data Breach Class Action

June 20, 2014 | Posted by Zach Neal & Alex Brown | Topic(s): Health Privacy, Data Security, Litigation, Class Action

The West Virginia Supreme Court of Appeals recently issued an important, but outlier, decision in a data breach class action. In a per curiam decision, the Court held that the plaintiffs had standing to bring their claims even though discovery revealed that not a single class member, much less the named plaintiffs, had suffered any property damage or economic loss. Tabata v. Charleston Area Med. Ctr., No. 13-0766, --- S.E.2d ---, 2014 WL 2439961 (W. Va. May 28, 2014). Indeed, although some of the plaintiffs' personal information had accidentally been made available on a website, the court found no evidence that anyone had ever viewed that information. Despite this, the Court concluded that the plaintiffs had standing to bring two common law claims.


Angela Burnette and Julia Dempewolf Publish Article On Student Privacy and Preventing Campus Violence

Angela Burnette, counsel at Alston & Bird, and Julia Dempewolf, an associate at Alston & Bird, have compiled practical guidance for schools and universities on student privacy and the prevention of school violence. Their recent article, published by LexisNexis in Health Care Law Monthly, is entitled "Clarity Instead of Confusion: Available Solutions Under the HIPAA Privacy Rule and FERPA To Prevent Student Violence."


Hulu: The Northern District of California Denies Class Certification without Prejudice on Grounds Class Not Ascertainable

Data privacy practices and the related class action litigation remain high-profile topics that require close attention from companies. Brand damage, governance shakeups and congressional inquiries arising from data practices should provide sufficient motivation to stay current in these areas. This advisory examines the latest developments in the Hulu litigation involving alleged violations of the Video Privacy Protection Act. While a California federal district court has denied certification of a class of Hulu video service users, it left the door open for future class cases in this emerging area.

The full Cyber Alert is available here.

Written by Kim Chemerinsky, Senior Associate, Privacy & Data Security | Alston & Bird LLP

ComScore Reaches $14 Million Settlement in Electronic Privacy Class Action

June 17, 2014 | Posted by Dominique Shelton & Kim Chemerinsky | Topic(s): Federal Trade Commission (FTC), Privacy, Class Action, Big Data

On May 30, 2014, comScore Inc. announced a $14 million settlement in what was the largest class ever certified in an Internet privacy lawsuit. The class is composed of users who claim that comScore installed analytics software on their computers and sold their personal data to media outlets without their knowledge or consent. ComScore, a publicly traded company, faced upwards of $1 billion in liability under various federal statutes aimed at protecting consumer privacy, making this one of the largest (if not the largest) privacy class actions certified in the country.


FCC Chairman Outlines Industry-Led “New Regulatory Paradigm” for Cybersecurity Leveraging NIST Framework

FCC Chairman Tom Wheeler spoke on Thursday, June 12 at the American Enterprise Institute, where he explained the FCC's vision for improving the communications sector's cyber readiness. He announced a "new regulatory paradigm" in which the FCC "relies on industry and the market first while preserving other options if that approach is unsuccessful." Wheeler recognized that industry-led action on cybersecurity can be "more dynamic than traditional regulation," but said that all stakeholders' efforts must be "real and meaningful" for the paradigm to work. The FCC is developing a risk assessment tool, based on the NIST Cybersecurity Framework, to help communications sector companies assess their cyber risk and develop methodologies to close any cybersecurity gaps. As part of the new paradigm, the FCC acknowledged that it will be responsible for ensuring "market accountability" across the industry, and it is working on a method for measuring how effectively companies assess and manage their cyber risk.


International Collaboration Disrupts GameOver Zeus and CryptoLocker

On June 2, 2014, the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI), in collaboration with the European Cybercrime Centre at Europol, announced a multi-national effort to disrupt the GameOver Zeus botnet, which is built on a highly sophisticated strain of malware designed to steal banking and other credentials from infected computers. The DOJ and the FBI also announced the seizure of command and control servers central to CryptoLocker, a form of "ransomware" that encrypts the files on victims' computers and demands a fee in return for the key to unlock them.


Kim Peretti Quoted in Bank Info Security

June 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, Cybersecurity, Financial Privacy, Data Breach

Kim Peretti, co-chair of the firm's Security Incident Management & Response Team, was quoted in a Bank Info Security article titled "Target Breach: Hold Board Responsible?"

The article discussed a consulting firm's report to Target Corp. shareholders recommending that the company replace seven of the ten members of its board of directors. The seven served on the audit and corporate responsibility committees, which, according to the report, should have provided better oversight of fraud and other cyber-risks ahead of Target's major data breach.

“The study reinforces that boards need to address cybersecurity risks just as they deal with other types of enterprise risks,” Peretti said. "Boards need to be proactively engaged in understanding IT security risk and need to be asking probing questions in advance of a breach....A report from a consulting firm recommending that a company dismiss board members because of their handling of data security issues is unusual."

"It's the first that we're seeing [such] drastic or significant conclusions [like] in this report," she said. "Companies are still struggling with appropriate cybersecurity governance."

Written by Security Incident Management & Response Team | Alston & Bird LLP

A+B Privacy Team Provides Analysis of California AG Privacy Report: New Best Practices Guidance Applies to all Businesses Collecting Personal Information from California Residents

Following up on our previous blog post, California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies, regarding the release of the AG's report, please see our recently released client advisory providing a detailed analysis of the new privacy guidance: California Attorney General Kamala Harris Releases Long-Anticipated Guidance Regarding Privacy Policy Notices. As conceived, the Report is designed to apply to all businesses, regardless of the country or state in which they operate. This reflects the California AG's position that the California Online Privacy Protection Act (Cal-OPPA) applies to any company that collects personal information about California residents through its websites, online services or mobile apps, even if the business has no other connection to California.

Written by Dominique Shelton, Partner, Privacy & Data Security and Litigation and Trial Practice, and Paul Martino, Partner, Privacy & Data Security and Legislative & Public Policy | Alston & Bird LLP

Eleventh Circuit Paves the Way for the FTC’s Administrative Action to Proceed; FTC denies LabMD’s Motion for Summary Decision

Two decisions from last week have provided clarity, at least as to which tribunal will first decide whether LabMD violated Section 5, in the ongoing battle between the FTC and LabMD. In the first, the Eleventh Circuit refused to stay the FTC's administrative action against LabMD pending appellate review. That decision came on the heels of the district court's refusal to enjoin the FTC's administrative action for lack of jurisdiction. In the second, the FTC denied LabMD's Motion for Summary Decision. The net result is twofold. First, the trial in the FTC's administrative proceeding against LabMD is now in progress. Second, no federal court is likely to address the merits of LabMD's arguments until after the FTC's administrative action concludes.


David Keating Quoted by The Associated Press

May 27, 2014 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, International, Data Protection, Regulatory Enforcement , Tracking

David Keating, partner in the firm's Technology and Privacy Group and co-leader of the firm's Privacy & Data Security practice, was quoted in an article by The Associated Press titled "Europe's Move to Rein in Google Would Stall in U.S."

The article discusses a recent European Court of Justice ruling that some read as establishing a "right to be forgotten" on the Internet. "There will be serious technological challenges," Keating said. "It seems aspirational, not a reality, to comply with such a standard," he said. "The reengineering necessary to implement the right to be forgotten is significant."

To read the complete article, please click here.

Written by the Privacy & Data Security Team | Alston & Bird LLP

Transmitting PHI by Email

Email has become an important mode of communication for business operations, with approximately 100 billion business emails sent in 2013 alone. Many of these messages carry patients' personal and health information, such as test results, diagnoses and Social Security numbers. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") regulate the transmission of this sensitive information, known as protected health information ("PHI"), by Covered Entities and, in some circumstances, Business Associates.
