

OCR Issues Two New Reports to Congress on HIPAA Compliance and Enforcement from 2011 to 2012

Last week the HHS Office for Civil Rights (“OCR”) presented certain findings regarding Health Insurance Portability and Accountability Act (“HIPAA”) compliance and enforcement to the National Committee on Health and Vital Statistics (“NCHVS”), an HHS advisory committee. The presentation reviewed OCR’s two recently issued reports to Congress. OCR is required to submit such reports under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The first report, “HIPAA Privacy, Security, and Breach Notification Rule Compliance,” examines the number and type of complaints received by OCR regarding HIPAA violations and the agency’s response. The second report, “Breaches of Unsecured Protected Health Information,” reviews breach notifications received by OCR and the agency’s response. The report also includes the agency’s first enforcement actions under the Breach Notification Rule.


Privacy Partner Dominique Shelton Authors Privacy Advisor Article on Hulu VPPA Case

Dominique Shelton, partner in Alston & Bird’s Privacy & Data Security practice and member of the Litigation and Trial Practice group, authored an article appearing on June 19 in International Association of Privacy Professionals’ (IAPP) Privacy Advisor titled, “Court Denies Class-Action in Hulu Case, But There’s More.” In the article, Shelton discusses the Hulu consumer class-action case that has been ongoing since July 2011. Shelton points out that any company that hosts video content on its website or mobile app and includes a “Like” button or other social networking plug-in should be following this case. The issue at hand is whether the technology associated with the “Like” button violates the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent. Because this case touches so many companies, it is an important one to follow. The case resurfaced in the news this week because the court denied the plaintiffs’ putative class-action lawsuit, without prejudice.


Angela Burnette and Julia Dempewolf Publish Article On Student Privacy and Preventing Campus Violence

Angela Burnette, Counsel at Alston & Bird, and Julia Dempewolf, an associate at Alston & Bird, have compiled practical guidance for schools and universities to consider regarding student privacy and the prevention of school violence. Their recent article, published by LexisNexis in Health Care Law Monthly, is entitled “Clarity Instead of Confusion: Available Solutions Under the HIPAA Privacy Rule and FERPA To Prevent Student Violence.”


Hulu: The Northern District of California Denies Class Certification without Prejudice on Grounds Class Not Ascertainable

Data privacy practices and related class action litigation continue to be super-hot topics that require close attention from companies. Brand damage, governance shakeups and congressional inquiries because of data practices should provide sufficient motivation to stay up-to-the-minute in these critical areas. This advisory examines the latest developments in the Hulu litigation involving alleged violations of the Video Privacy Protection Act. While a California federal district court has denied certification of a class of Hulu video service users, it left the door open for future class cases in this emerging area.

The full Cyber Alert is available here

Written by Kim Chemerinsky, Senior Associate, Privacy & Data Security | Alston & Bird LLP

ComScore Reaches $14 Million Settlement in Electronic Privacy Class Action

June 17, 2014 | Posted by Dominique Shelton & Kim Chemerinsky | Topic(s): Federal Trade Commission (FTC), Privacy, Class Action, Big Data

On May 30, 2014, comScore Inc. announced that it has reached a $14 million settlement in the largest class ever certified in an Internet privacy lawsuit, composed of users who claim that comScore installed analytics software on their computers and sold their personal data to media outlets without their knowledge or consent. ComScore, a publicly-traded company, faced upwards of $1 billion in liability under various federal statutes aimed at protecting consumer privacy. This made it one of the largest (if not the largest) privacy class actions certified in the country.


A+B Privacy Team Provides Analysis of California AG Privacy Report: New Best Practices Guidance Applies to all Businesses Collecting Personal Information from California Residents

In follow-up to our previous blog, California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies, regarding the release of the AG’s report, please see our recently released client advisory providing a detailed analysis of the new privacy guidance: California Attorney General Kamala Harris Releases Long-Anticipated Guidance Regarding Privacy Policy Notices. As conceived, the Report is designed to apply to all businesses, regardless of the country or state in which they operate, based on the California AG’s position that the California Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect personal information about California residents through their websites, online services or mobile apps, even if the business has no other connection to California.

Written by Dominique Shelton, Partner, Privacy & Data Security and Litigation and Trial Practice and Paul Martino, Partner, Privacy & Data Security and Legislative & Public Policy | Alston & Bird LLP

Transmitting PHI by Email

Email has become an important mode of communication for business operations, with approximately 100 billion business emails sent in 2013 alone. Included in these messages are patients’ personal and health information, such as test results, diagnoses, and social security numbers. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulate the transmission of this sensitive information, known as protected health information (“PHI”), by Covered Entities, and in some circumstances, Business Associates.


Privacy, Innovation and Big Data Forum Hosted by Alston & Bird

May 15, 2014 | Posted by Privacy & Data Security Team | Topic(s): Mobile Technologies, Privacy, Social Media, Tracking, Big Data

On March 25, Alston & Bird hosted a forum titled, “Privacy, Innovation and Big Data: What Does the Future Hold.” David Keating, Partner and Co-Chair of the Firm’s Privacy and Security Practice, hosted a panel discussion that included Peter Swire, Nancy J. and Lawrence P. Huang Professor, Scheller College of Business, Georgia Institute of Technology, Jerry Jones, Chief Ethics and Legal Officer at Acxiom, Cindy Liebes, Federal Trade Commission Southeast Region, and constitutional lawyer Gerald R. Weber. Click here to view a video of the event.

Written by Privacy & Data Security | Alston & Bird LLP

DOJ Issues White Paper on Cybersecurity Information Sharing Under the SCA

On Friday, May 9 the Department of Justice (DOJ) released a white paper stating that under its interpretation of the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., communications companies are permitted to disclose “non-content information to the government” as long as that information is in its “aggregate form.” The lynchpin of the DOJ’s analysis is whether the shared information identifies or provides information regarding particular subscribers or customers. Under that standard, data that “is aggregated but still provides information about a particular subscriber or customer” is prohibited from disclosure under the SCA. In releasing its white paper, the DOJ recognized that “information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats.” As such, “the private sector would benefit from a better understanding of whether the electronic communications statutes [DOJ enforces] prohibit them from voluntarily sharing useful cybersecurity information with the government.”


Google Must Scrub its Search Engine of Individual’s Personal Data, Court Rules

May 13, 2014 | Posted by Michael Young | Topic(s): Online Privacy, Privacy, Regulatory Enforcement

The European Court of Justice (“ECJ”) ruled today that Google may be compelled to remove search listings of web pages containing information about individuals.

Mario Costeja Gonzalez, a Spanish national, complained in 2010 to Spain’s data protection authority (“Spanish DPA”) about the inclusion of a newspaper article in Google search results that appeared when searching his name. Mr. Gonzalez asked the Spanish DPA to order Google to remove its links to the 1998 story, which revealed Mr. Gonzalez’s connection with the forced sale of real estate to recover debts. The Spanish DPA upheld Mr. Gonzalez’s complaint, taking the view that the failure to respect an individual’s desire for anonymity on the internet could be a violation of fundamental rights under European Union law. Google objected to the decision before Spain’s National High Court, which then referred the case to the ECJ for its interpretation of E.U. law.


Kim Peretti Quoted in Law360 Article “Post-Target Breach Laws Ratchet Up Pressure On Companies”

May 13, 2014 | Posted by Privacy & Data Security Team | Topic(s): US State Law, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Law360 article “Post-Target Breach Laws Ratchet Up Pressure On Companies.” The article discussed how Florida, Minnesota and several other states have moved to amend their data breach notification laws to tighten reporting timelines in response to the Target data breach and other high-profile intrusions. The amendments also expand on covered personal information, which adds pressure to companies that are trying to comply with a patchwork of state laws.

“We're definitely seeing the fallout from highly visible recent payment card breaches, especially the one at Target,” Peretti said. “States feel like they need to do something about it, and the developments are only continuing to fuel the already very active role that states are...taking in responding to data security concerns.”

Posted by Privacy & Data Security Team | Alston & Bird LLP

American Apparel Settles FTC Charge on Falsely Claiming Compliance with Safe Harbor Privacy Framework

On May 9, 2014, the Federal Trade Commission (the “FTC”) announced that American Apparel, Inc. (“American Apparel”) agreed to settle FTC charges that American Apparel falsely claimed it was compliant with the U.S.-European Union Safe Harbor (the “US-EU Safe Harbor Framework”).

The FTC’s complaint alleged that American Apparel, a clothing manufacturer and retailer with more than 200 stores worldwide, falsely represented on its website that it was a “current” participant in the US-EU Safe Harbor Framework, when it was not a “current” participant from June 2013 until December 2013 because it had allowed its certification to lapse during that time.


U.S. Court Requires Microsoft to Produce Data Stored in Ireland Pursuant to SCA Search Warrant

On April 25, a federal magistrate judge ruled that Microsoft must disclose to U.S. federal investigators the contents of a customer’s email account stored outside of the United States. Microsoft had previously complied with portions of a search warrant seeking certain other information related to the targeted email account, but the company moved to quash the warrant with respect to the production of customer emails stored in Dublin, Ireland. In a 26-page memorandum and order, Judge James C. Francis IV (Southern District of New York) rejected Microsoft’s arguments and held that the enforcement of the warrant with respect to the Irish emails was not an improper application of U.S. law outside of American territory.


Mobile Apps in the Spotlight during Upcoming GPEN International Privacy Sweep

On May 6, the Office of the Privacy Commissioner of Canada (the “Commissioner”) announced mobile apps as the Global Privacy Enforcement Network’s (“GPEN’s”) focus area during the upcoming International Privacy Sweep (the “Sweep”). The Sweep will be held from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world. The news release states that this year’s Sweep will aim at “shedding light on the collection and use of personal information on mobile apps.”


The White House Releases Report on Big Data

May 5, 2014 | Posted by Sheila Shah | Topic(s): Privacy, Big Data

On May 1, the White House released its much-anticipated report on the public and private collection and use of Big Data, “Big Data: Seizing Opportunities, Preserving Values.” Authored by a group led by White House counselor John Podesta, the report emphasizes the benefits of Big Data while cautioning against uses of Big Data that could erode prevailing privacy principles. Although the report focuses primarily on state, federal and law enforcement uses of Big Data, the report also urges players in the private digital ecosystem to increase consumer transparency with respect to Big Data collection. More specifically, the report recommends that industry players consider the following items when making decisions regarding their Big Data regimes:

Read More