

EU’s Article 29 Working Party Releases Opinion on Internet of Things Protections

The European Union’s Article 29 Data Protection Working Party (WP29) adopted an opinion (the Opinion) on September 16, 2014 regarding data protection within the Internet of Things (IoT). Recognizing the rapid growth of the IoT, the Opinion responds to emerging data privacy concerns within the IoT, and provides recommendations for stakeholder compliance with EU data protection laws.


Alston & Bird's Dominique Shelton Presents Panel On Omnichannel Innovation At National Retail Federation's Summit 2014 In Seattle, WA

October 15, 2014 | Posted by Shah, Sheila | Topic(s): Online Privacy, Marketing, Privacy, Mobile Privacy, Big Data

On October 1, Alston & Bird Partner Dominique Shelton and entrepreneur Maria Fernandez presented a panel on Omnichannel retailing, a marketing method that mixes physical and digital channels to create an innovative and unified customer experience, at the National Retail Federation’s 2014 Summit in Seattle, Washington.


HIPAA/HITECH Act Accounting of Disclosures NPRM: Redux?

In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). HHS also proposed to expand the accounting provision to provide individuals with the right to receive an access report of all uses and disclosures of electronic PHI in a designated record set. Additionally, the proposed rule would have shortened the time period for which covered entities and business associates must account for disclosures (and provide an access report) to three years (instead of six years). However, the proposed rule would also have shortened the period of time which such entities have to respond to a request for an accounting (or for an access report) from 60 days to 30 days. We blogged about the proposed rule here, and issued an advisory which provides a section-by-section analysis of the proposed rule. The proposed rule generated significant comment, was criticized as impractical, and has not been finalized by OCR.


Alston & Bird’s Dominique Shelton Moderates Privacy Panel for Lex Mundi in Paris

October 3, 2014 | Posted by David Caplan | Topic(s): Advisories, Online Privacy, Privacy, Mobile Privacy

On September 26, 2014, Alston & Bird co-sponsored a privacy panel at the Lex Mundi IP conference in Paris, France. Moderated by Dominique Shelton, the panel featured speakers from Scripps Interactive Network, Roche Diagnostics, Jackel International, and GE.


New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws.  The bill:  (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception.  The bill will become effective January 1, 2015.  Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.  


Laboratories Must Comply with New HIPAA Patient Access Rules by October 6, 2014

September 28, 2014 | Posted by Dempewolf, Julia | Topic(s): Health Privacy, Privacy, Health Insurance Portability and Accountability Act (HIPAA), Regulation

HIPAA covered laboratories and hospitals with laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) must comply with changes to the HIPAA Privacy Rule that provide patients with direct access to laboratory test results by October 6, 2014. Earlier this year, the Centers for Medicare & Medicaid Services, the HHS Office for Civil Rights and the Centers for Disease Control and Prevention published a final rule amending the CLIA regulations and the HIPAA Privacy Rule to provide patients with greater access to their lab test results. As we previously blogged, patients may now request test reports directly from CLIA labs. As amended, the CLIA regulations, which are now effective, permit a CLIA lab to provide, upon request, a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports that, using the lab’s authentication process, can be identified as belonging to that patient. Beginning October 6, 2014, the Privacy Rule amendments (which eliminated an exemption for PHI held by CLIA labs) require HIPAA covered CLIA labs to provide individuals and/or their personal representatives with access to protected health information (“PHI”) about the individual maintained in a designated record set under the Privacy Rule provisions establishing the individual’s right of access to PHI (“access rights”). Thus, the combination of the two provisions now requires most CLIA labs to provide test results (and any other PHI they maintain) when requested by the patient. Labs that are not covered by HIPAA may provide a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports, but are not required to do so.
(For more information on the final rule and how the new requirements interact with the Privacy Rule’s requirements for verification of the identity and authority of those exercising the access right, please see our February 6, 2014 blog post referenced above.)


WP29 Announces a Common “Tool-Box” Approach to Handling of Complaints under the Right to be Forgotten

September 18, 2014 | Posted by Maki DePalo | Topic(s): European Union (EU), International, Privacy, Data Protection

On September 18, 2014, the Article 29 Working Party (the “WP29”) issued a press release announcing that the European data protection authorities agreed on a common “tool-box” approach to handling complaints lodged due to search engines’ refusal to remove complainants’ entries from their search results.


HHS OIG Releases Report Regarding ONC’s Oversight of Testing and Certification of Electronic Health Records

The HHS Office of Inspector General (OIG) recently issued a report regarding the Office of the National Coordinator for Health Information Technology’s (ONC) oversight of electronic health record (EHR) testing and certification, “The Office of the National Coordinator for Health Information Technology’s Oversight of the Testing and Certification of Electronic Health Records.”


Kim Peretti authors Bloomberg BNA article on Cyber Threat Intelligence and Information Sharing

September 5, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, authored (with contributions from associate Lou Dennig) the Bloomberg BNA article, “Cyber Threat Intelligence: To Share or Not to Share—What Are the Real Concerns?” In the article, Peretti discusses the importance of exchanging cyberthreat information and the concerns relating to information sharing, and provides guidance for companies on mitigating the potential risks of this information sharing.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird Hosting Event: The Evolving Cyber Insurance Market: Key Issues and Challenges

September 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Data Security, Cybersecurity, Privacy, Department of Homeland Security (DHS)

Kim Peretti, partner and co-chair of the firm’s Security Incident Management and Response Team, will moderate a panel discussion during this September 11 event. The featured speakers are Tom Finan, Senior Cybersecurity Strategist and Counsel with the U.S. Department of Homeland Security, and Sean Hyatt, counsel in the firm’s Litigation & Trial Practice Group and a member of the Insurance Litigation & Regulation Team.


FTC seeks public comment on AgeCheq Inc.’s application for approval of proposed verifiable parental consent method

On August 25, 2014, the Federal Trade Commission (“FTC”) issued a notice, to be published in the Federal Register, announcing the FTC’s request for public comment on a proposed verifiable parental consent method. The method has been submitted for approval by AgeCheq, Inc. under the Children's Online Privacy Protection Act and the rules promulgated thereunder.


Kim Peretti Interviewed by BankInfoSecurity

August 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy, Data Breach, Privacy Policy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was interviewed by BankInfoSecurity about what boards must know about security issues and how to keep directors risk-aware.

In the interview, titled “Cybersecurity: What Boards Must Know,” Peretti discusses what directors don't know about security, the pre- and post-breach responsibilities of boards, and how to educate the board - and when. "[Boards] have an awareness of the threat out there," Peretti said. "But what they're struggling with - what they don't know - is what is the risk that the [threat] has to any particular organization, how do you mitigate that risk, and how do you respond to it?"


CDD Urges FTC to Investigate 30 Companies for Alleged Safe Harbor Violations

The Center for Digital Democracy (“CDD”), a private consumer privacy advocate, recently filed a complaint and “request for investigation” before the Federal Trade Commission (“FTC”) accusing 30 U.S. companies of violating provisions of the Safe Harbor framework. The 118-page complaint, filed August 14th, urges the FTC to take legal action against the companies, including Adobe Systems, AOL, and Salesforce.


FTC Issues Study on Mobile Shopping Apps Reviewing Pre-download Disclosures

On August 1, 2014, the Federal Trade Commission (“FTC”) issued a study called “What’s the Deal? An FTC Study on Mobile Shopping Apps,” with recommendations concerning pre-download disclosures. FTC staff surveyed and reviewed 121 mobile shopping apps that fell into three categories: price comparison apps, deal apps, and in-store purchase apps. FTC staff focused their analysis on (1) the in-store purchase apps’ pre-download disclosures concerning payment disputes, and (2) all of the surveyed apps’ pre-download disclosures concerning how the apps collect and handle consumer data.


Dominique Shelton Named Most Influential Lawyer in Digital Media and E-Commerce Law by Los Angeles Business Journal

July 31, 2014 | Posted by Privacy & Data Security Team | Topic(s): Data Security, Privacy

Dominique Shelton, partner in the firm’s Litigation & Trial Practice and Privacy & Data Security Groups, was recently included by the Los Angeles Business Journal in its inaugural “Most Influential Lawyers: Digital Media and E-Commerce” list.

The list recognizes 30 Los Angeles attorneys who have demonstrated outstanding achievements in digital media and e-commerce law. Shelton is noted as one of the top practitioners in her field, advising clients on “cutting-edge” legal issues and “representing companies in a variety of industries and service sectors, including digital sales and marketing, advertising, wireless/mobile Internet, lead generation, manufacturing and electrical, software, telecommunications and television.”

Posted by Privacy & Data Security Team | Alston & Bird LLP