Privacy and Data Security

HHS Office of Inspector General Calls for Increased Oversight and Enforcement of HIPAA

On September 29, 2015, the U.S. Department of Health and Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two studies calling on the HHS Office for Civil Rights (OCR) to strengthen its efforts in both general enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards and enforcement of security breach reporting requirements. OIG commissioned both studies out of concern for the increased risk of an invasion of privacy and exposure to fraud, identity theft and other harm that patients face in an ever-expanding digital health environment.

Read the full On the Subject.

Safe Harbor Not Binding! European Court of Justice Bares Its Teeth

In its decision of October 6, 2015 (file no. C-362/14), the European Court of Justice (ECJ) held that the commonly used Safe Harbor Principles, previously deemed a safe way to legally transfer data to the United States, are not binding on national data protection authorities. Thus, after this judgment, the harbor is no longer “safe.” The court’s decision causes great difficulties for a wide range of internationally operating companies that regularly transfer personal data to their U.S. parents.

The Facebook Case

In this case, the ECJ had to decide whether the national Irish data protection authority could independently investigate and assess a complaint from an Austrian citizen who claimed that the Irish subsidiary of Facebook illegally transferred his personal data to the United States and illegally stored it on a U.S. server. The Irish data protection authority rejected the complaint on the grounds that Facebook had committed to abide by the Safe Harbor Principles. Based on a decision of the European Commission of July 26, 2000, a data transfer to a company that had committed to the Safe Harbor Principles, which were developed by the U.S. Department of Commerce, was considered under European law to be “safe” (i.e., an adequate level of data protection was guaranteed). As Facebook met these standards, the transfer to Facebook’s U.S. server should have been considered absolutely safe and thus legal, given the European Commission’s decision.

Reasoning of the Decision

This held true until October 6, when the ECJ clearly rejected the widely used Safe Harbor practice, long regarded as secure, despite the European Commission’s decision in 2000. The judges criticized several aspects of the Commission’s decision.

First, the ECJ found that the European Commission lacked the authority to make a binding decision on behalf of the national data protection authorities about whether companies that had committed to abide by the Safe Harbor Principles met the required standard for a legal transfer. In addition, the ECJ emphasized that the European Commission failed to properly consider in its decision that, in case of a conflict of laws, U.S. law supersedes the Safe Harbor Principles. Last but not least, the European Commission did not consider the key fact that U.S. government authorities are effectively granted unrestricted access to any data transferred to the United States (as the National Security Agency (NSA) scandals exposed by Edward Snowden have shown). The ECJ objected that these authorities were not covered, and even more importantly not bound, by the Safe Harbor Principles. Also, the court noted that the individuals concerned had no administrative or judicial means of learning what data about them was stored or of compelling its deletion.

What Does This Ruling Mean – in the Facebook Case and in General?

For the reasons above, the ECJ required the Irish state authority to examine the Facebook complaint with due diligence and, at the conclusion of its investigations, to decide irrespective of the Safe Harbor Principles whether the transfer of the data of European Facebook users [...]


Any Port in a Storm? EU-US Data Transfers After Schrems and Safe Harbor

Last week, the Court of Justice of the European Union (CJEU) gave an important data privacy ruling, which any business transferring personal data between the EU and US should know about – particularly those that have made use of the “Safe Harbor” scheme for data transfer, which the CJEU has now ruled to be invalid.

Read the full UK Employment Alert.

Digital Due Diligence: Uncovering Violations in China

China’s current compliance challenges are a continuous source of concern for multi-national companies operating in China. When conducting internal investigations, companies must account for China’s strong privacy protections for employees. Overstepping legal limits can lead to a variety of issues, from inadmissibility of evidence to tort actions, to criminal penalties in extreme cases.

For more about the multiplicity of issues and how to correctly conduct internal investigations and digital due diligence in China, read the full article in International News: Focus on Private Equity.

With No Federal Law in Sight, States Continue to Refine Their Own Data Privacy Laws

With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.

Read the full post here.

Privacy and Security Concerns for Employee Benefit Plans with Service Provider Relationships

Recent cyber-attacks on health insurers have heightened awareness that sensitive participant and beneficiary information may not be adequately secure. There will undoubtedly be other attacks on databases maintained by service providers to employee benefit plans, which raises an important question for Employee Retirement Income Security Act of 1974 (ERISA) fiduciaries: what should be done now to protect participant and beneficiary information entrusted to service providers against future attacks and unauthorized disclosure? While the extent of a fiduciary’s responsibility to protect personal identifiable information of participants and beneficiaries is unclear, the fiduciary provisions of ERISA can be interpreted to impose a general duty to protect this information when it is part of a plan’s administration. In addition, plan fiduciaries also may have obligations under other federal and state laws governing data privacy and security that are not preempted by ERISA. This article addresses the nature of the problem, identifies the types of data breaches that can occur with employee benefit plans, provides an overview of relevant law that may apply, and sets forth practical steps that can be taken by plan fiduciaries with service providers to address privacy and security concerns.

Click here to read the full article from Benefits Law Journal.

Data Breach Insurance: Does Your Policy Have You Covered?

Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.

On May 18, 2015, the Connecticut Supreme Court unanimously affirmed a state appellate court decision that an IBM contractor was not insured under its CGL for the $6 million in losses it suffered as the result of a data breach of personal identifying information (PII) for over 500,000 IBM employees. The contractor lost computer backup tapes containing the employees’ PII in transit when the tapes fell off of a truck onto the side of the road. After the tapes fell out of the truck, an unknown party took them. There was no evidence that anyone ever accessed the data on the tapes or that the loss of the tapes caused injury to any IBM employee. Nevertheless, IBM took steps to protect its employees from potential identity theft, providing a year of credit monitoring services to the affected employees. IBM sought to recover more than $6 million in costs it incurred for the identity protection services from the contractor, and negotiated a settlement with the contractor for that amount.

The contractor filed a claim under its CGL policy for the $6 million in costs it had reimbursed to IBM. The insurer refused to pay. In subsequent litigation with the contractor, the insurer made two main arguments. First, it argued that it only had the duty to defend against a “suit,” and that the negotiations between the contractor and IBM were not a “suit.” Second, the insurer argued that the loss of the tapes was not an “injury” covered by the policy.

The Connecticut Supreme Court adopted both of the insurer’s arguments, and the decision highlights two key areas for any company considering whether it needs additional insurance coverage for data breaches: what constitutes an “injury” under a CGL, and when an insurer is required to reimburse a company for costs associated with an injury. First, the court held that the loss of the computer tapes was not a “personal injury” under the CGL, because there had been no “publication” of the information stored on the tapes. In other words, because there was no evidence that anyone accessed or used the stolen PII, the court found that the data breach did not constitute a “personal injury” under the policy—even though the contractor spent millions of dollars reimbursing IBM for costs associated with the data breach.

Second, the court found that the CGL policy only required the insurer to reimburse [...]


OCR Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys

HIPAA covered entities have reported that the HHS Office for Civil Rights recently sent pre-audit screening surveys to a pool of covered entities that may be selected for the previously delayed second phase of HIPAA compliance audits. This On the Subject describes the phase two audit program and identifies steps that covered entities and business associates should take to prepare for these audits.

Read the full article.

Update on State Breach Notification Laws

In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high-profile data breaches reported in the media. This activity at the state level seems to indicate that protecting consumers from data breaches is one area where Democrats and Republicans can find common ground.

From the text of these bills, some of which have already become law, we see two emerging trends: (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.

Here are developments in three states reflecting these emerging trends:

Wyoming

In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.

In particular, Wyoming’s definition of personal information will now include the following:

  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • A birth or marriage certificate;
  • Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
  • Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
  • Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
  • An individual taxpayer identification number.

These changes to Wyoming law will become effective July 1, 2015.

Montana

Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance. Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach. Entities must provide notice to state regulators simultaneously with consumer notices.

The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS. The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from [...]


McDermott to Host Benefits Innovators Roundtable Series – May 19 in New York City

McDermott Will & Emery will be holding the next invitation-only Benefits Innovators Roundtable series in our New York office on May 19, 2015. These roundtables offer senior, experienced professionals an opportunity to discuss employer-provided benefits best practices with peers and experienced McDermott employee benefits lawyers. Previous events in this series have led to spirited discussions on a broad range of cutting-edge topics.

This session’s topics will include:

  • Lawsuits by health service providers
  • Hot issues in data privacy
  • Brainstorming sessions on: the U.S. Supreme Court’s 2015 term (including King v. Burwell), legislative proposals, 401(k) issues and recent U.S. Department of Labor actions.

If you are interested in attending, please contact Donna Baker.
