Privacy and Data Security Archives - Page 6 of 22

Background Checks: The Advent of the New California Employment Class Action

by Chris Braham, Yesenia M. Gallegos, Maria C. Rodriguez and Marjorie C. Soto Garcia | Jul 28, 2020 | Employment, Privacy and Data Security

Class action litigation brought under the Fair Credit Reporting Act (FCRA) is on the rise—particularly in California—after the US Court of Appeals for the Ninth Circuit issued a 2017 decision applying a hypertechnical approach to the FCRA’s disclosure requirements. Background checks are an integral part of the hiring process, but they open employers up to lawsuits for noncompliance with disclosure or adverse action requirements. Plaintiffs’ firms are turning their attention to these cases because of the potential for statutory and actual damages, punitive damages, costs and attorneys’ fees.

Please join us for a complimentary webinar Thursday, July 30 as we discuss strategies to help employers avoid and defend these claims.

Learn more and register.

Worker Safety, Privacy Clash as Temperature Checks Become Norm

by Michael J. Sheehan | Jun 18, 2020 | Employment, Privacy and Data Security

Employers are poised to collect health data from their workforces daily as they adopt temperature checks and other screening protocols to fight the coronavirus, triggering concerns about workers’ privacy and whether the practices will continue beyond the pandemic.

“The temperature checks give employees and customers the feeling of safety and the idea that the company is doing everything possible, even if the screenings don’t protect the workplace,” said Michael Sheehan, a partner with McDermott Will & Emery, in a recent Bloomberg Law article.

Access the full article.

COVID-19: FAQs on Employees Experiencing Symptoms and Employee Absences

by Michelle S. Strowhiro | Jun 8, 2020 | Employment, Health and Welfare Plans, Privacy and Data Security

With rapid developments in local, state and federal guidance and law, the appropriate approach for each employer in relation to COVID-19 will vary depending on the nature of their work, the industries served and their location and size, among other considerations. This article outlines what employers need to know about employees experiencing symptoms and employee absences.

Access the full article.

Five Reasons Why Telehealth Is Here to Stay (COVID-19 And Beyond)

by Lisa Schmitz Mazur | Jun 2, 2020 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

Telehealth is no longer just a nice-to-have, but instead a must-have for patients and healthcare professionals alike during the COVID-19 pandemic. Lisa Mazur, partner at McDermott Will & Emery specializing in the digital healthcare space, is quoted in a recent Forbes article about why telehealth is here to stay: “Telehealth was already experiencing significant momentum and growth prior to this public health emergency, and its continued trajectory has been solidified by the vital role it is playing in care delivery today.”

Access the full article.

The Rise of Facial Recognition Technology: Mapping the Legal Framework

by Ashley Winton | Mar 10, 2020 | Privacy and Data Security

In January 2020, the Supreme Court decided it would not hear the issue of whether Facebook broke the law in Illinois when it instituted a photo-tagging feature that honed in on users’ faces and tagged them without their consent, and Facebook has now settled with the users for $550 million. The Illinois law is part of a patchwork of laws applicable to facial recognition technology (FRT).

McDermott’s Ashley Winton contributes to the second installment of a three-part article series on FRT. This article examines the applicable legal framework and regulatory guidance, including intellectual property rights, general privacy legislation, specific state biometric data laws and more.

Access the full article.

Originally published on Cybersecurity Law Report, February 2020

HIPAA Boss Sees ‘Low-Hanging Fruit’ Ripe For Enforcement

by Edward G. Zacharias | Feb 18, 2020 | Health and Welfare Plans, Privacy and Data Security

Healthcare providers and insurers are still making tons of rookie mistakes on patient privacy, turning themselves into easy enforcement targets, according to Roger Severino, director of the US Department of Health and Human Services.

Severino made headlines in 2017 for expressing interest in punishing a “big, juicy, egregious” privacy breach, and seemingly followed through with a $16 million settlement stemming from Anthem Inc.’s megabreach involving 79 million patients. But, an emphasis on smaller violations makes sense in light of the OCR’s recent acknowledgement of limits on its penalty powers, said Edward G. Zacharias, a McDermott partner.

Access the full article.

Originally posted on Law360, February 2020

4 Ways to Manage Retirement Plan Data in New Era of Cybersecurity

by Mark E. Schreiber | Jul 9, 2019 | Employee Benefits, Privacy and Data Security, Retirement Plans

IBM estimated last year that data breaches cost companies $148 per stolen record. Given that, not surprisingly, many employers have grown increasingly concerned about the potential impact of such breaches, including breaches that may affect employer-sponsored benefit plans.

Courts have not yet formally addressed whether ERISA requires benefit plan fiduciaries to manage cybersecurity risks. However, a federal district court recently rejected a motion to dismiss filed by defendants seeking to avoid liability for fraudulent distributions from a plan caused by cyber criminals. There, the court held that the defendants were plan fiduciaries and that the plaintiffs had pled facts sufficient to allege that the defendants breached their fiduciary duties. Although this decision only relates to a motion to dismiss, the case underscores the potential for plaintiffs to assert, even in the absence of clear guidance, that plan fiduciaries are not doing enough to protect plan participants from cybersecurity risks.

As a result, with cybersecurity concerns on the rise, plan fiduciaries are continuing to enhance their focus on the best ways to protect employee data. Recently, on Law360, McDermott’s Mark E. Schreiber discussed four helpful tips for handling cybersecurity risks.

Access the article.

2018 Digital Health Data Developments – Navigating Change in 2019

by McDermott Will & Emery | Feb 14, 2019 | Privacy and Data Security

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

GDPR 6 Months After Implementation: Where are We Now?

by Amy C. Pimentel and Mark E. Schreiber | Nov 13, 2018 | Privacy and Data Security

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers). (more…)

7 Tips to Avoid Compliance Missteps During Open Enrollment

by Jacob Mattinson and Megan Mardy | Nov 6, 2018 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

One of the busiest times of year for an employee benefits professional is open enrollment. It is a crucial and yet stressful time of year that typically results in numerous employee questions and complaints and is a time of year with high potential for both employer and employee mistakes. Despite the stress and potential for problems, open enrollment provides an opportunity for a company to set itself up for success for the following year.

The Employee Retirement Income Security Act (ERISA) does not require an annual opportunity for employees to change benefit plan elections. However, because of compliance issues that can spring from not offering a regular enrollment period, most companies choose to offer an “open enrollment” period, usually taking place in mid- to late fall for calendar-year health and welfare benefit plans.

Employee attention to employer communications during this period is often high, and attention to detail in participant communications behooves an employer during this period. Well-written and timely notices may be relied upon to satisfy many compliance obligations. Inaccurate or incomplete open enrollment materials, however, can create employee confusion and result in legal liability under the complex network of federal laws governing employer-sponsored benefit programs.

Read the full article here for a sampling of key issues to consider to help you avoid compliance missteps during this year’s open enrollment period.

Originally published in BenefitsPRO.com, October 2018.