Privacy & Security
On March 12, 2019, the Department of Justice (“DOJ”) announced revisions of the Corporate Enforcement Policy in the Foreign Corrupt Practices Act. The changes now require company oversight of ephemeral messaging apps used by any employee, stock holder, or agent who discusses business records via the messaging platform. Publicly traded companies must now establish internal compliance policies to review use of ephemeral messaging services, provide ongoing oversight of the messaging services, and may want to completely prohibit the use of such messaging apps for business purposes.
Cook County General Administrative Order 18-1 pertains to the Standard HIPAA Qualified Protective Orders (QPO) that will be permitted in Cook County. These orders will only be allowed for cases that are in litigation where the Plaintiff and Plaintiff’s counsel authorize disclosure of a litigants’ protected health information (PHI). It also requires all entities who received PHI to either return the documents to the Plaintiff or destroy them at the end of the case. These changes mean that Plaintiff’s attorneys will see a change in the handling of Plaintiff’s medical records and other documents covered under the QPO containing PHI.
The Federal Trade Commission (“FTC”) recently proposed two amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security system. This rule went into effect in 2003. The Privacy Rule requires financial institutions to inform customers about its information-sharing practices and allows customers to opt out of having their information shared with certain third parties. This rule went into effect in 2000. The recent amendments to these two rules are intended to further protect consumers’ data from third parties. However, the changes could also adversely affect businesses.
On March 1, 2019, the College of Healthcare Information Management Executives (“CHIME”) sent a six-page letter to Congress which discussed how technology has impacted health care costs. CHIME believes that too much money is being allocated towards making sure that health care organizations are complying with the Office of Civil Rights (“OCR”) and the Department of Health and Human Services (“HHS”) requirements, while not enough resources are being given towards actually protecting against cybersecurity attacks. The letter contains multiple suggestions in which patient data could be better protected, such as incentivizing health care organizations to implement more cybersecurity safety measures. However, many of CHIME’s proposals would require Congress to amend multiple provisions in acts, such as the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).
In 2014, Congress passed the Sunscreen Innovation Act in the hopes of encouraging innovation for new sunscreen ingredients. Recently, the United States Food and Drug Administration (FDA) proposed new regulations regarding over-the-counter sunscreens to keep up with recent scientific and safety information. This proposal will be available for ninety days from its announcement on February 21, 2019, and addresses safety concerns of common sunscreen ingredients. Further, the proposal addresses the labeling of sunscreen, trying to make it easier for consumers to identify the product information. While this proposal seeks to alleviate safety concerns, the regulation could potentially make it more difficult for new ingredients to be approved.
In March 2019, Rush University Medical Center (“Rush University”) sent out breach notification letters to approximately 45,000 patients. The letter advises patients that a privacy incident occurred that may have involved the patients’ personal information. The privacy incident was caused by an employee of a third-party financial services vendor. The employee released a file that contained patient information to an unauthorized person. According to the breach notification letter, law enforcement and regulatory officials were involved in the investigation of the privacy incident. Rush University sent the breach notification letter in compliance with the Health Insurance Portability and Accountability Act’s privacy and security rules.
On January 29, 2019, TechCrunch released an investigation finding that Facebook had been paying users as young as 13 for unlimited access to their data. Facebook marketed the application, not available through the iOS app store, to users aged 13-to-35 by offering to pay $20 per month plus referral fees for downloading and using a “Facebook Research” app. The app, once downloaded, provided Facebook with unrestricted access to all private data on the users iPhone including messages, photos and videos, and website usage. This was not the first app launched by Facebook to track user’s data, Apple removed a similar app called Onavo from the app store in 2018. This app is a clear violation of the 2011 consent decree Facebook signed with the Federal Trade Commission.
Ever since the Facebook and Cambridge Analytica scandal, concerns surrounding data privacy and protection have been growing. Both government agencies and individual users have particularly been concerned on how their data is being collected and used on social media websites such as Facebook. Germany has taken action in response to such concerns and recently took a step against Facebook’s collection of data in a decision that outlawed Facebook’s entire advertisement regime.
With the recent change of New York’s abortion law, legislators granted women the affirmative right to abortions under the state’s public-health law. Under the Reproductive Health Act, restrictions on abortion past twenty-four weeks are removed legalizing abortion up until the day of birth. This bill was passed on the 46th anniversary of the Roe v. Wade decision. The new bill comes as a reaction to the confirmation of conservative Supreme Court Justice Brett Kavanaugh, giving protection to women’s access to abortion if Roe v. Wade is overturned. Proving to be very controversial, the change has advocates and critics at odds with its potential future effects.
New data privacy regulations entail questioning both current and future technologies. Recently, Amazon has introduced a store concept that eliminates everyone’s least favorite things about shopping, long lines and small talk. Amazon Go is the grocery store of the future and these stores allow consumers to walk in, pick up the items that they need, and then walk right back out. That’s it. No long lines, no cashiers, no shopping carts. However, as great as this concept seems, there are still concerns from a data privacy standpoint as Amazon needs to collect personal data from its consumers in order to be able to lawfully execute these checkout-less stores.