Sei Unno Associate Editor Loyola University Chicago School of Law, JD 2019 Facial recognition has become mainstream, whether the laws are ready or not. Video games are using facial recognition to check the ages of their users and cars are being equipped with technology to identify drivers who are fatigued or distracted. In the U.S., states …
In a world where our reliance on technology and the cloud is increasing exponentially, data security’s growth has stagnated. The European Union (EU) passed the General Data Protection Regulation (GDPR) in hopes of ensuring that consumer data is protected and not harbored by businesses. The effects of the GDPR, however, have passed the borders of the European Union. In a world where our actions extend internationally with just the click of a button, the GDPR’s impact circles the globe as well. The GDPR has pushed for a shift in data privacy and regulation for companies within and outside of the EU as it holds to protect European citizens, no matter where they are in the world. This international reach has not only created forces to drive U.S. companies to comply, but states within the U.S. are now creating GDPR-inspired laws to protect their own citizens. The GDPR has started a trend that will soon become the norm and finally push compliance to keep up with the exponential growth of technology.
The IRS has decided to shutdown its Offshore Voluntary Disclosure Program (OVDP) on September 28, 2018. The program offers amnesty from criminal prosecution and a set penalty structure for those who have previously failed to disclose foreign bank accounts and other foreign assets, including those held through undisclosed foreign entities. Failure to disclose could include failure to file the annual FinCEN Form 114,most commonly referred to as the foreign bank account report or “FBAR”, as well as the failure to report income from such accounts and assets on tax returns and the failure to provide various other foreign information forms and returns.
Compliance standards in the United States come from the laws and policies enacted by the government and its related agencies. Administering U.S. standards on foreign institutions, public or private, poses a unique challenge. Our public and private companies are held accountable by federal, state, local, or agency rules, as well as the guidelines providedby the United States Sentencing Commission. But foreign organizations, in theory, have no real obligation to follow our lead. There have been several notable attempts in recent years to enact legislation on foreign organizations and impose sanctions for noncompliance, and it is likely a continuing trend as the compliance industry grows.
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
On October 26, 2017, the United States government released files relating to the assassination of President John F. Kennedy and the investigation that followed. The majority of the documents generated by the investigation – about 88% of all FBI, CIA, and other agencies’ files – have been available for years, but the rest of the documents were due to be released this year. On the recommendation of the investigatory agencies, President Trump decided to keep some of this remaining information redacted due to “national security, law enforcement, and foreign affairs concerns.” Speculation as to the contents of these documents and the reasons for redacting secure information have renewed a continuing discussion about what information the public should be privy to and how this information can be accessed.
Google answered Amazon’s Echo Dot by recently launching their own pint-sized smart speaker, the Google Home Mini. Recently, Google was forced to disable one of the features on the Home Mini after it was discovered that a technical glitch led to near 24/7 audio recording. Google responded quickly and appropriately, investigating the cause and quickly releasing an update to disable the hardware responsible for the glitch. The Equifax hack – a breach of personal data including social security numbers, driver’s license information, and other credit details – exposed nearly half the country and waited months to respond. Upcoming European legislation that can significantly impact American companies with European Union clients may be part of the reason for their drastically different responses.
In the last month, multiple large-scale data breaches were reported by various entities, with 3 breaches reported in the past week alone. Unfortunately, even the most well-known entities do not stand a chance against increasing technological abilities of bad actors. Since the Equifax breach in early September, Whole Foods, Sonic, Deloitte and the Securities Exchange Commission, among others, had similar large-scale breaches affecting consumers across the country.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the United States government to obtain access to the communications (e.g. emails) of non-U.S. citizens without a warrant. The rationale behind the law is its potential for use in gathering intelligence on potential terrorists and potential terrorist activity. The law has become controversial because intelligence on U.S. citizens has incidentally occurred as well, as emails and phone calls from U.S. citizens have been contained in intelligence-storing databases. As the law expires at the end of 2017, Congress is considering changing the ways intelligence is collected pursuant to the collection procedures stipulated under the law.
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT—and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, one of vital interest to regulatory lawmaking bodies as well.