Privacy & Security
In a world where our reliance on technology and the cloud is increasing exponentially, data security’s growth has stagnated. The European Union (EU) passed the General Data Protection Regulation (GDPR) in hopes of ensuring that consumer data is protected and not harbored by businesses. The effects of the GDPR, however, have passed the borders of the European Union. In a world where our actions extend internationally with just the click of a button, the GDPR’s impact circles the globe as well. The GDPR has pushed for a shift in data privacy and regulation for companies within and outside of the EU as it holds to protect European citizens, no matter where they are in the world. This international reach has not only created forces to drive U.S. companies to comply, but states within the U.S. are now creating GDPR-inspired laws to protect their own citizens. The GDPR has started a trend that will soon become the norm and finally push compliance to keep up with the exponential growth of technology.
The EU General Data Protection Regulation (“GDPR”) is now in effect as of May 25, 2018, and has been a prominent topic of international debate across multiple sectors as companies look to adjust to new stringent regulations in data management. With a wide scope (the GDPR now applies to all organizations possessing personal data of individuals based in the EU) and steep penalties for companies that fail to comply, companies across the globe are spending millions of dollars in preparation.
While the legal community has spent much of the last year exhaustively dissecting the European Union’s new General Data Protection Regulation (GDPR), nearly half of businesses in the United States are still not compliant with standards governing the collection, storage, and disposal of payment (credit/debit) card data. Businesses of all sizes should work to ensure that they understand and are in compliance with these standards, or risk significant exposure in the event of a payment card data breach traced back to their organization.
With the increased integration of laptops, cellphones, and tablets in both work and personal life, many companies have started adopting a “bring your own device” (BYOD) policy into employment protocols. BYOD policies allow employees to use their personal device for work, removing the need for employers to provide work devices. Although BYOD policies allow for easy transition from home to work, they increase security risks for employers. BYOD policies create differing advantages and disadvantages for employees and employers; thus, it is important that they are carefully assessed before implementation. If a BYOD policy is adopted, strict regulation and oversight of company policies and procedures is required.
An increasing number of companies are providing fitness trackers for their employees as a part of their benefits package. The use of fitness trackers has been steadily growing over the past few years, and is predicted to hit a shipment size of 240.1 million devices by 2021. Even though the popularity of these fitness trackers has boomed, their compliancy with HIPAA has not kept up with them as quickly. A few companies that make fitness trackers have become HIPAA compliant, such as Fitbit and Apple. However, some companies have remained silent as to whether they are or plan on becoming compliant. While fitness trackers have been shown to have an overall positive effect in corporate wellness programs, corporations should remain up to date with how to keep their employees’ health information secure as well as ensure that the fitness tracker that they are providing is HIPAA compliant.
Recently, Google added new functionality to the Google Arts & Culture app that allows users to snap a selfie and find artwork from around the world that resembles the user. The app very quickly rose to the top of the charts as users around the United States took plenty of photos. Almost everywhere around the United States at least. Illinois and a few other states have laws that prohibit the collection or use of biometric (iris, fingerprint, etc.) data by businesses except under certain circumstances. The Google Arts & Culture app uses biometric data to compare a user’s image to the Mona Lisa (or any other portrait).
The Trump administration has established a new division within the Department of Health and Human Services (HHS) called the Conscience and Religious Freedom Division. The stated purpose of this office is to “restore federal enforcement of our nation’s laws that protect the fundamental and unalienable rights of conscience and religious freedom.”
One day after the creation of this division, HHS proposed a new rule, providing further protections to healthcare workers who object to providing certain types of care to patients—including elective sterilization, gender reassignment surgery, or emergency contraception—based on their personal religious beliefs. Additionally, the Trump administration issued a new directive, reversing an Obama administration directive which prohibited states from refusing to send federal funds to qualified providers. This new division, new rule, and new directive serve to ensure the already-existing rights of physicians, nurses, and healthcare staff at the expense of their patients.
The disclosures of major security breaches in 2017 such as Verizon, Equifax, Uber, the National Security Agency and the Transportation Safety Administration increased consumer concern about the safety of their personal and financial data. These disclosures also contributed to renewed Congressional analysis of data security standards in the financial services sector and review of current federal and state regulatory regimes. Insider cyber threats have become security remains a threat as well. In August 2017, the Securities and Exchange Commission (“SEC”) announced insider trading charges against seven individuals who gained access to confidential merger and acquisition data through a technology consultant’s misuse of an investment bank’s new computer system. State actions, governmental agencies and the financial services industry are actively combatting the growth of cyber-security threats.
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
Google answered Amazon’s Echo Dot by recently launching their own pint-sized smart speaker, the Google Home Mini. Recently, Google was forced to disable one of the features on the Home Mini after it was discovered that a technical glitch led to near 24/7 audio recording. Google responded quickly and appropriately, investigating the cause and quickly releasing an update to disable the hardware responsible for the glitch. The Equifax hack – a breach of personal data including social security numbers, driver’s license information, and other credit details – exposed nearly half the country and waited months to respond. Upcoming European legislation that can significantly impact American companies with European Union clients may be part of the reason for their drastically different responses.