The Children’s Online Privacy Protection Act (“COPPA”) prohibits unfair or deceptive collection, use, and disclosure of the personal information of children on the internet. COPPA covers both website operators and app developers, and prevents collection of personal information without verified, written consent of parents. On February 27, 2019, the Federal Trade Commission (“FTC”) filed a complaint in U.S. District Court against TikTok, previously known as Musical.ly. The complaint alleged that Musical.ly knowingly violated COPPA when it collected data from children without written consent of parents. Musical.ly settled for $5,700,000.00, the largest civil penalty obtained by the FTC for violations of COPPA.
On March 12, 2019, the Department of Justice (“DOJ”) announced revisions to the Corporate Enforcement Policy under the Foreign Corrupt Practices Act. The changes now require company oversight of ephemeral messaging apps used by any employee, stockholder, or agent who discusses business records via the messaging platform. Publicly traded companies must now establish internal compliance policies to review use of ephemeral messaging services, provide ongoing oversight of the messaging services, and may want to completely prohibit the use of such messaging apps for business purposes.
Cook County General Administrative Order 18-1 pertains to the Standard HIPAA Qualified Protective Orders (QPO) that will be permitted in Cook County. These orders will only be allowed for cases that are in litigation where the Plaintiff and Plaintiff’s counsel authorize disclosure of a litigant’s protected health information (PHI). It also requires all entities who received PHI to either return the documents to the Plaintiff or destroy them at the end of the case. These changes mean that Plaintiff’s attorneys will see a change in the handling of Plaintiff’s medical records and other documents covered under the QPO containing PHI.
During Governor-elect J.B. Pritzker’s election campaign, he heavily advocated for Illinois to be more accommodating to recreational marijuana usage. In Illinois, medical marijuana has already been legalized, and new bills are being introduced to make it more accessible. If recreational marijuana is legalized, Illinois will join ten states, and the District of Columbia, in its authorization.
From Siri to Alexa, to deep learning algorithms, artificial intelligence (AI) has now become commonplace in most people’s lives. In a business context, AI has become an indispensable tool for businesses to utilize in accomplishing their goals. Due to the complexity of the algorithms required to make quick and complex decisions, a “black box problem” has emerged for those who utilize these increasingly elaborate forms of AI. The “black box” simply refers to the level of opacity that shrouds the AI decision-making process. While no current regulation explicitly bans or restricts the use of AI in decision-making processes, many tech experts argue that the black box of AI needs to be opened in order to deconstruct not only the technically intricate decision-making capabilities of AI, but also the possible compliance-related problems this type of technology may cause.
On March 10, 2019, Ethiopian Airlines Flight 302 en route to Nairobi, Kenya crashed shortly after take-off leaving no survivors. It became the carrier’s most deadly crash and its first fatal crash since January 2010. Most notably, however, it was the second fatal crash involving Boeing’s new 737 MAX jet in less than five months after the Lion Air Flight 610 accident in October 2018. The day following the tragedy, Ethiopian Airlines grounded all of its Boeing 737 MAX 8 fleet until further notice. Many other airlines suspended operations of the aircraft as well and countless countries banned the 737 MAX from airspace.
The Federal Trade Commission (“FTC”) recently proposed two amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security system. This rule went into effect in 2003. The Privacy Rule requires financial institutions to inform customers about their information-sharing practices and allows customers to opt out of having their information shared with certain third parties. This rule went into effect in 2000. The recent amendments to these two rules are intended to further protect consumers’ data from third parties. However, the changes could also adversely affect businesses.
In a time where much of the healthcare industry has shifted to incorporate telehealth and telemedicine, health care organizations and providers are faced with the upkeep of the growing influx of patient data and the challenges associated with their obligation to maintain patient privacy. These challenges become increasingly burdensome as providers strive to keep up to date with the advancement of technology. Healthcare organizations must maintain patient privacy through close monitoring of clouds, employee use of mobile devices, patient access to medical information and scheduling, and access to the provider networks through non-organizational devices. Maintaining the multiple platforms is costly, and the industry remains at risk due to the rising volumes of cybersecurity attacks and breaches. UConn Health recently experienced a data breach that necessitated notifying 326,000 people of potential impact to their protected health information (PHI), including names, dates of birth, addresses, billing information, and even social security numbers, due to potential access by an unauthorized person.
Theranos, the health-tech and medical lab startup, was once one of the most hyped companies to come out of Silicon Valley. In 2014, after catching the attention of high-profile investors, the company reached a valuation of $9 billion. Following several employee and journalistic leaks in 2015, however, the public began to see the company for what it was: a fraud. An October 3, 2016 Inside Compliance article titled “Theranos: New Compliance Program Hopes to Save the Company” was written following Theranos’ appointment of two outside executives to oversee regulatory, quality, and compliance standards. It is now clear that these efforts to save Theranos were too little, too late, but we see some useful takeaways from Theranos’ downfall. This article will explore the key lessons learned as they relate to leadership, ethics, and compliance.
Ever since the enactment of the General Data Protection Regulation in the European Union, data privacy and data protection have become a hot topic for businesses and countries around the world. In the digital age, where personal data is constantly collected, processed, and used, the need for strong data collection regulations has never been more important. Many countries have begun to enact data protection laws, and the most recent addition to the list of comprehensive data protection acts is seen in Thailand. On February 28, 2019, Thailand’s National Legislative Assembly approved the very first comprehensive data protection law in the country, the Thailand Personal Data Protection Act, which will be effective after a one-year transition period to help ensure compliance.