Privacy Law and Regulation

Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016. But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.

The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information. The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Filefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.

Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.

The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect. Such programs should include, at a minimum:

In the second part of a podcast series on autonomous driving vehicles, Philip N. Yannella, Co-Practice Leader of Ballard Spahr’s Privacy and Data Security Group, speaks to Joe Raczynski, a legal technologist and futurist for Thomson Reuters Legal, about the security and regulatory issues affecting driverless vehicles.

The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament.

For those of you heading to Legaltech in New York next week, please join me and a great panel for what promises to be a lively discussion of hot topics in IoT and Mobile Discovery. I’ve been fortunate enough to have been included in Relativity’s session on this topic at a number of conferences, and this next iteration is shaping up to be our best yet. Here’s our session description:

From the Iron Rooster to Amazon Alexa: Mobile Discovery and the Internet of Things

Whether it’s missing mobile data (Montgomery v. Iron Rooster-Annapolis, LLC), digital data in a truck (Below v. Yokohama Tire Corp.), Fitbit data (State v. Dabate), or data from an Amazon Alexa (State v. Bates), mobile discovery and data from the Internet of Things (IoT) devices present challenges, not only for litigants and their lawyers, but for corporate organizations, paralegals, and technologists as well. In this session, lawyers and consultants, including a former Department of Justice cybercrime coordinator, a prominent discovery attorney, a corporate information governance expert, and a leading legal industry analyst, will address the legal, technical, and practical considerations of mobile, social, and IoT data, including preservation requirements and data privacy limitations.

Here’s the link to the Legaltech page, in case you haven’t registered yet. Hope to see you in NYC!

Welcome to CyberAdviser! We are pleased to introduce this new blog, which will focus on the latest news and developments in privacy and cybersecurity law. We will be providing regular updates and insightful analysis on the pressing cyber issues facing businesses and individuals. Privacy and cybersecurity is a constantly evolving area—you can count on us to provide you with the timely information you need to stay informed.

Please subscribe to CyberAdviser to get the latest news delivered right to your inbox. You can also find the news you need on a specific topic by choosing from the dropdown menu on the right side of this page.

This blog is produced by members of Ballard Spahr’s Privacy and Data Security Group, a nationwide team of more than 50 cyber advisers who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.

2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.

Carpenter v. United States

We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider.

The Colorado Division of Securities made national headlines last year when it promulgated cybersecurity rules applicable to broker-dealers and investment advisors. Since the rules went into effect in July 2017, the Division has published a compliance checklist containing additional requirements for covered entities. Colorado-based members of Ballard Spahr’s Privacy and Data Security Group, who participated in drafting the cybersecurity rules, have now published a guide for covered entities that will help them understand their obligations under the Division’s rules and how to comply with them. Click here to view the guide.

The Arizona legislature is considering legislation that would significantly change its data breach notification statute. The proposed legislation would expand the statute’s definition of personal information, modify the timing requirements for providing notice to affected individuals, and specify what information must be provided in the notice. To read more about this proposed legislation, click here.