Password Protected

Data Privacy & Security News and Trends

Cybersecurity: FINRA Guidance through 2018 Priorities and Recent Exam Findings

Posted in Cybersecurity, Financial Services Information Management, Information Management, Notification, Privacy

The Financial Industry Regulatory Authority (FINRA) is ramping up its commitment to assist the industry with its cybersecurity compliance efforts. Recent guidance from FINRA includes:

  1. an Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
  2. the 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.

FINRA called out cybersecurity, in its Examination Findings Report, as one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cybersecurity programs.”

FINRA detailed the areas in which it observed, during examinations, that firms’ cybersecurity programs were either effective or deficient. Reviewing both the positives and the negatives provides valuable information for firms looking to shore up their programs.

Examples of Effective Practices Include:

  • Escalation Protocols: Have an escalation process that ensures the appropriate level of the firm is apprised of issues, so that they receive attention and are resolved.
  • Plans to Resolve Issues: Implement detailed resolution steps and time frames for completion.
  • Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
  • Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
  • Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
  • Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.

Examples of Deficient Practices Include:

  • Failure to Follow Access Management Steps:
    • Not immediately terminating access of departing employees.
    • Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time).
  • Infrequent or No Risk Assessments:
    • No formal risk assessment practices.
    • Unable to identify critical assets or potential risks.
  • Informal Processes for or Lack of Vendor Management:
    • Failed to have formal processes to assess a vendor’s cybersecurity preparedness.
    • Failed to include in vendor contracts a requirement that the vendor notify the firm of breaches involving customer information.
  • Noncompliant Branch Offices:
    • Failed to manage passwords.
    • Failed to implement security patches and software updates.
    • Failed to update anti-virus software.
    • Lacked control of employee use of removable storage devices.
    • Use of unencrypted data and devices.
    • Failed to report incidents.
  • Segregation of Duties:
    • Failed to segregate duties for requesting, implementing, and approving cyber-security rules and systems changes.
  • Data Loss Prevention:
    • Lack of rules to ensure all customer sensitive information is covered.
    • Permitted or failed to block large file transfers to outside or untrusted recipients.
    • Failed to implement formal change-management processes for data loss prevention systems changes.
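The privileged-user deficiency above names three concrete signals (extra access rights being assigned, activity outside business hours, and logins from different geographies at about the same time). The following Python is an added example of how a firm might check an authentication log for those signals; it is not FINRA's code or a recommended product. The log format, the sample entries, the privileged-user list, the business-hours window and the one-hour travel window are all constructed assumptions, and the timestamps are treated as the firm's local time for the off-hours check.

```python
from datetime import datetime, time, timedelta

# Constructed sample authentication/administration log (not from FINRA or any
# real firm). Assumed format: "<UTC timestamp> <user> <event> <source country>
# [key=value ...]". Timestamps are treated as the firm's local business time
# for the off-hours check; a real deployment would convert to each user's
# local time zone first.
SAMPLE_LOG = """\
2018-02-20T09:12:03Z alice login US
2018-02-20T09:40:51Z alice grant_rights US target=bob role=admin
2018-02-20T22:15:07Z carol login US
2018-02-20T10:05:00Z dave login DE
2018-02-20T10:31:00Z dave login BR
2018-02-20T11:00:00Z erin login US
2018-02-20T11:20:00Z erin grant_rights US target=frank role=admin
"""

# Assumed privileged-user list; in practice this comes from the directory.
PRIVILEGED_USERS = {"alice", "carol", "dave"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # inclusive start, exclusive end
TRAVEL_WINDOW = timedelta(hours=1)          # assumed "at or about the same time"


def parse_line(line):
    """Parse one log line into a dict; trailing key=value fields become a dict."""
    ts, user, event, country, *extra = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "country": country,
        "extra": dict(kv.split("=", 1) for kv in extra),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events, privileged, business_hours=BUSINESS_HOURS,
                   travel_window=TRAVEL_WINDOW):
    """Return (kind, user, timestamp, detail) tuples for: rights grants,
    off-hours logins, and logins from different countries within the travel
    window. A rights grant by a non-privileged account is flagged separately,
    because it indicates the access model itself has been bypassed."""
    findings = []
    last_login = {}  # user -> (timestamp, country) of the most recent login
    start, end = business_hours
    for ev in sorted(events, key=lambda e: e["ts"]):
        is_priv = ev["user"] in privileged
        if ev["event"] == "grant_rights":
            kind = "rights_grant" if is_priv else "grant_by_unprivileged"
            detail = "granted %s to %s" % (ev["extra"].get("role"), ev["extra"].get("target"))
            findings.append((kind, ev["user"], ev["ts"], detail))
            continue
        if not is_priv or ev["event"] != "login":
            continue  # only privileged logins are in scope for the remaining checks
        if not (start <= ev["ts"].time() < end):
            findings.append(("off_hours_login", ev["user"], ev["ts"], ev["country"]))
        prev = last_login.get(ev["user"])
        if prev is not None and prev[1] != ev["country"] and ev["ts"] - prev[0] <= travel_window:
            detail = "%s then %s within %s" % (prev[1], ev["country"], ev["ts"] - prev[0])
            findings.append(("concurrent_geo_login", ev["user"], ev["ts"], detail))
        last_login[ev["user"]] = (ev["ts"], ev["country"])
    return findings


if __name__ == "__main__":
    for kind, user, ts, detail in find_anomalies(parse_log(SAMPLE_LOG), PRIVILEGED_USERS):
        print("%s %-22s %-6s %s" % (ts.isoformat(), kind, user, detail))
```

The sorting step matters: logs from several systems rarely arrive in time order, and the geography check compares each login with the user's previous one. Findings like these are only useful if they feed the escalation process described under the effective practices, so that someone with authority actually reviews them.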

FINRA’s 2018 Regulatory and Examination Priorities also include cybersecurity as a priority area. In addition to the areas noted above, which FINRA also calls out in the Priorities Letter, FINRA noted two additional themes. First, it will evaluate the effectiveness of firms’ cybersecurity programs in protecting sensitive information. Second, FINRA reminds firms that they need policies and procedures to determine when a Suspicious Activity Report should be filed regarding a cybersecurity event. (See FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Oct. 25, 2016.)

Conclusion

FINRA reminds firms that, while exam deficiencies must be addressed, firms often benefit from “proactively” remediating issues before the exam is completed. Acting proactively strengthens firms’ programs and enhances regulatory protections. Our observation, as outside counsel, is that when firms take proactive steps to get ahead of issues, it demonstrates to the regulators that the firm has a commitment to a strong compliance program and, in the right circumstances, may have a material impact on how FINRA decides to resolve an issue.

The information FINRA provides in the Examination Findings Report and the Priorities Letter provides a roadmap for enhancing overall compliance, supervisory, and risk management programs. With regard to cybersecurity, firms that use these resources can prepare effectively for examinations, close program gaps, and potentially avoid cybersecurity incidents.

France: Pragmatism and Flexibility for the GDPR Implementation

Posted in Data Protection and Competition, EU Data Protection, Legislation

The GDPR (General Data Protection Regulation) will apply as of May 25, 2018. The (high) level of penalties under the GDPR will be one of the core issues for companies. The GDPR is based on the European fundamental rights to privacy and data protection, and it can also apply to companies established outside the European Union.

To reassure companies, and as a first step, the French Data Protection Authority (DPA), the CNIL, stated that the application of the GDPR in France will be flexible. This declaration was made on its website on Monday, February 19, 2018. The CNIL also assured companies that it will provide assistance in the first months after the GDPR enters into application; to that end, an accompanying information guide, co-edited with the French public investment bank, will be published by the CNIL to help companies.

Finally, the CNIL assured companies that it will not automatically sanction every company that does not comply with the GDPR. Its approach will be pragmatic, distinguishing between the fundamental principles that already exist under current law and the new requirements that call for adjustments within companies.

The existing principles for which there will be no flexibility or tolerance include, for example, the obligation to process data lawfully, fairly and transparently, the obligation to collect data for an explicit and legitimate purpose, the principles of accuracy and limited data retention, and the obligation to ensure appropriate security when processing data. For these principles, the CNIL will audit companies and apply the GDPR sanctions as of May 25, 2018. The CNIL announced that it will verify compliance with these principles rigorously.

However, for new principles, such as the right to data portability, the requirement to appoint a Data Protection Officer (DPO) and the requirement to maintain a record of processing activities, the goal of the first verifications will be to assist companies and help them understand and implement these new obligations. The French DPA does not intend to impose sanctions immediately on each infringement: if a company is acting in good faith and cooperates with the CNIL, these verifications will not lead to sanction proceedings.

At this time, this tolerance concerns only the year 2018.

The CNIL emphasized that the GDPR abolishes the duty to notify processing operations to the national DPA. Those notifications are replaced by the record of processing activities and, where processing is likely to result in a high risk, by the Data Protection Impact Assessment (DPIA).

Accordingly, and as a first step, there will be a tolerance for carrying out DPIAs on processing that already exists. This tolerance will be time-limited, because the GDPR requires risks to be reassessed dynamically. As a result, those DPIAs will have to be carried out within a reasonable period of three years.

A few days before this statement, the French National Assembly adopted the draft law on personal data protection, intended to take effect on May 25, 2018.

eCall: Privacy and Data Protection Implications

Posted in EU Data Protection

From 31 March 2018, all new vehicle types (passenger cars and light vans) approved for sale in the European Union (EU) must be equipped with eCall technology.

What is eCall?

eCall is a service designed to provide a quick emergency response. In the event of a serious accident, the in-vehicle eCall system automatically communicates the vehicle’s exact location, the time of the incident and the direction of travel (most important on motorways) to the emergency services, even if the driver is unconscious or unable to make a phone call. An eCall can also be triggered manually by pushing a button in the car, for example by a witness to a serious accident.

How does eCall work?

When activated, the eCall system establishes a voice connection, over the 112 emergency number, directly with the relevant national or local governmental Public Safety Answering Point (PSAP).

The eCall device fitted in the car automatically sends a ‘Minimum Set of Data’ (MSD) to the PSAP in the event of an emergency. The MSD includes the exact location of the crash site, the triggering mode (automatic or manual), the vehicle identification number and the vehicle’s current and previous positions.

Who governs eCall?

The eCall system is governed by EU regulations. The European Commission has also published various detailed administrative and technical requirements that eCall technology and systems must comply with.

The legislation in place leaves room for third party service supported eCall systems (TPS) to co-exist with the mandatory public eCall system. This creates extensive opportunities for third party service providers in the private sector to provide not only the eCall emergency services but also a plethora of private value added technology-based services.

What are the privacy and data protection concerns?

The introduction of eCall systems raises obvious concerns in relation to privacy and data protection, in particular misuse of data, surveillance and constant tracking. To address such concerns, in addition to complying with general data protection law, including the principle of privacy by design, the EU’s eCall regulations require manufacturers and service providers to comply with detailed and prescriptive technical rules and test procedures on personal data processing, including the implementation of appropriate safeguards.

2018 Tax (Fraud) Season: IRS Warns Tax Professionals, Employers About New and Old Phishing Scams

Posted in Data breach, Data Security, Identity Theft

Tax season is here, which means tax fraud season is here, too. This year, the Internal Revenue Service (IRS) is warning tax practitioners about a new phishing scam targeted at them and reminding all employers that fraudsters continue to use a scam to collect Forms W-2 for entire workforces.

Cybercriminals have traditionally targeted taxpayers directly, attempting to obtain their personal information through phone or email scams. Perhaps because of advances in educating the public about identity theft, cybercriminals are now shifting tactics and targeting tax professionals to obtain the same sensitive personal information.

Here is how the scam targeting tax preparers works: fraudsters send introductory emails to tax professionals, posing as potential clients, to gain access to the professionals’ computer systems and collect the personal information of their clients. Some emails reported to the IRS include:

  • “Happy new year to you and yours. I want you to help us file our tax returns this year as our previous CPA passed away in October.  How much will this cost us?  Hope to hear from you soon.”
  • “A friend of mine introduced you to me regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attached is my information needed for my tax to be filed.  If you need more details please feel free to contact me.”

The email may contain a phishing URL, or an attachment containing a phishing URL, claiming the individual’s tax data is enclosed. Once the recipient clicks the link, malware is silently downloaded that lets the cybercriminal log keystrokes or gain remote access to the recipient’s computer and steal personal information. That information can then be used to file fraudulent tax returns or sold on the dark web.

In a twist, in a few cases fraudulent refunds have been deposited into taxpayers’ real bank accounts. A person posing as a debt collection agency official then contacts the taxpayer, says the refund was deposited in error, and asks the taxpayer to forward the funds to the caller.

One scam that is not new, but about which IRS officials are again warning employers, is a phishing scam targeting payroll or human resources departments in an attempt to obtain employees’ Forms W-2. This scam first appeared in 2016, and the IRS does not expect it to slow down in 2018, calling it “one of the most dangerous phishing emails in the tax community.”

As we reported last year, here is how the Form W-2 scam works: cybercriminals, posing as a company executive, email payroll or human resources and request copies of Forms W-2 for all employees. Fraudsters have even used an executive’s signature block in the email to increase its apparent legitimacy.

The initial email to the employee may be a simple “Hi, are you working today?” before the fraudster requests employee information.  Emails typically include language such as:

  • “Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2017. I need them in PDF file type, you can send it as an attachment.  Kindly prepare the lists and email them to me asap.”

During the last two filing seasons, cybercriminals have targeted all types of employers, including large and small businesses, public schools and universities, hospitals, tribal governments, and charities, which means that every employer should take steps to educate employees and safeguard their personal information. Employers may also want to limit the number of employees who handle Form W-2 requests and require additional verification before any Forms are emailed.

Regardless of the phishing method, the IRS has recommended a number of basic steps that every employer, whether a small tax preparer or a large business, should take:

  • Educate all employees about phishing emails and train them to not click on pop-ups or suspicious links.
  • Use strong, unique passwords.
  • Never take an email from a familiar source at face value.
  • Consider verbal confirmation by phone with the sender of an email before sending further information or accessing links or attachments, using a phone number known independently of the email rather than one it supplies.
  • Notify the IRS of all suspicious tax-related phishing emails (phishing@irs.gov for all phishing emails, and dataloss@irs.gov for Form W-2 scam emails).

Additional federal resources:

“Don’t Take the Bait” Security Awareness Campaign

Report Phishing and Online Scams

Tax Scams and Consumer Alerts

Child’s Play: VTech Settles FTC Lawsuit Over Data Security in Connected Toys

Posted in Consumer Privacy/FTC, Data breach, FTC enforcement, Privacy

On January 8, 2018, the FTC announced that VTech, a maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information from children without parental consent.

When Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, it directed the FTC to issue a rule implementing the goal of protecting the privacy and safety of children online. The rule applies to online services directed to children under 13 and prohibits covered operators from collecting personal information from children without properly disclosing to parents how the information will be used and obtaining verifiable parental consent. A privacy policy must be clearly linked on the platform, and the information that covered operators do collect must be kept secure and protected.

In the complaint made public along with the settlement, the FTC alleged that VTech violated COPPA by collecting personal information about children without parental consent through Kid Connect and other applications sold with its internet-connected toys, because there was no mechanism in place to verify that the person registering for a Kid Connect account was actually a parent. The FTC also alleged that VTech failed to provide direct notice of its information collection practices to parents and failed to take reasonable steps to protect the information it had collected, which included full names, email addresses, mailing addresses, usernames, and passwords. Finally, the FTC alleged that VTech violated the FTC Act by falsely stating that personal information submitted by users would be encrypted when in fact none of the information, except for photo and audio files, was encrypted. In November 2015, VTech learned through a journalist that hackers had accessed its computer network and stolen personal information about parents and children. The decryption keys for the photo and audio files were stored in the same hacked database, so even that encryption offered no practical protection.

Hong Kong-based company VTech Electronics Limited and its US subsidiary agreed to pay $650,000 to resolve the charges brought by the FTC.  This settlement marks the FTC’s first privacy case involving internet-connected toys.

Since its passage, COPPA has been actively enforced by the FTC, with recent settlements including a mobile advertiser tracking children’s locations and app developers that allowed third-party advertisers to collect children’s information.

Putting Lawyers in Charge of Investigations Does Not Assure Privilege Protection

Posted in Data breach

Corporations’ investigations generally deserve (1) privilege protection only if the corporations are primarily motivated by their need for legal advice; and (2) work product protection only if they are motivated by anticipated litigation, and the company would not have created the investigation-related documents in the same form but for that anticipated litigation.

In In re Premera Blue Cross Customer Data Security Breach Litigation, Case No. 3:15-md-2633-SI, 2017 U.S. Dist. LEXIS 178762 (D. Or. Oct. 27, 2017), Premera claimed privilege and work product protection for its data breach investigation.  The court rejected both claims.  Among many other things, the court assessed Premera’s work product claim for documents created by its consultant Mandiant.  Premera had hired Mandiant to review its claims data management system in October 2014.  On January 29, 2015, Mandiant discovered malware on the system.  Premera quickly hired an outside lawyer, and on February 21, 2015, “Premera and Mandiant entered into an amended statement of work that shifted supervision of Mandiant’s [later] work to outside counsel.”  Id. at *22.  Premera predictably argued that Mandiant’s later work was protected, because Mandiant was then working “on behalf of an attorney.”  Id. at *23.  But the court rebuffed the argument — bluntly explaining that the “flaw in Premera’s argument . . . is that . . . [Mandiant’s] scope of work did not change [from the October 2014 agreement] after outside counsel was retained.”  Id.  As the court noted, the “only thing that appears to have changed involving Mandiant was the identity of its direct supervisor.”  Id.

Companies seeking to maximize privilege and work product protection for internal corporate investigations should carefully document the primary motivations, showing that the corporation did something different or special because of its need for legal advice or because of anticipated litigation.  The documentation of course should start with law firms’ and consultants’ retainer letters – but all documents created before, during, and after investigations should help evidence the necessary motivational elements under the privilege and (if appropriate) the work product doctrine.

Virginia General Assembly to Tackle a Variety of Privacy Related Bills

Posted in Legislation

The Virginia General Assembly is underway and several privacy related bills are on the legislative agenda for 2018. The Virginia legislature will consider approximately 3,000 bills during its 60-day session that will end in early March. Several of these pending bills have privacy implications in a variety of substantive areas.

Tax Return Data

In an attempt to further address the growing problem of criminals filing fraudulent tax returns after stealing the identities of unsuspecting taxpayers, companion bills are pending in the House of Delegates and Virginia Senate that impose a breach notification duty on state tax return preparers, as defined in Va. Code Ann. § 58.1-302. This legislation follows the adoption last year of a requirement that employers and payroll service providers provide a breach notification to the Attorney General of Virginia when such entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).

The bills this year appear to be a further expansion of the Department of Taxation’s attempt to combat criminals filing fraudulent tax returns. Specifically, the bills require state tax return preparers to notify the Virginia Department of Tax “without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” In such circumstances, the tax return preparer is required to provide the Department of Tax with certain information about the preparer and the taxpayer. (HB183 (pending); SB271 (pending)).

Net Neutrality at the State Level

While the debate concerning “net neutrality” rages at the federal level, one Virginia lawmaker has introduced two bills aimed at instituting a state-based approach to neutrality. The first bill prohibits companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a user’s ability to access broadband internet access. The bill also limits broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. (SB948)

The second bill on the same topic takes a more targeted approach. The bill proposes to limit state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Specifically, SB949 prohibits internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill prohibits such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law enforcement activities.

Additional bills related to privacy include (partial listing):

  • Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588 (pending)
  • Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted of, any crime (a.k.a. “ban-the-box”). SB252 (pending); HB1357 (pending)
  • Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240 (pending)
  • Allowing the use of drones by law enforcement without obtaining a warrant under certain circumstances. HB1290 (pending)
  • Prohibiting the disclosure, under Virginia’s open records laws, of information contained in engineering and construction drawings and plans for single-family residences that are submitted to local governments for building code purposes. HB683 (pending)
  • Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law enforcement officer except pursuant to a search warrant. HB604 (defeated)
  • Eliminating the ability of credit reporting agencies to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB16; SB18; SB22; SB95 (pending; partial listing)
  • Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1 (pending); HB147 (pending)
  • Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39 (pending)

While the largest number of privacy related bills this legislative session concern the ability of consumers to freeze their credit reports without a fee, there are a host of other bills to monitor that have important consequences for consumers and privacy professionals.

HIPAA Breach Reporting: 2017 Trends and Mends

Posted in Data breach, Health Information, Notification

With 2017 having drawn to a close, it is once again time for HIPAA covered entities to complete their annual breach reporting obligations to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Whereas covered entities must report breaches involving 500 or more individuals no later than 60 calendar days from the discovery date, for breaches affecting fewer than 500 individuals, entities have the option of submitting the year’s incident notifications within 60 days after the end of the respective calendar year.[1]

Even as entities work to meet this deadline, certain trends are becoming apparent. To assist with identifying trends and mitigating risks, this post provides a brief overview of current OCR activity and 2017 breach reports. Because breaches can be reported until February 28, 2018, the figures herein are not yet final. Nevertheless, the 2017 statistics to date provide insight into the healthcare industry’s current challenges, general trends in data security, and considerations for 2018 OCR compliance.

To date, the annual figures for HIPAA breaches of unsecured protected health information (“PHI”) reveal that network servers, email, and other information technology (“IT”) events continued to challenge the healthcare industry in 2017. OCR data shows that breach reports affecting 500 or more individuals remained relatively stable compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by about 26%, from 113 in 2016 to 142 in 2017. Other events, such as unauthorized access/disclosures, theft, and improper disposal, saw more modest fluctuations. Breaches occurring via portable electronic devices in the workplace (e.g., smartphones and tablets) remained stable, with 22 in 2017 and 21 in 2016. Email-based breaches, however, rose by 70%, from 50 in 2016 to 85 in 2017.

The healthcare industry obviously still has work to do, particularly with larger data sets. The numbers show an increase in hacking and email related breaches, which makes the need for email and software safety measures more apparent.

There are several key lessons to be gleaned from the 2017 statistics regarding protection measures a covered entity may take in 2018 to help mend current gaps and minimize the risk of the increasingly commonplace hacking and email incidents:

  1. Workforce training and education that emphasizes the identification of suspicious emails and links that may allow hackers into a covered entity’s network remain vital compliance tools.
  2. From an administrative and management perspective, as well as from an OCR enforcement perspective, updating risk analyses of systems is more important than ever.
  3. Following a management plan, created from the threats to PHI identified through the risk analysis, can significantly minimize risk exposure and avoidable attacks.
  4. Investment in and implementation of advanced intrusion detection systems can identify malicious activity or software more quickly, creating real-time alerts.
  5. Continued auditing and monitoring of systems and the workforce further assist entities in identifying abnormalities or weak points in their safeguards.
  6. Timely software updates can shut out widespread attacks. The global “WannaCry” ransomware outbreak exploited a Windows vulnerability for which a patch had already been released, and the recently disclosed “Meltdown” and “Spectre” processor vulnerabilities are mitigated, in whole or in part, by operating system and firmware updates. Keeping systems patched removes the openings that many hacks and malware depend on; it does not by itself stop phishing, which is why it complements rather than replaces the training in item 1.

The 2017 numbers regarding data breaches show the need for HIPAA entities to remain vigilant against large breaches, especially as they are growing increasingly malicious and difficult to anticipate. Large and small solutions exist, each of which can make a significant impact on protecting against breaches in the coming year.

[1] 45 C.F.R. § 164.408(b),(c); Submitting Notice of a Breach to the Secretary, U.S. Dep’t Health & Human Servs. (Jan. 5, 2015), https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.

Big Brother is a Pill: Digital Tracking Drugs

Posted in Consumer Privacy/FTC, Health Information, Surveillance

Drug adherence programs have significantly evolved over the last few years with drug companies, health plans, and providers taking steps to monitor patient medication compliance. Drug adherence is the degree to which a patient complies with medication administration advice for treatment of chronic disease. Beyond the obvious benefits to patients’ health and health entities’ bottom lines, drug adherence can have a large effect on public health and social communities. Therefore, although it is no surprise that the health care industry has turned its focus to adherence in a big way, it may be surprising that in an industry where confidentiality is king, the most recent strategy may be turning to big brother.

U.S. Food & Drug Administration Announcement

This past November, the U.S. Food & Drug Administration (“FDA”) announced approval of a new solution to medication noncompliance: digital tracking. The FDA has not broadly blessed the practice, which has been around since 2012, but it took a large step in that direction by approving the digital drug Abilify MyCite, a collaboration between drug manufacturer Otsuka and technology company Proteus Digital Health. The drug is used to treat schizophrenia, episodes associated with bipolar I disorder, and certain depression diagnoses in adults. Abilify MyCite specifically uses an ingestible sensor embedded in the tablet that emits an electrical signal on contact with stomach fluid. The signal is picked up by a wearable patch and relayed to a mobile application, which records that the medication was taken. With the patient’s permission, relatives and caregivers can also track adherence directly through a similar application or a web-based portal.[1]

Privacy Concerns and Obtaining Consent

As the industry looks to improve public health and reduce health care costs (medication noncompliance is estimated to cost $100 billion/year in the U.S.), it must balance those goals against the need to uphold patient rights, including patient privacy, especially where disease increases patients’ vulnerability. While HIPAA and state laws generally allow access to and disclosure of patient information with consent as well as for treatment purposes,[2] regulation regarding this kind of monitoring by third parties and the resulting use of the data is less explicit. Just as states are beginning to take a stronger stance on protection of biometric and genetic information, digital drugs and medication compliance may be next to receive additional scrutiny and increased protections.

No Written Consent, But Still No Harm: TCPA Class Certification Denied Where Spokeo Creates Individualized Questions of Consent

Posted in Consumer Privacy/FTC, Privacy, Retail

Earlier this year, the Northern District of Illinois declined to certify a Telephone Consumer Protection Act (TCPA) class action even though the key issue in the case – whether class members had provided prior express written consent to receive prerecorded telemarketing calls – appeared to be a common question. In Legg v. PTZ Insurance Agency, Ltd., it seemed apparent “that none of the proposed class members” provided prior express written consent in the form required by the TCPA and its accompanying regulations. Nevertheless, the Court held that Article III standing concerns rendered class members’ consent an individualized issue that predominated over any common class questions.

The defendants in Legg were pet adoption and pet insurance companies that provided pet adopters with a 30-day free gift of pet health insurance. During the adoption process, shelters gathered information from pet adopters for the purpose of providing this free gift. To receive the free gift, adopters had to opt in to email communications from the defendants. Adopters also provided their telephone numbers. Thereafter, the defendants made prerecorded calls to pet adopters to remind them of their free gift.

The plaintiffs sought to certify a class of individuals who received such calls without providing signed “prior express written consent,” which must be obtained prior to making prerecorded calls with a telemarketing or advertising purpose. The plaintiffs argued that determining whether class members had provided prior express written consent was a common question that could be answered on a class-wide basis.

Although the court seemed to agree, its analysis did not end there. Instead, the court reasoned that if class members had verbally agreed to receive calls from the defendants, they could not have suffered a concrete injury under Spokeo, Inc. v. Robins when they ultimately received such calls – even if the defendants failed to obtain such consent in the written, signed form required by the TCPA. Indeed, the defendants supplied affidavits from pet adopters declaring that they agreed and expected to receive calls from the defendants regarding pet insurance. Reasoning that the Congressional purpose of the TCPA was to prevent unsolicited calls, the court rejected the idea that a mere failure to abide by the TCPA’s procedural requirements gave rise to an Article III injury. Instead, it found that insofar as “the class members agreed to receive the calls, they lack[ed] a ‘genuine controversy’” and denied class certification because determining whether each individual class member consented – and hence whether they were injured – would involve “hundreds, if not thousands, of mini-trials on the issue of consent alone.” Last month, the Seventh Circuit denied the plaintiffs’ petition to appeal this ruling.

In TCPA cases, the ability to certify a class frequently depends upon whether the issue of consent is a common question or whether it is individualized. Legg demonstrates that even where consent appears at first blush to be a common question, defendants in TCPA actions may be able to defeat class certification by relying upon Spokeo to establish that the question of consent is individualized.