A recent letter from researchers at the Mayo Clinic to the editor of The New England Journal of Medicine outlined a new challenge in de-identifying, or preserving the de-identified nature of, research and medical records. The Mayo Clinic researchers described their successful use of commercially available facial recognition software to match the digitally reconstructed images of research subjects’ faces from cranial magnetic resonance imaging (“MRI”) scans with photographs of the subjects. MRI scans, often considered non-identifiable once metadata (e.g., names and other scan identifiers) are removed, are frequently made publicly available in published studies and databases. For example, administrators of a national study called the Alzheimer’s Disease Neuroimaging Initiative estimate other researchers have downloaded millions of MRI scans collected in connection with their study. The Mayo Clinic researchers assert that the digitally reconstructed facial images, paired with individuals’ photographs, could allow the linkage of other private information associated with the scans (e.g., cognitive scores, genetic data, biomarkers, other imaging results and participation in certain studies or trials) to these now-identifiable individuals.
In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Full post: Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement
The EU-US Privacy Shield (Privacy Shield) has passed its third annual review by the European Commission. A framework constructed by the US Department of Commerce and the European Commission to enable transfers of personal data for commercial purposes, the Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US.
The Privacy Shield was approved by the European Commission on 12 July 2016 and was made subject to annual reviews in an effort to avoid the failures that led to the downfall of the Safe Harbor Principles, which it replaced. The reviews evaluate all aspects of the functioning of the Privacy Shield framework.
Full post: EU-US Privacy Shield Passes its Third Annual Review
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
Full post: Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches
National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.
Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations. Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication. Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards. Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks. The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.
FINRA issued its 2019 Report on Examination Findings and Observations earlier in the year than it had released prior years’ reports.
FINRA Changes Approach in Communicating Exam Results
This most recent report, issued on October 16, 2019, opens by highlighting a recently implemented distinction in how FINRA communicates exam results to firms. FINRA stated that it now reports “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Full post: Cybersecurity Best Practices: FINRA’s 2019 Exam Observations
Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.
Counsel and business executives take note: cybersecurity is not just an IT problem; robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data and systems security creates costly, significant, and unnecessary risk.
The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals – a dialogue that will allow you to assess more capably your company’s readiness to counter a broad range of exploitation techniques.
Try calling your CISO or CIO and asking these questions:
Welcome back to our three-part series providing an overview of CIPA, recent CIPA class actions, and class action defenses. In Part I we provided an overview of CIPA and its recent resurgence in the age of smart speakers. In Part II we highlighted recent class actions alleging CIPA violations involving the use of smart speakers. Here, we address potential defenses in response to a motion to certify a CIPA class.
Defenses to a CIPA Class Action
These recent lawsuits are good reminders of the real privacy concerns with new and developing technologies. Below is an overview of practice pointers and lessons learned from CIPA lawsuits if you are named in CIPA litigation.
Full post: The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part III)