U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring which had managed to steal more pieces of Internet data than any other group of hackers in history – a whopping collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that this group has managed to accumulate, coupled with several other recent high-profile hacking incidents, is a wake-up call for businesses that cybersecurity has become a major contemporary concern. Data breaches are increasing in frequency, severity, and cost, and the potential consequences for an affected company can be devastating.

This trend and its insurance implications are discussed in a client alert by Reed Smith partners Doug Cameron, David Weiss, Andy Moss, and Cristina Shea, who point out that companies must start being proactive with their cybersecurity efforts. Businesses should take the time to assess their current cybersecurity insurance coverage as well as their coverage needs. Cyber-related insurance is an evolving area, so extensive research and consulting with counsel may be necessary before a company can select an insurance policy that maximizes its coverage.
 

Navigating the Complicated, Yet Rewarding, World of Social Media

The social media phenomenon has radically transformed the ways in which commercial businesses promote their services and products. However, as a result, companies must consider potential legal risks from an entirely new angle. To become a successful user of social media, a company must draft, review, disseminate and enforce a social media policy that addresses potential legal issues while at the same time emphasizing positive exposure for the business.

For more information on how your business can utilize social media to maximum effect while exercising compliance with legal guidelines, see Reed Smith’s newly published Third Edition of its white paper on social media, “Network Interference: A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon (3rd Edition).” This updated guide now covers practical, action-oriented guidelines as to the state of law in both the United States and Europe, and is an invaluable resources for companies navigating the social media world.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted, stolen laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce risks to vulnerabilities of its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as the proliferation of portable devices in the health care industry increases, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity to HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector; NHS Advocates Selling Confidential Patient Data For Secondary Purposes

Reed Smith’s Global Regulatory Enforcement Law blog features two posts of interest to those in the life sciences industry, both written by Reed Smith partner Cynthia O’Donoghue. “EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector” discusses the opposition of a lobbying group, led by the Wellcome Trust, to amendments to the proposed General Data Protection Regulation – amendments that they believe could severely inhibit future growth of the life sciences sector in the European Union. “NHS Advocates Selling Confidential Patient Data For Secondary Purposes” discusses the criticism of the UK’s Health and Social Care Information Centre and NHS England’s new initiative known as ‘care.data,' which involves the extraction, anonymization, and aggregation of patient data from GP practices in a central database for sale to third parties such as drug and insurance companies.

Launch of the New French State Portal Allows for Electronic Information Disclosure by Health Care Companies

Reed Smith’s Global Regulatory Enforcement Law blog features a post on the recent launch of the new state portal in France. "The implementation of the French transparency regulation: first good news?," written by Reed Smith partner Daniel Kadar, discusses how the portal will allow health care companies to more easily disclose transparency information to the French government as required by the French Sunshine Act. The portal is thought to be “more customer friendly” for health care companies in that it provides three possible methods for the disclosure and transfer of information.

How to Mitigate Compliance Requirements and Code of Conduct Obligations with Data Protection Regulation: Reed Smith Paris Provided Some Illustrative Examples

As reported on our Global Regulatory Enforcement Blog, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of Compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.

The panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to mitigate compliance obligations, in particular as set forth in Codes of Conduct most International organisations have now adopted, with applicable data protection regulation.  The first example was dedicated to the New French Health Care Regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry with health care professionals (including Medicine students), showing that the disclosure of financial and private information (such as the home address for the medicine students) had to be managed carefully with respect to the data owner’s information and access rights.  To read the full post, click here.

Reed Smith Gearing Up For "Big Data Monetization" Conference

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). Big Data is a term used to characterize the accumulation of data. Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue. There is no doubt a plethora of opportunities in Big Data, however, using it comes with its own set of risks. The key with monetizing Big Data is striking the balance between risk and reward.

View a preview of the types of issues we’ll be tackling at the conference over on our Global Regulatory Enforcement Law Blog.