Regulatory Enforcement and Litigation

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018.  This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.

Illustration of binary code rippling out from the European Union flag, in relation to GDPRThe GDPR has been, perhaps, the most widely talked about privacy regulation for the past year and a half after it was approved by the EU Parliament on April 14, 2016 because of the sweeping changes it will bring to how the global digital economy operates with regard to processing personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data.  The most widely used transfer mechanisms are: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.

Appropriate Safeguards

In the absence of an adequacy determination, cross border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used transfer mechanisms are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.

Model contractual clauses are legal terms contained in a template data processing agreement drafted and ratified by the EU. Model contractual clauses can be burdensome because companies are required to enter new model contractual clauses to cover each new third party and each new purpose for processing or transfer.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield.  The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor), that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.

Derogations

In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of data transfer in the absence of an adequacy decision and appropriate safeguards, the transfer is necessary for the performance of a contract between the parties, or if the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight.  Beginning on May 26, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows.  Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate.  If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.

Roger Severino, director of the Department of Health and Human Services’ Office of Civil Rights, told HIMSS18 conference attendees this week that he plans no slowdown in HIPAA enforcement.

“I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We’re still looking for big, juicy egregious cases” for enforcement, Severino said, according to this report in Data Breach Today. That doesn’t mean smaller companies should assume they are off the radar, he added.

He said 2017 was OCR’s second biggest year for HIPAA settlements with $19.4 million collected, second only to 2016 in which OCR collected nearly $25 million.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May,  is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

Ransomware, data breaches, and emerging artificial intelligence — these are some of the cybersecurity trends that executives expect to spill into the coming year with some newer challenges, according to eWeek.

The 2017 data leaks, hacks and attacks that alarmed industries across sectors will only grow more common. Cybersecurity leaders say they expect businesses to continue to innovate practices that bolster their privacy and create consumer products that offer a more comprehensive package of protections against malware, credit theft and identity fraud.

Looking ahead to 2018, regulators are raising the bar for data protection standards for corporations. For example, the EU will enforce General Data Protection Regulations (GDPR), which obligate organizations to comply with specific security improvement practices and approaches. Smaller businesses are expected to leverage multifactor authentication systems for password-protected accounts.

Read more about 2018 cybersecurity trends.

The Federal Trade Commission is investing nearly $3 million in technology to support an increasing need for e-discovery driven by massive data breaches such as the one disclosed recently by Equifax.

The news comes from the National Law Journal, which reports that the FTC awarded a one-year contract to Innovative Discovery LLC of Arlington, Virginia for a secure litigation support service. The agency awarded the contract without competitive bids because it “faces usual and compelling circumstances that require the immediate initiation of this pilot,” the Law Journal reported.

“The FTC is entering into an unprecedented year of investigations and litigation, including its investigation into the Equifax data breach and an usually high number of forensic data acquisitions in fraud cases,” agency officials wrote. The contract, they added, “is essential to enabling the FTC to successfully conduct investigations and litigation to stop consumer harm, thus enabling the agency to accomplish its mission.”

One way to measure the increasing importance of cybersecurity to American businesses is to track how often the issue arises as a risk factor in corporate filings with the Securities and Exchange Commission.

A recent analysis by Bloomberg BNA charted a dramatic rise over the past six years, with only a tiny fraction of businesses citing cybersecurity risks in 2011 SEC filings compared to a substantial percentage in the first six months of 2017.

The report notes that a likely reason for the increase was SEC guidance issued in 2011 that clarified when cyber incidents should be disclosed in financial filings, leading to cybersecurity’s being “elevated into the general counsel’s office [and onto] the board’s agenda.”

Read more at Bloomberg BNA’s article Corporate Cyber Risk Disclosures Jump Dramatically in 2017.

Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen made it clear that she expects the FTC’s enforcement role in protecting privacy and security to encompass automated and connected vehicles. In her opening remarks at a June 28, 2017 workshop hosted by the FTC and National Highway Traffic Safety Administration (NHTSA), she said the FTC will take action against manufacturers and service providers of autonomous and connected vehicles if their activities violate Section 5 of the FTC Act, which prohibits unfair and deceptive acts or practices.

Such concern is warranted as new technologies allow vehicles to not only access the Internet, but also to independently generate, store and transmit all types of data – some of which could be very valuable to law enforcement, insurance companies, and other industries. For example, such data can not only show a car’s precise location, but also whether it violated posted speed limits, and aggressively followed behind, or cut-off, other cars.

Acting Chairman Ohlhausen noted that the FTC wants to coordinate its regulatory efforts with NHTSA, and envisions that both organizations will have important roles, similar to the way the FTC and the Department of Health and Human Services both have roles with respect to the Health Insurance Portability and Accountability Act (HIPAA).

Traditionally, NHTSA has dealt with vehicle safety issues, as opposed to privacy and data security. Thus, it may mean that the FTC will have a key role on these issues as they apply to connected cars, as it already has been a major player on privacy and data security in other industries.

Acting Chairman Ohlhausen also encouraged Congress to consider data breach and data security legislation for these new industries, but speakers at the workshop (video available here and embedded below) noted that legislation in this area will have difficulty keeping up with the fast pace of change of these technologies.

Part 1:

Part 2:

Part 3:

Specific federal legislation, or even laws at the state level, may be slow in coming given the many stakeholders who have an interest in the outcome. Until then, the broad mandate of Section 5 may be one of the main sources of enforcement. Companies who provide goods or services related to autonomous and connected vehicles should be familiar with the basic FTC security advice we have already blogged about here, and should work with knowledgeable attorneys as they pursue their design and manufacture plans.

In one of the best examples we have ever seen that it pays to be HIPAA compliant (and can cost A LOT when you are not), the U.S. Department of Health and Human Services, Office for Civil Rights, issued the following press release about the above settlement.  This is worth a quick read and some soul searching if your company has not been meeting its HIPAA requirements.

FOR IMMEDIATE RELEASE
April 24, 2017
Contact: HHS Press Office
202-690-6343
media@hhs.gov

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

HHS has gathered tips and information to help protect and secure health information when using mobile devices:  https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

New leadership at the Federal Trade Commission could be good news for businesses with concerns about the agency’s enforcement methods in the realm of cybersecurity.

The relief comes in the form of President Donald Trump’s appointment of Commissioner Maureen Ohlhausen to the position of acting FTC Chair. She is the lone Republican on what is soon to be a two-person body following the announced February 10 resignation of former Chair Edith Ramierez. The other remaining member of the five-member board will be Democrat Terrell McSweeney.

Businesses hope Ohlhausen’s appointment signals a shift in the agency’s enforcement philosophy and priorities in the area of privacy and data security. “In the cybersecurity and privacy realm, I believe acting Chair Ohlhausen will be more exacting in her standards for enforcement actions, ensuring that any case that moves forward is founded on demonstrable and tangible harms,” said former FTC Commissioner Julie Brill.

That’s a key distinction. Since the second Bush Administration, the FTC has been considered the nation’s leading privacy and data security regulator, focusing its enforcement on allegedly deceptive trade practices. Ohlhausen is expected to shift that focus toward more identifiable, tangible harms suffered by consumers.

Most FTC privacy and data security actions fall under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45). It provides the agency authority to police unfair and deceptive trade practices. In most cases, the FTC has prosecuted entities for making allegedly untrue or misleading statements about their privacy and data security practices. Ohlhausen was appointed by Barack Obama in 2012, and has been a critic of government regulation, including the Federal Communications Commission’s net neutrality rules. She contends the FTC should focus on preserving “America’s true engine of prosperity: a free, honest, and competitive marketplace.”

A supporter of economic liberty, she has challenged government overreach, suggesting that the FTC should adopt “a philosophy of regulatory humility . . . and be mindful of the private and social costs that government actions inflict.”

Ohlhausen’s record on the commission supports a shift toward a tangible harm standard to bring enforcement actions under Section 5’s unfairness provisions, whereas her predecessors have directed the FTC to investigate companies that have harmed consumers through “unreasonable” data security practices. The “tangible harm” requirement creates a higher threshold of harm for the FTC to launch an investigation or initiate a lawsuit. In the past, the agency has investigated and prosecuted claims involving potential threats to consumers.

Her more than decade-long record on the FTC bears that out. She often dissents on suits involving allegations of what were in her opinion intangible or insufficient harms. Most recently, she disagreed with the FTC complaint against D-Link Corporation which alleged the company failed to property secure wireless routers, putting consumers’ privacy at risk. She also dissented on the agency’s $20 million settlement with Uber for using unrealistically high earnings estimates to entice new drivers, and the FTC’s lawsuit against Qualcomm over its use of market power to secure a monopoly on certain semiconductors.

Ohlhausen outlined her vision of the FTC under the Trump administration in a recent speech to the conservative Heritage Foundation, saying that she would take an “evidence-based solution to all issues” and speaking against creeping over-regulation and the costs it imposes on business. In practice, the FTC under Ohlhausen would likely revise its approach to intervention decisions and narrow the scope and expense of the compulsory process itself.

Will Ohlhausen be offered the chairmanship permanently? That’s unknown. Some have reported that billionaire venture capitalist Peter Thiel is leading the search for a permanent FTC chair. Ohlhausen’s term on the FTC extends through September 2018.