What s trending on NP Privacy Partner

Transcription

1 NP PRIVACY PARTNER Nixon peabody LLP What s trending on NP Privacy Partner January 30, 2015 Beware private drone operators, the FTC issues an Internet of Things report, hackers use stolen passwords to steal airline miles, a state HIPAA violation settlement and social media does not equal personal jurisdiction. Here s what s trending in Data Privacy and Security this week. Data Privacy FTC releases Internet of Things report to address consumer privacy and security On January 27, 2015, the Federal Trade Commission (FTC) released Internet of Things: Privacy & Security in a Connected World, to address the growth of connected devices, but also the privacy and security risks for consumers who are connected to this web of technology. In the report, the FTC provides a list of steps for businesses to take that will protect consumers privacy and security. Here are the FTC s recommendations: Build security into devices at the outset, rather than as an afterthought in the design process; Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization; Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers; When a security risk is identified, consider a defense-in-depth strategy whereby multiple layers of security may be used to defend against a particular risk; Consider measures to keep unauthorized users from accessing a consumer s device, data, or personal information stored on the network; Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks. The FTC further recommends that businesses consider data minimization and only collect and retain consumer data for a specific time period (as necessary), and to allow consumers choice in how their information is used and shared. This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered advertising under certain rules of professional conduct. Copyright 2015 Nixon Peabody LLP. All rights reserved.

2 The FTC said in its press release, The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits. So what s the concern? Connected devices raise huge privacy concerns for consumers, and without consumer trust, this innovative technology can t reach its true potential. The FTC hopes to remedy that problem by encouraging businesses to truly protect consumer privacy. Kathryn M. Sylvia Enforcement & Litigation First ever FAA settlement with private drone pilot for airspace violation On January 22, 2015, pilot and videographer, Raphael Pirker, reached a landmark settlement with the Federal Aviation Administration (FAA) in the agency s first-ever enforcement action for the pilot s refusal to pay a $10,000 fine for violating FAA regulations and flying a drone over the University of Virginia s airspace. Pirker agreed to pay $1,100 without admitting any regulatory violations, and the FAA in turn agreed to drop several other allegations that the agency brought against the pilot back in This case was first heard back in March 2014, when a Federal Administrative Law Judge determined that Pirker s plastic-foam drone model aircraft was not regulated by the FAA. The FAA announced only a few months after that decision that it would allow commercial operators of unmanned aircrafts to apply for exemptions to fly their aircrafts. However, the FAA also appealed the Federal Administrative Law Judge s decision to the National Transportation Safety Board (NTSB), and the NTSB narrowly ruled that model aircraft operators are subject to one FAA regulation careless or reckless operation. Pirker s attorney says, The discussion triggered by the case encouraged the FAA to look for ways to allow progress to be made, and what they came up with was the exemption process, which has had a beneficial impact for the industry. Without that discussion about what regulations apply, if any, I think there would have been far less pressure for the path forward. Surely, as the use of private drones becomes more prevalent, the FAA will weigh in on an individual s use of airspace and whether the FAA regulations apply. The use of these drones really comes down to the issue of an individual s privacy and protecting citizens from unwanted invasions into their private lives. We ll watch as more drone talk surely exudes in the media. Kathryn M. Sylvia Data Breach Medical device manufacturer alerts patients of data breach caused by vendor Medical device company, DJO Global, recently notified some of its patients that an unencrypted laptop of an employee of one of its contractors was stolen from the employee s car. The laptop was in the employee s backpack in the back seat of his locked vehicle. He went into a coffee shop to grab a cup of coffee, and a thief smashed the window of his car and stole the backpack and laptop. The stolen patient data included patient names, phone numbers, diagnosis codes, surgery dates, health insurer and clinic and doctor names, as well as several Social Security numbers.

3 This is another important warning to medical device manufacturers and contractors to implement encryption technology on any laptops that are used in the field. Linn Foster Freedman Hackers use stolen user names and passwords to steal miles from American and United Airlines customers Cybercriminals who previously stole or bought compromised user names and passwords from other websites, were able to use those same user names and passwords to steal airline miles from customers of American and United Airlines. Please note that the airline servers weren t hacked. What happened was that the cybercriminals used previously stolen user names and passwords to impersonate the customer by using the same user name and password to get into the American and United Airlines sites. This is a perfect example of why it is so important for consumers not to use the same user name and password for different websites. The hackers were able to use the customer s name and password to book flights and trips and use mileage for a free trip or upgrade. American Airlines admitted that up to 10,000 accounts were affected. Linn Foster Freedman Credit union regulator agrees to pay costs associated with lost thumb drive The National Credit Union Administration Board recently admitted that it failed to follow its own security policies when it downloaded the data of Palm Springs Credit Union (PSCU) onto an unencrypted thumb drive during an examination of PSCU. An examiner lost the thumb drive, which included account numbers, but did not include passwords or PINs. PSCU has provided notification and will offer credit monitoring for its affected members. The National Credit Union Administration Board has agreed to pay up to $50,000 to PSCU to reimburse it for the staff time and attorneys fees associated with the data breach, as well as credit monitoring costs. Linn Foster Freedman Social Media An Illinois resident s Facebook posting does not create personal jurisdiction to support a lawsuit against him in California In Burdick v. Superior Court of Orange County (No. G049107, filed January 14, 2015), the California Court of Appeal, Fourth Appellate District, addressed whether an Illinois resident may be sued in California because he posted alleged defamatory statements on his publicly available Facebook page. The Appellate Court held that posting defamatory statements about a person on a Facebook page, while knowing that the person resides in California, is insufficient itself to create the minimum contacts necessary to support personal jurisdiction in a California lawsuit arising out of that posting. The non-resident must not only intentionally post the statements on the Facebook page, but must also expressly aim or direct his intentional conduct at the forum state for the lawsuit (California), rather than at a plaintiff who happens to live there. The focus must be upon the forum-related acts personally committed by the non-resident, not upon the plaintiff s contacts with the forum. This case offers important analysis regarding the jurisdictional scope of Internetbased defamation claims.

4 The lawsuit was filed by two bloggers who questioned a skin care company s quality of products and operations. The skin care company and its executives allegedly responded with a campaign of harassment and defamation against the bloggers. One of its representatives, Douglas Burdick, posted on his Facebook page an announcement that scandalous information would be revealed regarding the bloggers. Burdick alluded that one of the bloggers uses multiple Social Security numbers and was charged with domestic violence on multiple occasions. In response to the bloggers lawsuit, Burdick challenged California s jurisdiction over him, claiming that he has lived in Illinois for over four decades, never lived in California, and never had any meaningful contacts with California. Burdick declared that he made and later removed the allegedly defamatory social media posting from his personal Facebook page while he was in Illinois. A California Trial Court rejected Burdick s jurisdictional challenge, finding that the effects of his posting reached California. In reversing the ruling, the California Appellate Court held that the plaintiffs failed to demonstrate that the Facebook post was expressly aimed at California, rather than the plaintiffs, such that the forum was the focal point of the allegedly tortious conduct. There was insufficient evidence that Burdick s Facebook page focused on California, that the allegedly defamatory posting was directed specifically at California residents, or that the persons or institutions to whom or which the posting was directed (Burdick s Facebook friends) resided in California. The Appellate Court vacated the Trial Court s Order finding of jurisdiction, and it directed the Trial Court to rule on whether plaintiffs should be allowed to conduct jurisdictional discovery to support a lawsuit against Burdick in California beyond his mere posting on Facebook. Steven M. Richard HIPAA Dentist pays $12,000 fine to Indiana AG for HIPAA and state law violations Dentist, Joseph Beck s license to practice dentistry was revoked by the Indiana Board of Dentistry in December of In March of 2013, he hired a private company to dispose of his patient records, spanning from , which included patients names, birth dates, Social Security numbers, medical records, insurance cards and information, and state ID numbers. Less than a week after the company retrieved the patient records from his office, a total of 63 boxes of his patient records were found in a dumpster in Indianapolis. The Indiana Attorney General s office retrieved the records and filed suit against Beck for improperly disposing the records. The AG stated that this file dump was an egregious violation of patient privacy and safety. The AG s suit against Beck alleged that he failed to protect the information, which, according to the Complaint, violated state privacy laws and HIPAA. Beck settled the case with the AG for $12,000. Just another example of why you can t throw sensitive paper records in the trash. Best practice is to shred paper records! Linn Foster Freedman

5 For more information, please contact: Linn Foster Freedman, Privacy & Data Protection Group Leader, at or Kathryn M. Sylvia at or Steven M. Richard at or NP Privacy Partner Blog Staying ahead in a data-driven world: insights from our Data Privacy & Security team.