NP PRIVACY PARTNER
Nixon Peabody LLP
What's trending on NP Privacy Partner
January 30, 2015

Beware private drone operators, the FTC issues an Internet of Things report, hackers use stolen passwords to steal airline miles, a state HIPAA violation settlement, and social media does not equal personal jurisdiction. Here's what's trending in Data Privacy and Security this week.

Data Privacy

FTC releases Internet of Things report to address consumer privacy and security

On January 27, 2015, the Federal Trade Commission (FTC) released "Internet of Things: Privacy & Security in a Connected World," which addresses the growth of connected devices and the privacy and security risks they pose for the consumers who are connected to this web of technology. In the report, the FTC provides a list of steps businesses can take to protect consumers' privacy and security. Here are the FTC's recommendations:

- Build security into devices at the outset, rather than as an afterthought in the design process;
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- Ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- When a security risk is identified, consider a defense-in-depth strategy whereby multiple layers of security may be used to defend against a particular risk;
- Consider measures to keep unauthorized users from accessing a consumer's device, data, or personal information stored on the network;
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

The FTC further recommends that businesses consider data minimization, collecting and retaining consumer data only for a specific, necessary time period, and that they allow consumers a choice in how their information is used and shared.
The FTC said in its press release, "The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits." So what's the concern? Connected devices raise huge privacy concerns for consumers, and without consumer trust, this innovative technology can't reach its true potential. The FTC hopes to remedy that problem by encouraging businesses to truly protect consumer privacy.

Kathryn M. Sylvia

Enforcement & Litigation

First-ever FAA settlement with private drone pilot for airspace violation

On January 22, 2015, pilot and videographer Raphael Pirker reached a landmark settlement with the Federal Aviation Administration (FAA) in the agency's first-ever enforcement action against a private drone pilot, which arose from Pirker's refusal to pay a $10,000 fine for violating FAA regulations by flying a drone over the University of Virginia's airspace. Pirker agreed to pay $1,100 without admitting any regulatory violations, and the FAA in turn agreed to drop several other allegations that the agency had brought against the pilot back in 2011. This case was first heard in March 2014, when a Federal Administrative Law Judge determined that Pirker's plastic-foam model aircraft was not regulated by the FAA. Only a few months after that decision, the FAA announced that it would allow commercial operators of unmanned aircraft to apply for exemptions to fly their aircraft. However, the FAA also appealed the Federal Administrative Law Judge's decision to the National Transportation Safety Board (NTSB), and the NTSB narrowly ruled that model aircraft operators are subject to one FAA regulation: the prohibition on careless or reckless operation.

Pirker's attorney says, "The discussion triggered by the case encouraged the FAA to look for ways to allow progress to be made, and what they came up with was the exemption process, which has had a beneficial impact for the industry. Without that discussion about what regulations apply, if any, I think there would have been far less pressure for the path forward."

Surely, as the use of private drones becomes more prevalent, the FAA will weigh in on an individual's use of airspace and whether the FAA regulations apply. The use of these drones really comes down to the issue of an individual's privacy and protecting citizens from unwanted invasions into their private lives. We'll watch as drone talk surely spreads in the media.

Kathryn M. Sylvia

Data Breach

Medical device manufacturer alerts patients of data breach caused by vendor

Medical device company DJO Global recently notified some of its patients that an unencrypted laptop belonging to an employee of one of its contractors was stolen from the employee's car. The laptop was in the employee's backpack on the back seat of his locked vehicle. He went into a coffee shop to grab a cup of coffee, and a thief smashed the window of his car and stole the backpack and laptop. The stolen patient data included patient names, phone numbers, diagnosis codes, surgery dates, health insurer and clinic and doctor names, as well as several Social Security numbers.

This is another important warning to medical device manufacturers and contractors to implement encryption technology on any laptops that are used in the field.

Linn Foster Freedman

Hackers use stolen user names and passwords to steal miles from American and United Airlines customers

Cybercriminals who had previously stolen or bought compromised user names and passwords from other websites were able to use those same credentials to steal airline miles from customers of American and United Airlines. Please note that the airline servers weren't hacked. What happened was that the cybercriminals used previously stolen user names and passwords to impersonate customers by logging into the American and United Airlines sites with the same user name and password the customers had used elsewhere. This is a perfect example of why it is so important for consumers not to use the same user name and password for different websites. The hackers were able to use the customer's user name and password to book flights and trips and to spend mileage on a free trip or upgrade. American Airlines admitted that up to 10,000 accounts were affected.

Linn Foster Freedman

Credit union regulator agrees to pay costs associated with lost thumb drive

The National Credit Union Administration Board recently admitted that it failed to follow its own security policies when it downloaded the data of Palm Springs Credit Union (PSCU) onto an unencrypted thumb drive during an examination of PSCU. An examiner lost the thumb drive, which included account numbers but did not include passwords or PINs. PSCU has provided notification and will offer credit monitoring for its affected members. The National Credit Union Administration Board has agreed to pay up to $50,000 to PSCU to reimburse it for the staff time and attorneys' fees associated with the data breach, as well as credit monitoring costs.

Linn Foster Freedman

Social Media

An Illinois resident's Facebook posting does not create personal jurisdiction to support a lawsuit against him in California

In Burdick v. Superior Court of Orange County (No. G049107, filed January 14, 2015), the California Court of Appeal, Fourth Appellate District, addressed whether an Illinois resident may be sued in California because he posted allegedly defamatory statements on his publicly available Facebook page. The Appellate Court held that posting defamatory statements about a person on a Facebook page, while knowing that the person resides in California, is by itself insufficient to create the minimum contacts necessary to support personal jurisdiction in a California lawsuit arising out of that posting. The non-resident must not only intentionally post the statements on the Facebook page, but must also expressly aim or direct his intentional conduct at the forum state for the lawsuit (California), rather than at a plaintiff who happens to live there. The focus must be upon the forum-related acts personally committed by the non-resident, not upon the plaintiff's contacts with the forum. This case offers important analysis regarding the jurisdictional scope of Internet-based defamation claims.

The lawsuit was filed by two bloggers who questioned a skin care company's quality of products and operations. The skin care company and its executives allegedly responded with a campaign of harassment and defamation against the bloggers. One of its representatives, Douglas Burdick, posted on his Facebook page an announcement that scandalous information would be revealed regarding the bloggers. Burdick insinuated that one of the bloggers uses multiple Social Security numbers and was charged with domestic violence on multiple occasions. In response to the bloggers' lawsuit, Burdick challenged California's jurisdiction over him, claiming that he has lived in Illinois for over four decades, never lived in California, and never had any meaningful contacts with California. Burdick declared that he made, and later removed, the allegedly defamatory social media posting from his personal Facebook page while he was in Illinois. A California Trial Court rejected Burdick's jurisdictional challenge, finding that the effects of his posting reached California. In reversing the ruling, the California Appellate Court held that the plaintiffs failed to demonstrate that the Facebook post was expressly aimed at California, rather than at the plaintiffs, such that the forum was the focal point of the allegedly tortious conduct. There was insufficient evidence that Burdick's Facebook page focused on California, that the allegedly defamatory posting was directed specifically at California residents, or that the persons or institutions to whom or which the posting was directed (Burdick's Facebook friends) resided in California. The Appellate Court vacated the Trial Court's order finding jurisdiction, and it directed the Trial Court to rule on whether the plaintiffs should be allowed to conduct jurisdictional discovery to support a lawsuit against Burdick in California beyond his mere posting on Facebook.

Steven M. Richard

HIPAA

Dentist pays $12,000 fine to Indiana AG for HIPAA and state law violations

Dentist Joseph Beck's license to practice dentistry was revoked by the Indiana Board of Dentistry in December of 2011. In March of 2013, he hired a private company to dispose of his patient records, spanning from 2002-2007, which included patients' names, birth dates, Social Security numbers, medical records, insurance cards and information, and state ID numbers. Less than a week after the company retrieved the patient records from his office, a total of 63 boxes of his patient records were found in a dumpster in Indianapolis. The Indiana Attorney General's office retrieved the records and filed suit against Beck for improperly disposing of the records. The AG stated that this file dump was an egregious violation of patient privacy and safety. The AG's suit against Beck alleged that he failed to protect the information, which, according to the Complaint, violated state privacy laws and HIPAA. Beck settled the case with the AG for $12,000. Just another example of why you can't throw sensitive paper records in the trash. Best practice is to shred paper records!

Linn Foster Freedman

For more information, please contact:
Linn Foster Freedman, Privacy & Data Protection Group Leader, at lfreedman@nixonpeabody.com or 401-454-1108
Kathryn M. Sylvia at ksylvia@nixonpeabody.com or 401-454-1029
Steven M. Richard at srichard@nixonpeabody.com or 401-454-1020

NP Privacy Partner Blog
Staying ahead in a data-driven world: insights from our Data Privacy & Security team.

This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered advertising under certain rules of professional conduct. Copyright 2015 Nixon Peabody LLP. All rights reserved.