TCPA Rules for VoIP Demands Fresh Approach to FCC Regulatory Principles

Eduardo Guzmán has written an article for Law360 on the Telephone Consumer Protection Act (TCPA) as it relates to voice over internet protocol (VoIP) services.

Much like the explosion in the use of mobile devices dramatically changed how the TCPA has been enforced and applied, emerging technologies like VoIP threaten to alter the TCPA landscape in ways that would have been unpredictable when the statute was enacted in 1991. The TCPA does not mention VoIP or VoIP calls, but the proliferation of VoIP services and their ability to mirror traditional telephony has made them a favorite target of the TCPA plaintiffs’ bar.

Supreme Court Hears Arguments on Cloud Security

On February 27, 2018, the Supreme Court heard arguments surrounding the privacy of data stored abroad and the reach of U.S. search warrants to retrieve such data. While the Supreme Court decides the merits of United States v. Microsoft, Congress will debate overhauling the Stored Communications Act (“SCA”) to reflect technological advances that were not contemplated back in 1986 – the year of the SCA’s enactment. For a fuller examination of the arguments, see the post on the Anticorruption blog. The SCA governs the proper disclosure of electronic communications to third parties and provides civil and criminal penalties for improper disclosure. This decision involves the data privacy expectations of U.S. and non-U.S. citizens alike and could impact a number of companies that store or facilitate the transmission of electronic communications.

Recent HHS Settlement Showcases that Alleged HIPAA Liability Attaches Even After a Business Closes its Doors

The HHS Office of Civil Rights announced earlier this month that a court-appointed receiver for Illinois moving and storage company Filefax has entered into a resolution agreement and corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules. The receiver for Filefax, which went out of business during OCR’s investigation, has agreed to pay $100,000 for alleged mishandling and improper disclosure of medical records containing protected health information for approximately 2,150 patients. OCR Director Roger Severino has pointed to the settlement agreement as a reminder to companies that HIPAA still applies regardless of whether a covered entity is opening or closing its doors. For more information, please see our Triage Health Law blog post.

SEC Emphasizes Cybersecurity as a Focus Area for the Coming Year

Last week, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations released its enforcement priorities for 2018.  Making the list for the fifth year in a row, cybersecurity was emphasized as a focus for the SEC in the coming year.

In a recent post on Squire Patton Boggs’ anticorruption blog, Coates Lear, Tara Swaminath, and Elizabeth Weil Shaw discuss the announcement, as well as the implications of the SEC’s recent and continued emphasis on cybersecurity.

The GDPR’s Impact on CCTV and Workplace Surveillance

What is CCTV?

CCTV means closed-circuit television, also known as video surveillance. Video surveillance systems monitor the behavior, activities, or other changing information, usually of people, from a distance by means of electronic equipment.

Video surveillance can include anything from closed circuit television or automatic number-plate recognition systems, to any other system for recording, storing, receiving or viewing visual images for surveillance purposes.

In 2016, it was estimated that there were approximately 350 million video surveillance cameras installed worldwide.

Security and Privacy: A View from Asia and the Middle East

As 2018 picks up steam from its start, we are beginning to see traction in relation to various new regional data privacy and cybersecurity laws. Many of the provisions seem designed to enable countries to seek an EU Adequacy Finding, which is akin to the Privacy Shield provisions between the EU and the US. This would allow the easier transfer of EU data between the countries.

HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate

Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, the documents also contain helpful new information and serve to collect prior guidance spread in numerous places into a single location. The first document focuses on research authorizations and revocations:

A Week Later, Early Predictions about Meltdown and Spectre Largely Hold True

The two attacks affect nearly 90 percent of the world’s computers.

Recent reports suggest that computers – personal, business, and cellular alike – are susceptible to two newly discovered major security flaws. These flaws, colloquially known as “Meltdown” and “Spectre,” could open the door for hackers to access the contents of almost any computer.

Meltdown could provide hackers the ability to become squatters on cloud-based services, but more importantly provide them access to other consumers’ information, including passwords. In cloud-based services where consumers generally share servers, there are protocols in place to protect each customer’s information from being accessible to the others. Meltdown provides a way for hackers to circumvent those protocols, read sensitive data or gain access to other applications running on a shared server.

How to Find Official Guidance on the EU General Data Protection Regulation (GDPR)

Happy New Year!  With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant.

Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real world situations is often very unclear. The Article 29 Working Party, a body consisting of EU national data protection authorities, has issued several important opinions and guidelines intended to help data controllers and processors interpret the new rules. These guidelines, while not legally binding, are influential and are likely to be given considerable weight by reviewing courts.