FTC Settles with Four Companies over Privacy Shield Certification

In the wake of the determination by the European Commission that the EU-US Safe Harbor Framework was insufficient to protect EU citizens’ personal information, the Privacy Shield Framework was implemented by the Department of Commerce.

Companies who apply for Privacy Shield certification are required to file an application, which requires the companies to attest to certain things that they are doing to protect personal data of individuals before personal information of EU citizens are transferred to the U.S.

Although the Department of Commerce administers the Privacy Shield Framework, the Federal Trade Commission (FTC) enforces it, which recently settled with four companies it alleged falsely claimed that they participated in Privacy Shield.

According to the FTC, IDMission, LLC, mResource LLC d/b/a Loop Works, LLC, SmartStart Employment Screening, Inc. and VenPath, Inc. falsely claimed that they were Privacy Shield certified. The allegations included that the companies listed participation in the Privacy Shield Framework on their websites and they either failed to complete their applications and certification, or failed to renew their certification.

The settlements require the companies to stop misrepresenting Privacy Shield status on their websites and comply with FTC reporting requirements.

These settlements are an important reminder to companies participating in the Privacy Shield Framework to monitor the status of their certification and not allow it to lapse, as well as keeping their websites accurate about certification. The FTC has been open about the fact that it continuously monitors company websites about Privacy Shield Certification.

ULC’s Reliance on 1946 Supreme Court Case for Drone Innovation

Over 100 years ago manned aviation revolutionized transportation. However, it is less well-known that it also sparked a big change in property rights.

In the 1946 Supreme Court case, United States v. Causby, the court determined that although historically owning land was thought to convey a property right “to the periphery of the universe,” this concept had “no place in the modern world.” That is, Congress recognized that as far back as the Air Commerce Act of 1926, “navigable airspace” (i.e. the airspace above minimum safe altitudes) had to be subject to a “public right of freedom of foreign and interstate air navigation.” This resulted in the idea that “the air is a public highway” from the Causby court.

Now, with the rise of unmanned aerial systems (UAS or drones), the well-settled concept of navigable airspace as a public good and air navigation as a federal right are facing scrutiny. UAS are unique (and vastly different from manned aircraft) because they fly low, in the interstitial spaces. UAS can operate almost anywhere; this means that UAS have expanded the safe altitude for flight dramatically. Under Federal Aviation Administration (FAA) rules for the operation of UAS, UAS are authorized to fly below 400 feet (and above, with the appropriate FAA waiver).

Now, the Uniform Law Commission (ULC), a publicly funded organization with state-appointed members from around the country that encourage uniform state-law approaches to all sorts of issues, has established a committee for drafting tort laws relating to drones. The committee’s draft proposal would restrict drone operations by allowing property owners a right to exclude all drones from the airspace up to 200 feet above any structure or the ground. Essentially, drones would be restricted from flying below 200 feet without express individual permission from the landowner, establishing a “per se” trespass tort law. The act of the flight itself would be an injury that could lead to a lawsuit against the drone operator without any actually physical injury caused.

There is a practical problem with this proposal –it would cut the usable airspace in half. That is, the FAA allows UAS operations below 400 feet (and in accordance with Part 107 UAS regulations), but a 200-foot minimum altitude may be a bit unworkable because it would be hard to negotiate a right of transit in that limited space. Additionally, because the FAA has authority to regulate navigable airspace, it would seem that state law restricting drone flights to above 200 feet, FAA regulations would preempt state law. Of course, this issue of preemption has been debated when it comes to drones as well lately because of the FAA’s push to get states and state law enforcement involved in the regulation of these devices.

We will follow this ULC draft as it progresses; for now, many in the drone industry turn to Causby and believe that the idea that property owners have the right to exclude drones flying above their property simply “has no place in the modern world.”

President Trump Signs the FAA Reauthorization Act: What Does it Mean for Drones?

On October 5, 2018, President Trump signed the Federal Aviation Administration (FAA) Reauthorization Act which establishes new conditions for the recreational use of drones and immediately repealed the Special Rule for Model Aircraft. The FAA is currently evaluating the impact of this change and how the organization will implement these changes.

In addition to continuing to support the $36 million NextGen program and paying the FAA’s 14,000 air traffic controllers, the FAA is instructed to provide greater regulation of drones—that is, the Act allows the government to shoot down or take down by other counter-UAS means a drone that is “identified as high-risk and a potential target for unlawful unmanned aircraft activity.”

Specifically, Subtitle B of the Act (which deals with drones) sets forth the following:

  • The FAA is tasked with developing regulations to expand the operation of small unmanned aerial systems (UAS) (currently operating under Part 107) to operations beyond-visual-line-of-sight, at night and over persons;
  • Requires the FAA to update existing regulations within one year to permit the carriage of packages by small commercial UAS operators within the United States;
  • The development of a framework to establish a standard for regulating UAS operations, whether operated for commercial purposes or for recreation. Drone hobbyists will now have to complete aeronautical knowledge testing and comply with other operating requirements currently applicable only to commercial drone operators;
  • The Government Accountability Office (GAO), the Department of Transportation (DOT) and the National Telecommunications and Information Administration (NTIA)to review the privacy issues and concerns associated with the operation of UAS; and,
  • Requires the FAA to consult with the Department of Homeland Security (DHS) and the Department of Justice (DOJ), which are authorized to take countermeasures against a UAS posing a danger to federal facilities and assets (see above).

We will follow the FAA’s implementation of the new Act and any guidance related to these changes.

The Reality of Self-Driving Cars and the Regulatory Hurdles

The National Highway Traffic Safety Administration (NHTSA) says in its guidelines for automakers and state regulators regarding autonomous vehicles that “‘automated’ or ‘self-driving’ vehicles are a future technology rather than one that you’ll find in a dealership tomorrow or in the next few years,” because “a variety of technological hurdles have to be cleared, and other important issues must be addressed before these types of vehicles can be available for sale in the United States.” However, the NHTSA also says that “fully automated cars and trucks that drive us, instead of us driving them, will become a reality.”

So, where does that leave us? Well, it leaves a lot of work for the federal government, states and automakers and their suppliers. For example, currently, as written, federal auto regulations require that all vehicles have a steering wheel and brakes, so if automakers want to test autonomous vehicles without people-centric controls, they have to obtain waivers. States, on the other hand, have to regulate how vehicle operators are licensed in these autonomous vehicles, as well as the ‘new’ rules of the road and how insurance is regulated. Right now, there is a lot of different legislative activity among the states related to autonomous vehicles, but it is a patchwork. To alleviate some of this confusion, the Uniform Law Commission (ULC) has been working to develop legislation for automated vehicles that states can use. As it stands, the draft version of these rules from the ULC state that automakers must self-certify to NHTSA that their vehicles meet safety requirements and that the vehicle will abide by the rules of the road. People riding in self-driving cars would not have to have driver’s licenses.

On the Federal side, the U.S. House of Representatives has approved a bill relating to autonomous vehicles, and the Senate has its own version, although it has not yet been provided to the Senate Commerce Committee.

For now, automakers and passengers alike are left with the patchwork of rules and regulations. As the technology progresses and automakers prove that these vehicles are safe for the roads, we will likely see a clearer path of legislation. We will continue to monitor this evolving space.

OIG Announces New Multidisciplinary Cybersecurity Team

The Office of Inspector General (OIG) recently announced the creation of a cybersecurity team focused on combating threats within the Department of Health & Human Services (HHS), and within the health care industry. The team includes auditors, evaluators, investigators, and attorneys with experience in cybersecurity matters, and its work is intended to build on the cybersecurity priorities the OIG has previously identified in its annual assessments and reports. Continue Reading

Protecting the Privacy of Children Online – More Updates on COPPA

Last week, two Senators, Senator Edward J. Markey of Massachusetts and Senator Richard Blumenthal of Connecticut sent a letter to the Federal Trade Commission (FTC) regarding apps designed for children and whether they are in compliance with the Children’s Online Privacy Protection Act (COPPA), See 15 U.S.C. 6501 and regulations at 16 C.F.R. Part 312 et. seq.  The Senators stated that they are concerned that thousands of apps may “improperly track children and collect their personal information.” The Senators requested a response from the FTC by October 31. The letter also asked that the FTC “investigate whether these apps, and the advertising companies they work with, are in fact tracking children with persistent identifiers and collecting their personal information in violation of COPPA…” Continue Reading

FDA Announces Playbook for Medical Device Cybersecurity

On October 1, 2018, the Food and Drug Administration (FDA) issued its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” to address continued threats to medical devices that could affect patient safety.

The 32 page playbook, developed by MITRE Corp., states that “the purpose of the playbook is to serve as a tool for regional readiness and response activities to aid [healthcare delivery organizations] in addressing cybersecurity threats affecting medical devices that could impact continuity of clinical operations for patient care and patient safety.”

The objectives of the framework are to:

  • Provide baseline medical device cybersecurity that organizations can incorporate into their emergency preparedness and response
  • Assist with clarifying lines of communication and outline roles and responsibilities for internal and external responders
  • Offer a standardized approach to response efforts across organizations and regions
  • Provide enhances coordination activities among stakeholders
  • Provide information regarding decision making for escalated responses
  • Identify resources that can be leveraged for preparedness and response
  • Serve as a response tool that can be customized for regional preparedness that can be broadly implemented.

The playbook emphasizes that cybersecurity is a “team sport” and that patient safety is maximized with regional collaboration and information sharing. Part of the playbook recommends that regional partners must build trust relationships and share best practices with each other, develop mutual aid agreements, exchange point of contact information, conducting joint exercises, identify regional incident command/coordination center, and share cybersecurity advisories and alerts.

The playbook could also be a guide for states and municipalities on how to prepare for and respond to a cybersecurity threat beyond threats to medical devices as it outlines basic preparedness and response strategies. It is a virtual “how to” that can assist governmental and private entities alike. The playbook can be accessed here.

Proposed New Rules Submitted to OMB on Information Blocking

On September 17, 2018, the federal Office of the National Coordinator for Health Information Technology (ONC) submitted proposed new rules to the Office of Management and Budget (OMB), entitled, “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.” https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201804&RIN=0955-AA01 [View related post].

The 21st Century Cures Act was signed into law in December 2016, and a critical requirement of the Act was to publish regulations that will ultimately set forth the framework for regulatory investigations by the Office of the Inspector General. The new rules set forth provisions that provide guidance on what measures can and can’t be taken to block information sharing.

From a Health IT standpoint, protecting health data and prohibiting information blocking are critical steps in the transformation to a patient centered health care system. What is information blocking?

Information blocking means a practice that:

(A) except as required by law or specified by the Secretary pursuant to rulemaking under paragraph (3), is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information; and

(B) (i) if conducted by a health information technology developer, exchange, or network, such developer, exchange, or network knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information; or (ii) if conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information. 42 U.S.C. §300jj-52(a)(1).

The ONC states that information blocking ”occurs when a person or entity- typically a health care provider, IT developer, or EHR vendor – knowingly and unreasonably interferes with the exchange and use of electronic health information…” See https://www.healthit.gov/topic/information-blocking. The ONC further cites examples of information blocking that include fees that make data exchange cost prohibitive or organizational policies or contract terms that prevent sharing information with patients or health care providers. Id.

These regulations will be important in defining the practices, parameters and regulatory enforcement framework that will allow the “trusted exchange” of data, while prohibiting practices that inappropriately restrict or inhibit that data exchange, and set forth a regulatory framework if entities do engage in data blocking.

Hacker Hits Toyota Industries N.A.

Toyota Industries North America (TINA) has discovered that a hacker was able to access its corporate email system, compromising the personal and protected health information of approximately 19,000 individuals, apparently most of whom were employees.

The data that was potentially compromised included health insurance information, names, addresses, dates of birth, financial information, Social Security numbers, photographs of Social Security cards, and more than 12 additional data elements.

The access is reported to have occurred through the email system, which is common these days, particularly if multi factor authentication is not implemented.

TINA noted that it will enhance data security training, implement multi-factor authentication, improve security monitoring and implement mandatory password protections.

Sunrun Settles Robocall Suit for $5.5 Million

Although it denies liability or wrongdoing, Sunrun Inc. has agreed to pay $5.5 million to settle a potential class action case alleging it of calling numbers on the Do Not Call Registry. Sunrun, a solar company, is alleged to have made unsolicited, automatic, pre-recorded voice calls to people on the Do Not Call Registry and also on its own do not call list to promote its solar energy products.

Sunrun agreed to pay the putative class $5.5 million, which includes $250,000 for settlement administration costs and establishing a toll-free numbers for class members to call for information. It also agreed to oversee the telemarketing efforts of its subsidiary for the next four years and implement procedures to prevent unsolicited robocalls.