Privacy Archives - Page 26 of 31

Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech

On Friday, December 1, the Federal Trade Commission and the Department of Education hosted a workshop examining student privacy in the burgeoning field of “EdTech.” Both agencies regulate certain educational technology aimed at K-12 students. However, FTC rules implementing the Children’s Online Privacy Protection Act (“COPPA”) are not identical to ED regulations implementing the Family Educational Rights and Privacy Act (“FERPA”). To better understand how both rules interact in practice, the agencies solicited public comment and convened panels of experts and stakeholders – including vendors, schools, parents, and regulators.

The workshop explored several key issues, including when a school may provide consent on behalf of participating students; how record retention (and deletion) should be noticed and executed; and what limits to impose on vendors collecting personal student information. In closing, both agencies expressed a desire to provide clear, workable regulatory oversight while meaningfully protecting student privacy.

Continue reading “Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech”

Another State-Lead Data Breach Action Results in High Fines and Strict Compliance Requirements

Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud. The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.

The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws. More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws. It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.

Continue reading “Another State-Lead Data Breach Action Results in High Fines and Strict Compliance Requirements”

Smartwatch News: Privacy Edition

As smartwatches gain in popularity, innovative uses for the wearable technology, along with privacy concerns, continue to pop up. In this roundup, we look at a new app that can help in atrial fibrillation studies and privacy concerns regarding smartwatches for children.

New app identifies irregular heartbeats for medical study

Apple recently launched the Apple Heart Study App, described as a “first-of-its-kind research study using Apple Watch’s heart rate sensor to collect data on irregular heart rhythms and notify users who may be experiencing atrial fibrillation.” Atrial fibrillation is a leading cause of stroke and other heart conditions.

Apple Watch users will be able to enroll in a joint study with Stanford University School of Medicine, which will use the device’s heart rate monitor to check for an irregular heart rate. If an irregular heart rhythm is identified, the participant will receive a notification on his Apple Watch and iPhone, a free consultation with a study doctor, and an electrocardiogram patch for additional monitoring. This is the first study that Apple itself is sponsoring. Apple will run the study and submit data to the U.S. Food and Drug Administration for approval as a regulated software.

Continue reading “Smartwatch News: Privacy Edition”

Limits of the VPPA: Ninth Circuit Panel Upholds Dismissal of VPPA Claim in Eichenberger v. ESPN, But Creates Low Bar for Satisfying Article III

A federal circuit court recently rules that there was no actionable violation of the Video Privacy Protection Act (VPPA) when ESPN shared a user’s movie streaming device serial number with a third party.

A three judge panel of the U.S. Court of Appeals of the 9th Circuit unanimously affirmed a district court decision dismissing a claim alleging a violation of the VPPA, holding that the serial number of a Roku movie streaming device is not “personally-identifiable information” under the statute in Eichenberger v. ESPN, Inc., No. 15-35499 (9th Cir.). In so doing, however, the Ninth Circuit also joined the Third and Eleventh Circuits in holding that, when alleging a violation of the VPPA, allegations of additional consequences stemming from the violation are not necessary to meet Article III’s standing requirement.

Continue reading “Limits of the VPPA: Ninth Circuit Panel Upholds Dismissal of VPPA Claim in Eichenberger v. ESPN, But Creates Low Bar for Satisfying Article III”

Investigation Continues After Massive Data Breach at Henry Ford Health System

An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees were compromised. Even though the emails were name and password protected by encryption, they remained vulnerable to such illegal access. The email accounts contained patient health information, including:

Patient name
Date of birth
Medical record number
Provider’s name
Date of service
Department’s name
Location
Medical condition
Health insurer

Continue reading “Investigation Continues After Massive Data Breach at Henry Ford Health System”

Agenda and Panelists Announced for FTC’s Information Injury Workshop in December

The Federal Trade Commission released the agenda and panelists for the Information Injury Workshop which will be held on December 12.

As we covered in a previous DBR on Data post, the goal of the workshop is to explore how to characterize information injuries, how to accurately measure such injuries, and their prevalence. In addition, panelists will discuss what factors businesses and consumers consider when evaluating the tradeoffs between providing information and potential exposure to injuries.

The panelists come from a variety of fields and disciplines, including information technology, privacy and data security, business, academia, legal and nonprofit fields.

The full agenda and list of panelists is available at this link. The workshop is free and open to the public and will also be available via live webcast through the FTC’s website.

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Category: Privacy