Telecommunications carriers must take precautions to protect call and location data stored on customers’ devices, according to the Federal Communications Commission (FCC).1 As discussed in a prior WSGR Eye on Privacy article,2 the FCC reacted to the carriers’ use of Carrier IQ to collect customers’ call information, despite its data security vulnerabilities. The FCC sought public comment on whether this type of data collection should fall within the agency’s authority under the Communications Act of 1934, as amended. After reviewing public comments, the FCC issued a Declaratory Ruling concluding that carriers must provide safeguards for certain types of data that carriers cause to be stored on their customers’ devices directly or through their agents. This security requirement applies to data transferred to carriers’ systems as well as data stored on the consumers’ devices.
Continue Reading FCC Actions Clarify That Mobile Data Security Rules Apply to Data on Devices
Wendell Bartnick
Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions
By Tonia Klausner & Wendell Bartnick on
Posted in Privacy
One of the most common and effective defenses raised by privacy class action defendants has been lack of standing. Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”1 In other words, the plaintiff must have suffered some actual harm, or face an imminent risk of suffering a concrete injury. Frequently, class action plaintiffs have been unable to establish standing based on alleged injuries from the unauthorized exposure of personal information. The recent U.S. Supreme Court case of Clapper v. Amnesty International USA2 may have strengthened the standing shield for defendants even more.
Continue Reading Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions
Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations
By Wendell Bartnick on
Posted in Privacy, Regulatory
A recently issued government rule may unknowingly create significant liability and legal risk for many technology enterprises. The expanded definition of “business associates” and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearing houses (collectively, “covered entities”). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the “HIPAA Rules”) that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Two of the most important changes involve “business associates,” defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:
- expanded the definition of “business associate” and
- placed the obligation of HIPAA compliance directly on business associates.