On April 8, 2022, the U.S. Food and Drug Administration (“FDA”) released a draft guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The draft guidance, if finalized, would replace FDA’s 2014 final guidance document titled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” adding significant
If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair, Lina Khan, the past year has seen the FTC engage is a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.
While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”
The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect for the FTC to continue to bring enforcement actions and order restitution and disgorgement via their Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review of appellate courts.…
Modern smartphones, wearables and internet-enabled devices are capable of monitoring heart rate, blood oxygen levels, steps taken, prescription adherence, and other vital health-related activities. Contrary to popular belief, HIPAA does not cover many of these applications and devices. On September 15, 2021, the Federal Trade Commission issued a Policy Statement attempting to assert authority to police that gap. The Policy Statement explains the FTC’s view that the Health Breach Notification Rule applies to mobile health applications. This Policy Statement signals increasing FTC scrutiny designed to safeguard sensitive health data on a variety of modern technologies that consumers use to monitor and improve their health.
Continue Reading FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule
Law360 (October 4, 2021, 5:30 PM EDT) —
On June 29, Florida Gov. Ron DeSantis signed into law H.B. 833, known as the Protecting DNA Privacy Act.
The act took effect on Oct. 1, and applies to the collection, use, retention, maintenance and disclosure of a DNA sample collected from an individual in Florida as well as the results of any subsequent DNA analysis. The act is self-executing and took effect without the need for creation of implementing regulations.
The act clarifies the extent to which individuals own their genetic information, and it creates new crimes for the unlawful collection, retention, analysis, disclosure or sale of an individual’s DNA sample and the results of a DNA analysis, subject to certain limited exemptions, such as use for specified clinical or research purposes.
The act also has important implications for secondary uses of data by health care providers and others that perform genetic testing and analyze genetic information.…
The FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers; an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
Continue Reading Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data
The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.
Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection.
Continue Reading Possible Use of COVID Vaccine Passports Raises Data Protection Concerns
As we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight. We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.
Continue Reading Privacy Year in Review: 2020’s Hottest Topics
UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with known hacking group APT29 (or “Cozy Bear”) are targeting attacks on health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.”
While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches. …
Continue Reading Universities and Hospitals Facing Increased Cyber Attacks
On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
Continue Reading European Guidelines Adopted on Health Data Processed in the Context of the Covid-19 Outbreak
On March 19, 2020, Governor Pritzker issued Executive Order 2020-09 (the “Executive Order”), expanding access to health care services for all Illinois residents provided through remote means during the term of the COVID-19 Gubernatorial Disaster Proclamation, which declares a state of disaster in Illinois. The Executive Order expands the technologies that may be used to deliver telehealth services and creates a coverage requirement for all medically necessary services delivered through telehealth. The Executive Order is followed by the recent CARES Act, which expands access to telehealth for Medicare beneficiaries, and the filing of an 1135 Waiver under the Social Security Act by the Illinois Department of Health and Family Services (“IDHS”) to expand its already broad Medicaid coverage of telehealth services.
Continue Reading Illinois’s Expansion of Access to Health Care via Telehealth Executive Order 2020-09 & Medicaid Emergency Rulemaking