All posts by Paul E. Paray

OCR Snags $3 Million HIPAA Settlement For Insecure Web Server

On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone, which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI). This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed, including names, birth dates, social security numbers, and addresses. OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”. As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.

Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement, one of the largest to date, was reached. FTP servers have long been a threat vector, even when set up and run properly, so, much like the clarion calls for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state of the art security.

Is Facebook Dead Man Walking?

Whether Facebook survives as a social media platform may eventually hinge on a metric that has not been widely reported, which is ironic given that what has recently been reported is hardly good news.

On April 24, 2019, Facebook, Inc. estimated that it would incur a loss in the range of $3.0 billion to $5.0 billion as a result of privacy violations investigated by the Federal Trade Commission, which does not even take into account other pending privacy investigations, including a report released on April 25, 2019 by Canadian privacy regulators. Also, paying the FTC up to $5 billion will not save the company from the onslaught that savvy class action lawyers will unleash the day after the FTC settles.

Almost comically, on April 29, 2019, Facebook, Inc. announced what it likely thought was a successful PR coup, namely the funding of privacy research shepherded by two partner organizations, Social Science One and the Social Science Research Council. Not surprisingly, there was no mention that Facebook would be provided specific recommendations from these organizations, let alone that such recommendations would eventually be adopted by the company.

Facebook’s privacy regulatory threats are not limited to those found in North America: Germany is attacking the core of Facebook, Inc.’s advertising business model, and there are several potentially ruinous GDPR complaints that were filed against it the day that privacy regime became effective. As previously stated with regard to GDPR: “Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread.”

A different sort of threat to Facebook can be found in the decentralized Internet currently being built by start-ups such as Blockstack, which recently filed an SEC Reg A+ offering for $50 million by way of a subsidiary. Blockstack looks to leapfrog centralized platforms such as Facebook by building tools for a “decentralized computing network and app ecosystem” that includes decentralized storage allowing for porting of app data across social media platforms, as well as self-sovereign user IDs that would allow for single user identities and passwords across every online application.

More than likely, however, the most damaging threat to Facebook in the near term is the platform’s continued drop in customer engagement. As recognized by Lou Kerner: “On April 24th, 2019, Facebook reported Q1 ’19 earnings, and once again, Wall Street applauded, sending the shares up 8%, adding another $45 billion in value. While some saw triumph, and others saw further reason to break Facebook up, all I saw was continued decline in the only metric that matters, engagement.”

Kerner’s graphic on the steady decline of daily and monthly active Facebook users is ominous:

Notwithstanding its many privacy transgressions and current regulatory/litigation challenges, as well as the future advent of a decentralized Internet, what likely will be the most direct cause of Facebook’s downfall as a platform stems from the simple fact that users have been steadily moving away from using it.

Apparently, users have taken the advice of WhatsApp co-founder Brian Acton and have chosen to “delete Facebook.” Even though Facebook, Inc.’s present cash reserve and its other popular applications would likely allow the company to continue as a viable entity for many years even without its eponymous platform, those present users who spend hours each day on Facebook, and have no desire to ever abandon it, might just not be enough to sustain the Facebook platform in the long term.

Simply put, with shrinking levels of engagement the Facebook platform will eventually go from a MySpace to a Vine.

SEC Issues First No-Action Letter for an ICO

The SEC on April 3, 2019 issued a No-Action Letter to an ICO offeror, demonstrating that its Chairman’s prior promise to devote sufficient SEC resources toward better understanding initial coin offerings has been kept. In the April 2, 2019 no-action request to the SEC, TurnKey Jet proposed “to offer and sell blockchain-based digital assets in the form of “tokenized” jet cards.” TurnKey plans to be the program manager for a membership program based on this token platform. The tokens would be pegged to the US dollar “throughout the life of the Program”. Apparently, the sole purpose in issuing tokens is to avoid financial transaction costs to the extent a credit card is used to book jet travel.

Even though there is certainly value in eliminating the middleman in high-cost transactions (card brands, Venmo, and PayPal take note), this is not the sort of blockchain-implemented ecosystem envisioned by the early ICO issuers. Nevertheless, this sort of use case provides a readily apparent benefit to its participants and is exactly what the blockchain/DLT community needs to move forward. As previously argued, it is certainly not the case that all ICOs are securities, so this no-action move by the SEC should be welcomed by all.

In a related positive move from the SEC, on April 3, 2019 the SEC released its Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets”.  Doing an excellent job of parsing the existing statutory interpretation of what constitutes a security, i.e., the now famous Howey test, the SEC’s FinHub Framework is a must-read for those looking to issue a digital asset.  

Notwithstanding some criticism of the SEC Framework, this release is a natural progression that should not be discounted. More importantly, by launching this Framework the same day as its No-Action Letter, the SEC has sent a clear message that blockchain ecosystems remain open for business and that the SEC will not hurl unnecessary impediments at the implementation of those use cases that actually comply with regulatory law.

Google Cy Pres Fund Case Goes Back to District Court

On March 20, 2019, the Supreme Court deferred ruling on the settlement of a class action brought against Google. The underlying action was based on Google’s transmission of users’ search terms, i.e., “referrer headers”, to its actual clients. Class counsel argued that the transmission and storage of these referrer headers was in violation of both federal and state law given that those conducting the searches never gave proper consent.

In remanding the case to address a potential lack of standing, the Court ruled “[b]ecause there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” This was obviously the correct ruling given that a court cannot even hear a matter unless there is proper standing to sue. Given that the Supreme Court only decides matters properly on appeal and the question of standing was not put before it, the matter required a remand.

Disregarding the tortuous procedural history of this near-decade-old case or the reasons why standing may not exist, this case will hopefully substantively address the court-approved settlement that would require “Google to include certain disclosures on some of its webpages and would distribute more than $5 million to cy pres recipients, more than $2 million to class counsel, and no money to absent class members.” In other words, the Court will hopefully decide whether the lower court improperly approved the settlement given that the individuals purportedly harmed would not have received a penny and the alleged improper conduct described in the complaint would have still continued unabated.

In his Dissent, Justice Thomas believed the bare minimum threshold of standing was met and that the case should have been reversed on substantive grounds because the cy pres fund settlement was violative of the Rules, as it offered no compensation to the certified class. As previously discussed, cy pres fund settlements, which can provide millions to advocacy groups approved by the defendant, hardly evoke the hallmark of justice given that those purportedly harmed actually receive nothing. Indeed, the use of cy pres funds has long been “a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before actual damages can be made readily apparent.” It is no surprise that various Attorneys General have pushed hard against these sorts of settlements.

As pointed out by one of the attorneys who appealed this Google case to the Supreme Court, today’s ruling likely “simply delays the day of reckoning for this unfair practice.” Justice Thomas recognized today that there was something particularly odious about a settlement that only benefited lawyers and those third-party organizations acceptable to the Defendant. Hopefully, in the near future the full Court will reach the same conclusion and put an end to this unsavory practice of rewarding a defendant’s “non-profit partners” rather than the actual litigants.

California Continues to Lead the Data Privacy Way

On February 22, 2019, an amendment to the CCPA, S.B. 561, was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations by directly passing along greater rights to consumers. If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger. Previously, the California Consumer Privacy Act, which will come online in 2020, was the first major privacy initiative to provide for statutory damages in the event of a data breach.

California’s Governor also recently said that he was “now convening a team to look into the creation of a new law requiring technology giants to kick back some of their billions in earnings in the form of a Data Dividend for Californians.” California is not waiting around for federal privacy action; it is outright looking to lead the world when it comes to the creation of statutory privacy rights.

UPDATE: April 4, 2019

On April 4, 2019, Senate Bill 753 was proposed to amend CCPA and provide for a major new exception to the law’s reach. If passed, “a business does not sell personal information” under CCPA if the following applies:

(E) (i) Pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer. (ii) The contract specified in clause (i) shall prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.

In effect, there would be a Google and Facebook exception to CCPA.

It remains to be seen whether this amendment proposed by State Senator Henry Stern will ever be enacted, but the mere fact it was proposed is a stark reminder that those companies with the most to lose have not stopped fighting this battle, whether by way of this proposed amendment to CCPA or by way of a broad preemption quest in Congress.

UPDATE: April 24, 2019

In opposition to S.B. 753, a coalition of privacy advocates wrote: “In sum, this new exception would remove the ability of consumers to prevent the dissemination of their personal information from the website they are visiting to any third party, allowing their personal information to flow unchecked into the ad-exchange system, after which a consumer can never regain future control.”

As reported by DLA’s Jim Halpert, during the Senate Judiciary Committee Meeting of April 23, 2019, State Sen. Stern apparently bowed to the pressure and withdrew S.B. 753 from further consideration.

In addition to S.B. 561, the other amendment most likely to see success is State Assemblywoman Jacqui Irwin’s A.B. 873, which places parameters on de-identified information and limits the present, potentially unbounded scope of “personal information”. Thankfully, given the attention being placed on these issues, it is very likely that the ambiguities rushed into the statute’s initial draft will be sorted out and corrected before CCPA comes online in 2020.

JPM Coin

On Valentine’s Day 2019, J.P. Morgan gave a kiss to the blockchain/DLT community by announcing its JPM Coin, a branded stablecoin pegged to the dollar that will be used by its large institutional clients to settle payment transactions. Upon settlement, each coin would be burned and traded for a dollar. The ultimate benefits in the JPM Coin ecosystem will be found in the transaction speed and very low cost of execution. This is a noteworthy move given that there are obvious short-term negatives to J.P. Morgan, in that the launch of such an ecosystem might initially cut into some custodial profits.

Perhaps driven by the fact that no bank could ever really control Bitcoin, J.P. Morgan’s CEO previously said that Bitcoin was a fraud. It is likely no coincidence that this launch only took place after Bitcoin cratered by nearly 80% of its value. Moreover, this announced future use of a “digital coin” is very much something J.P. Morgan could exert some control over (hence its name), and it would not even initially be made available to J.P. Morgan’s retail clients. It is assumed that this would change over time, after deployment, as the coin’s usage matures: retail clients may eventually be able to use JPM Coins for mobile payment transactions or in lieu of a time-consuming wire transfer.

Even though there was an unexpected major hiccup in 2018, as previously pointed out, “acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry.” In other words, by jumping in feet first with the adoption of a digital coin issued on its own Quorum permissioned blockchain, J.P. Morgan is taking a major step towards having the financial industry continue to lead the DLT movement until the technology catches up to other innovative use cases in other industries.

Facebook’s utility chicken has come home to roost

On February 7, 2019, in a devastating blow to global surveillance advertising, Germany’s antitrust arm, the Federal Cartel Office, ruled that Facebook’s tying of its data collection practices to usage of its services was unlawful. In the public announcement of this ruling, FCO president Andreas Mundt said: “Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.”

Not surprisingly, Facebook immediately blogged that it would file an appeal of this potentially ruinous ruling. Though not ultimately based on the lack of “freely given” consent under GDPR, the ruling may ultimately have the same impact as if it were. Interestingly, Facebook has previously shouted from the rooftops that it was compliant with GDPR but never warned of a potential antitrust exposure, including in its most recent Annual Report.

Other countries may also choose to use the antitrust route rather than wait on the pending Complaints filed against Facebook. None of this should come as any surprise to Facebook given that its own CEO saw the company as a “social utility” well over a decade ago.

Interestingly, the FCO ruling considers the harm derived from Facebook’s data collection practices to be the user’s “loss of control” rather than any specific pecuniary harm. If affirmed, this novel antitrust ruling could be a watershed in surveillance advertising, sufficient to crack the existing digital ad ecosystem and allow new business models to finally take hold.

Google adds warnings on data privacy exposures

In its Annual Report filed on February 5, 2019, Google’s parent, Alphabet, Inc., emphasized in a more pronounced way the privacy regulatory and business headwinds it now faces. Specifically, on pages 9 and 10 of the report, Alphabet writes “as the focus on data privacy and security increases globally, we are and will continue to be subject to various and evolving laws. The costs of compliance with these laws and regulations are high and are likely to increase in the future.” It goes without saying that proper compliance will never be optional for the company, given that Google’s surveillance advertising accounted for over 85% of its total revenues in 2018.

According to its 10-K, those laws and regulations that may subject Alphabet “to significant liabilities and other penalties” include:

The California Consumer Privacy Act of 2018 that comes into effect in January of 2020, and gives new data privacy rights to California residents and regulates the security of data in connection with internet connected devices.

Privacy laws, which could be interpreted broadly thereby limiting product offerings and/or increasing costs.

Given the recent package of bills introduced in California to bolster CCPA and other privacy-related laws, Alphabet is certainly wise to include CCPA and unnamed “privacy laws” on its 10-K’s list of risk factors.

Alphabet also warns: “Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business.” As pointed out by Bloomberg, this wording is not merely reused boilerplate but represents new language.

Even though the duopoly of Google and Facebook is not going away anytime soon, Alphabet’s latest filing is an acknowledgement that upcoming regulatory and market changes may limit how these companies do business. In other words, the free rein they have had for so many years may finally be coming to an end.

Data Privacy Day 2019

January 28, 2019 will mark the tenth anniversary of Data Privacy Day. Even though the sponsors, messaging and website may have changed from 2010, 2011 and 2012, the overall idea that personal privacy rights should be specifically called out for celebration remains a powerful statement. In 2014, Congress jumped on board by issuing a Resolution designating January 28th as “National Data Privacy Day”. Two years later, the 2016 celebration of Data Privacy Day crystallized why privacy stakeholders were starting to sound the alarm. And, by 2019 it has gotten to the point where even large technology companies are calling for regulatory action.

In the coming months, a divided Congress will likely begin a bipartisan effort to address one of the few bipartisan topics out there: data privacy rights. This effort may succeed if for no other reason than that next year launches California’s new data privacy regime, and companies are feverishly lobbying behind the scenes to preempt this Consent Armageddon from materializing. In other words, there may soon be a “Data Property Day” coming into focus: the date when privacy rights that were born out of early constitutional and statutory underpinnings first became a basic property right.

Apple pushes new data regime

In a Time Magazine op-ed piece that is a likely preview of his talk at the “Globalization 4.0” World Economic Forum meeting next week in Davos, Apple’s Tim Cook proposes more government intervention in the digital ad marketplace. Cook previously railed against the “data industrial complex” at an October EU privacy event. Apple also recently poked Google in the eye with its massive CES billboard in Las Vegas that reads: “What happens on your iPhone, stays on your iPhone.”

In his January 16, 2019 Time editorial, Cook suggests that consumers should no longer tolerate “companies irresponsibly amassing huge user profiles.” He obviously is smart enough to recognize that the existing digital ad ecosystem needs to stay firmly in place for his company to thrive: 25% of all persons now check their phones within one minute of waking up, largely due to the existing social media landscape he now criticizes. Rather, he proposes federal omnibus privacy legislation that would ostensibly place more control with consumers, who will be allowed for the first time the chance to say, as he put it: “Wait a minute. That’s my information that you’re selling, and I didn’t consent.”

Cook “kicks off” his debate with the following salvo:

That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.

Similar to what is now being enforced in Vermont, Apple apparently advocates for the registration of data brokers but adds the new regulatory requirement of tracking transactions, as well as codifying the right of erasure enshrined in GDPR and purportedly also acceptable to Facebook. Backing up “some” of its rhetoric with action, Apple has recently given even users outside GDPR’s purview the ability to learn what data is held by it and to correct any inaccuracies. It still, however, does not allow users to learn how their data is used by other companies.

It is not difficult to cynically consider Apple’s new lobbying campaign simply an attempt at undercutting Samsung and Google, especially given that Apple itself will always remain a very integral part of the digital ad ecosystem. In the near term, Apple faces little economic risk with its privacy-friendly posturing, only a potential increase in its already lofty brand equity. Given that Apple is not technically a “data broker”, the significant added costs to data brokers created by its advocacy will certainly not be absorbed by Apple.

No matter what its motivation, Apple’s new perspective may one day give consumers a bird’s eye view of exactly how valuable their personal data is to companies lacking any direct relationship with them.  And, after that recognition, it may finally be time for consumers to get paid for their valuable data.

UPDATE: January 18, 2019
Notwithstanding Mr. Cook’s public stance regarding Apple’s GDPR compliance, Apple Music was hit on January 18, 2019 with a complaint alleging a potential maximum penalty of €8.02 billion for various GDPR violations.