Media, Privacy & Beyond

Media, Privacy & Beyond

Developments and Insights Related to Media, Privacy, and the Practice of Law

Target Data Breach and NIST Cybersecurity Framework Raise Tough Insurance Questions

Posted in Data breach
Emily R. Caron

Last week, the White House and the US National Institute of Standards and Technology (NIST) released the voluntary cybersecurity framework they have been working on for a year—the result of an Executive Order entitled, “Improving Critical Infrastructure Cybersecurity.” The hope is that this new framework will eventually lead to a more robust cyber insurance market with lower premiums. While 85% of corporate executives named cyber attacks as their greatest risk in 2013, less than 20% of companies purchase cyber insurance. The NIST framework is a set of industry standards and best practices to help organizations manage cyber security risks.  The 41-page document can be found here.  The framework’s focus is to measure and mitigate risk in the country’s cyber infrastructure to protect airlines, roads and other vital aspects of the U.S. economy, but serves as a good model for any organization.

This is timely in light of the many data breaches that have taken place of late. For example, unless you’ve been living under a rock, you know that Target announced the theft of financial information, including credit and debit card information and imbedded PIN numbers, from as many as 110 million customers.  Since announcing the breach in December, information continues to come to light, and none of it is good.  For instance, the New York Times reported that Target was vulnerable to the cyber-attack because its systems were “astonishingly open—lacking the virtual walls and motion detectors found in secure networks.”  Hackers planted malicious code in early November, and it went undetected for weeks. Remarkably, Target did not find the breach on its own; the Secret Service discovered it during an unrelated investigation where agents had been tracking hackers overseas, and discovered common thread in a string of suspicious credit activity: payments made at Target.

Continue Reading

The Fate of Net Neutrality – What Will Be The FCC’s Next Step?

Posted in FCC, Net Neutrality
Carole HandlerJohn Shaeffer

Net Neutrality is short-hand for an ongoing debate of over six years duration about whether broadband providers should be permitted to differentiate between types of traffic flowing across their networks. For example, if a streaming video service is willing to pay more to a broadband provider, should that provider be allowed to give that video service’s packets of data preferential treatment across its portion of the Internet “super highway?” Those in favor of net neutrality – regulations requiring broadband providers to treat all data on its network the same, i.e. with neutrality – argue that such regulation would promote innovation by treating equally content services and applications across the Internet. Proponents argue that new competitors will be more able to obtain a foothold with such “equal” treatment. Those opposed to the regulation argue, in part, that by denying broadband providers this alternative revenue source from edge providers willing to pay for preferential treatment – something like first class airfare – the public that is the end-user consumer necessarily pays more for its broadband internet access. Although the policy issue remains unresolved, while this debate has been raging, the Internet has become ever more fundamental to commerce and communication.

The January 14, 2012 decision by the United States Court of Appeal for the District of Columbia in Verizon v. FCC, Case No. 11-1355, provides no insight on how to resolve this political debate. The Verizon Court comments that its “task as a reviewing court is not to ascertain the wisdom of the Open Internet Order regulations [the FCC’s order on Net Neutrality under review], but rather to determine whether the Commission has demonstrated that the regulations fall within the scope of its statutory grant of authority.” Verizon at 17. In short, the Verizon Court concluded that the FCC had statutory authority to regulate common carriers in such a manner but, citing a prior order from the FCC, ultimately concluded that the FCC had already decided that broadband providers were not common carriers.

Continue Reading

Morel victory: Verdict shows perils of improper photo attribution

Posted in Copyright
Emily R. Caron

A picture is said to be worth a thousand words, right? Well, eight pictures are worth $1.22 million, in the case of Haitian photographer Daniel Morel.  Late last month, jurors in the copyright infringement case against Agence France-Presse (AFP) and its U.S. distributor Getty Images awarded Morel $1.22 million in damages for willful copyright infringement and violations of the Digital Millennium Copyright Act (DMCA). This case offers a cautionary tale for those trying to navigate the “Wild West” environment of digital content in social media. According to Morel’s attorney, this appears to be the first time a digital licensor has been found liable for willful violation of a photojournalist’s copyright in his own works. Continue Reading

Debate continues on proper balance between right of publicity and free speech

Posted in First Amendment, Privacy Torts
Emily R. Caron

As the U.S. Supreme Court proceeds with its fall term, media lawyers with an interest in the right of publicity will be watching to see whether the Court takes up the seemingly conflicting cases that came out of the Ninth Circuit this summer in suits brought against EA Sports for its sports-simulation video games and the use of avatars resembling real-life athletes. In these games, EA Sports uses players’ likenesses in a product for commercial gain.   The first case, Keller v. Electronic Arts, No. 10-15387 (9th Cir. July 31, 2013), was brought by Sam Keller, a former college quarterback for Arizona State and Nebraska. The suit was consolidated with a similar suit brought by former UCLA basketball player Ed O’Bannon and others. The court evaluated whether such use is protected by the First Amendment. The court found that it was not.

The second suit, Brown v. Electronic Arts, No. 9-56675 (9th Cir. July 31, 2013) was brought by Jim Brown, the former Cleveland Browns player, alleging, as Keller did, that EA Sports used his likeness for commercial gain.  Again, the court evaluated whether such use is protected by the First Amendment. The court found that it is.

Wait. What? Yes, the same court hearing two different cases with essentially the same facts found, in one case, that the video game was a sufficiently transformative work to be protected by the First Amendment, and in the other, that it was not transformative enough to warrant First Amendment protection.  Continue Reading

The Path to Success—Successor Liability, That Is

Posted in Privacy, Privacy Torts
Eric Weslander

The doctrine of “successor liability” occasionally rears its head in the world of media and entertainment law, and is likely to become more important in coming years as plaintiffs seek creative means to impose liability for their reputation- or privacy-related injuries. Under this doctrine, a company that purchases another’s assets may be held liable, in some cases, for the seller’s debts. In an article published in the fall newsletter of the ABA’s TIPS section’s Media, Privacy, and Defamation Law Committee, I provide an overview of this doctrine and its application in the media world, analyzing the significance of courts’ guidance that successor liability is “an equitable doctrine and not an inflexible command.” The entire article may be accessed here.

Omnibus HIPAA Regulations approaching quickly

Posted in HIPAA/HITECH Act
Stacy Harper

The compliance date for the Omnibus HIPAA Regulations is rapidly approaching on September 23, 2013.  Healthcare Providers and Health Plans should be finalizing documents to respond to the new requirements.  Specific focus should be placed on:

  • Notice of Privacy Practices.  This document must be revised to incorporate changes.  It must be posted and available to patients in advance of the September 23, 2013 effective date.  Required changes include:
    • A statement that the covered entity must notify an affected individual of a breach of unsecured protected health information (PHI);
    • A description of the disclosures of PHI requiring an authorization (e.g., psychotherapy notes, marketing, and sale of information, and a statement that other uses or disclosures not described in the notice require authorization);
    • A statement that the recipient of fundraising materials may opt out of future fundraising communications;
    • A description of an individual’s right to restrict disclosure of PHI to health plans if he or she paid for the relevant care;
    • If the Covered Entity is a Health Plan, the NPP must state that genetic information will not be disclosed to the Plan Sponsor; and
    • Health Plans who disclose information for underwriting must also state genetic information will not be disclosed for this purpose. Continue Reading

Data Privacy in the Wake of PRISM: A Fundamental Human Right or Unrealistic Expectation?

Posted in Privacy
Tedrick Housh

The United States Supreme Court first recognized privacy as within the “penumbra” of constitutional rights almost fifty years ago. Privacy, however, has remained a relative concept in the United States. In a commercial context, we consider privacy in light of its perceived drag on speed and convenience. In a government context, we weigh it against our need for security and safety.

In Europe, privacy is a fundamental human right, like life, liberty and the pursuit of happiness, or as set forth in the UN Declaration of Universal Human Rights. As a result, EU members tend to be more vigilant and demanding than Americans when it comes to the protection of individual privacy.

At the top of today’s headlines is the report that the National Security Agency and the Federal Bureau of Investigation are tapping directly into the central servers of US internet companies to access audio and video chats, photographs, e-mails, documents and connection logs. If true, this means the United States government has been given nearly unfettered access to individual user data, not just anonymous, aggregated data. Edward Snowden, the Booz Allen consultant who leaked information about the program, called PRISM, has apparently told the press that “[t]hey quite literally can watch your ideas form as you type.”  See The Guardian and Washington Post, June 6, 2013. Continue Reading

Back to HIPAA Basics: What Is Protected Health Information?

Posted in HIPAA/HITECH Act, Privacy
Stacy Harper

As the September 2013 compliance date for the Omnibus HIPAA regulations approaches and the Office of Civil Rights settlement announcements continue, more organizations are assessing risks and implementing a more comprehensive HIPAA compliance strategy. For many organizations, this process begins with a simple question: to what extent do we create or maintain protected health information?

For many people, the phrase protected health information or PHI is associated with medical record documentation. But the definition under HIPAA is much broader. Protected health information is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, but not including employment records or education records. Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual that 1) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual and 2) identifies that individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Continue Reading

Business Associate HIPAA Compliance

Posted in HIPAA/HITECH Act
Stacy Harper

The recent Omnibus HIPAA Regulations finalized changes under the HITECH Act to apply privacy and security requirements to Business Associates. Understanding the full impact of these regulations on businesses that contract with healthcare providers, health plans, and healthcare clearing houses (“Covered Entities”) begins with an examination of the expanded definition of Business Associate under the law.

A Business Associate is a person not in a Covered Entity’s workforce who, on behalf of the Covered Entity, assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services; or any other function or activity regulated by HIPAA. Continue Reading

OCR Releases Final HIPAA Regulations

Posted in HIPAA/HITECH Act
Stacy Harper

The Office of Civil Rights has released the text of the long-anticipated final Health Insurance Portability and Accountability Act (“HIPAA”) regulations, which are scheduled to be published in the federal register on January 25, 2013. The regulations are effective on March 26, 2013, providing covered entities and business associates until September 23, 2013 to comply.

Breach Notification
One of the highly anticipated provisions in the final regulations relates to breach notification. This final rule replaces the interim rule for HIPAA breach notification, originally published on August 24, 2009. Under the 2009 rule, a “breach” only included those impermissible uses or disclosures of protected health information that posed a significant risk of financial, reputational, or other harm to the individual. This was often referred to as the “risk of harm” threshold. The final rule removes the risk of harm threshold from the definition of a breach.  Continue Reading