Your Life in Photos: Privacy and a New Kind of Camera


What if you could capture your entire life in photos? The New York Times reported that a Swedish company, Memoto, has developed a wearable camera that accomplishes just that (http://bits.blogs.nytimes.com/2013/03/08/meet-memoto-the-lifelogging-camera/). This application goes way beyond Instagram.

Memoto’s website says: "The Memoto camera is a tiny camera and GPS that you clip on and wear. It’s an entirely new kind of digital camera with no controls. Instead, it automatically takes photos as you go. The Memoto app then seamlessly and effortlessly organizes them for you." 

Read more about the pros and cons of this new device at the New Media and Entertainment Law Blog.

 
 
 
 

President Obama's Executive Order: 5 Ways To Improve Cybersecurity


Following his recent State of the Union address, President Obama issued an Executive Order entitled "Improving Critical Infrastructure Cybersecurity."

The Policy section of the Executive Order notes that repeated cyber intrusions into critical infrastructure demand improved cybersecurity. This section correctly points out that the threat to critical infrastructure "continues to grow and represents one of the most serious national security challenges we must confront."

Indeed, it is stated that the "national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats."

[Read More]
 
 
 
 

High Tech Replacing Familiar Favorites, But Low Tech Will Live On


Technology is advancing at warp speed, and the way we live is changing constantly. Indeed, what was once lifestyle bedrock is now going the way of the dinosaurs.

[Read More]
 
 
 
 

HHS (Finally) Issues HIPAA/HITECH Amendments


On January 17, 2013, the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The 2013 HIPAA Amendments (which, with commentary from HHS, weigh in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago.

They involve a number of sweeping expansions to the existing HIPAA Rules, including: (1) a broader definition of “business associates” (“BAs”) to include downstream subcontractors that handle protected health information (“PHI”) on behalf of BAs; (2) increased penalties for noncompliance, with a maximum penalty of $1.5 million per violation; (3) expanded individual rights, including the right to request electronic medical records; and (4) new limitations on the use of PHI for marketing and fundraising, or the sale of PHI; among other broad changes.

Read the full text here. Duane Morris is preparing a fuller description of the 2013 HIPAA Amendments that will be distributed shortly. Please do not hesitate to contact Lisa Clark, lwclark@duanemorris.com, Neville Bilimoria, NMBilimoria@duanemorris.com, or your contact at Duane Morris for more information. Thanks to Elinor Hart, EHart@duanemorris.com, for her prompt assistance with this breaking development.

 
 
 
 

FTC Imposes a Record $22.5 Million Civil Penalty on Google for Privacy Misrepresentations


On August 9, 2012, the FTC announced that Google agreed to pay a record $22.5 million civil penalty to settle charges that it made misrepresentations to users of the Safari Internet browser when Google represented that it would not place cookies or serve targeted ads to those users.  In doing so, Google violated an earlier privacy settlement it had with the FTC.

FTC Chairman Jon Leibowitz said “[t]he record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. . . [n]o matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

The FTC's aggressive enforcement is expected to continue, and it is important that businesses review their privacy policies to ensure that the policies have not become dated and still represent the current data collection and maintenance practices of the business.

The FTC press release can be viewed at http://ftc.gov/opa/2012/08/google.shtm

 
 
 
 

California Spotlights Mobile Applications and Privacy: The Impact on the App (Including the mHealth) Industry


The relationship between privacy and mobile applications is coming into focus. On February 27, 2012, the California Attorney General entered into a Joint Statement of Principles with the six largest mobile application companies – Apple, Google, H-P, Microsoft, Amazon and RIM – regarding consumer privacy and transparency issues when data is collected through an app (http://ag.ca.gov/cms_attachments/press/pdfs/n2647_agreement.pdf). The Five Principles set parameters for good practice. Although the principles are not legally binding, the AG promises to review compliance in the fall, and may use California laws on privacy, false advertising, unfair business practices and others as enforcement tools. Since California often leads the way in privacy enforcement, it is likely that other states will follow suit.

What are the ramifications of this development for mobile medical (mHealth) apps? A medical app developer must take into account privacy issues, particularly if it collects or assists with the collection of personal data. In addition, a mobile medical app provider must consider any HIPAA requirements, such as would apply if the app was offered by a health care provider or payor to a consumer, or used internally (e.g., transfer of data by physicians in a hospital). HHS has established an mHealth Initiative to review the emerging mHealth area and to develop guidance. In sum, privacy is quickly becoming an important compliance area for mHealth stakeholders: device makers, software and app developers, platform providers, investors, health care providers and payors, and consumers. Keep an eye on developments and enforcement activities in this area.

 
 
 
 

FTC Released its Final Report Today on Best Practices for Businesses to Protect Consumer Privacy


Today, the Federal Trade Commission released its final report titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers."  http://www.ftc.gov/opa/2012/03/privacyframework.shtm

The report details best practices for businesses to protect the privacy of consumers. Recognizing the burden on small businesses, the FTC says that the framework should not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year and do not transfer it.

In the report, the FTC addressed the following:

Do-Not-Track – the FTC will work with various groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

Mobile – the FTC continues to urge companies offering mobile services to work toward improved privacy protections, including disclosures. It will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

Data Brokers – the FTC called on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.

Large Platform Providers – the FTC cited heightened privacy concerns about the extent to which platforms, such as ISPs, operating systems, browsers and social media companies, comprehensively track consumers' online activities. It will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.

Promoting Enforceable Self-Regulatory Codes – the FTC is working to develop industry-specific codes of conduct.

 
 
 
 

Why You Should Buy PHI and PII Data Breach and Security Incident Insurance


Click here to read latest blog on Why You Should Buy PHI and PII Data Breach and Security Incident Insurance.
 
 
 
 

FBI's Social Media Monitoring Plan Must Balance Privacy, Security


A few weeks ago this blog pointed out that the Department of Homeland Security's command center regularly monitors social networking sites such as Facebook and Twitter, popular sites like Hulu, controversial sites including WikiLeaks, and news and commentary sites like The Huffington Post and Drudge Report, according to a government document.

Now, there is an indication that the Federal Bureau of Investigation is developing a web application that will have the ability to monitor social media sites like Facebook and Twitter. Such an application supposedly will give the FBI intelligence about potential security threats.

[Read More]
 
 
 
 

Is Homeland Security Watching You Online?


Are George Orwell's fears of a governmental "Big Brother" from his novel 1984 coming true now? Well, let's hope not, but read on.

Recent press has reported on a particular government document: a Privacy Compliance Review issued by the U.S. Department of Homeland Security in late 2011. The document reveals that the DHS command center regularly monitors social-networking sites like Facebook and Twitter, popular sites like Hulu, controversial sites including WikiLeaks, and news and commentary sites like Drudge Report and The Huffington Post.

[Read More]
 
 
 
 

The Ever Expanding Data Breach Notification Laws…


Just when you thought the state breach notification laws could not get more cumbersome, states continue to amend their breach notification laws in an effort to expand the content and reach of the notice. 

Texas Amendment Requires Notification to Affected Residents in All 50 States

Texas recently amended its data breach notification law by expanding the notification requirements to cover affected non-residents.  Prior to the amendment, Texas required that entities conducting business in Texas notify residents when sensitive personal information was believed to have been acquired by an unauthorized person.  The amended law, which becomes effective September 1, 2012, now requires notification to affected persons residing in all 50 states if affected non-residents live in a state that does not already require notification of the data breach.  The Texas amendment is a novel use of the state breach notification laws, essentially requiring national notification of the breach.  Penalties are incurred if non-residents are not appropriately notified.  The Texas law also expands state health privacy requirements, imposing further notification requirements for a breach of health information

[Read More]
 
 
 
 

Protecting Personal Information In Borders Bankruptcy Proceeding


Borders has long collected personal information from customers and promised that such information would not be disclosed without consent. In light of that and Borders' current bankruptcy proceedings, the FTC has sent a letter to the consumer privacy ombudsman overseeing the Borders bankruptcy that seeks the protection of customer personal information.

The FTC's letter appears prompted by its understanding that customer personal information held by Borders is scheduled to be auctioned and thereafter there will be a sale hearing.

The FTC points out that in its business, Borders sold books, DVDs, CDs and other items in stores and online. As part of this process, Borders collected vast quantities of personal information, such as credit card numbers, email addresses and purchase histories, for more than 20 million customers.

[Read More]
 
 
 
 

State Law News (August 2011)


As we head toward the Labor Day Weekend, it is a good time to point out a couple of noteworthy state level legislative developments in the Information Security and Privacy space.

[Read More]
 
 
 
 

Anonymous Educates Us About Security-- Again


Another data breach carried out by the “hacktivist” group known as “Anonymous” provides an opportunity for businesses to become reacquainted with several important data security concepts. First, let’s briefly review the background of the incident.

 

This time Anonymous hacked the Bay Area Rapid Transit system, commonly known as BART. BART is the second largest public transportation system in Northern California and carries about 40,000 riders a day.  Anonymous was able to access and steal personal information on about 2400 BART customers who utilize the myBART website to manage their accounts. The information taken was reported by Anonymous to include system user names and passwords, individual last names, addresses, and telephone numbers.

[Read More]
 
 
 
 

Court To Decide Important Privacy Rights Case


In the flurry of activity immediately preceding the close of the United States Supreme Court's term in June, the court accepted Cert on what could be a pivotal 4th Amendment privacy case: United States v. Jones.  Jones presents the court with the opportunity to define the extent to which a person has an expectation of privacy with regard to their movements. 

[Read More]
 
 
 
 
 

Duane Morris TechLaw

Duane Morris lawyers share their insights on developing legal issues which impact technology and business. Topics include e-commerce, cloud computing, outsourcing, security, privacy, social media, software, telecommunications and more.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
The opinions expressed on this blog are those of the author and are not to be construed as legal advice.