Big Data Archives - Page 6 of 12 - OF DIGITAL INTEREST

Big Data

National Roadmap for Health Data Sharing: FTC Advocates Preservation of Privacy and Competition

by Carla A. R. Hine and Jennifer S. Geetter | Apr 17, 2015 | Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Ecommerce, Mobile Apps

On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments. The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that will allow for the freer flow of health-related data by and among providers and patients. The use of technology to capture and understand health-related information and the strategic sharing of information between health industry stakeholders and its use is widely recognized as critical to support patient engagement, improve quality outcomes and lower health care costs.

On April 3, 2015, the Federal Trade Commission issued coordinated comments from its Office of Policy Planning, Bureau of Competition, Bureau of Consumer Protection and Bureau of Economics. The FTC has a broad, dual mission to protect consumers and promote competition, in part, by preventing business practices that are anticompetitive or deceptive or unfair to consumers. This includes business practices that relate to consumer privacy and data security. Notably, the FTC’s comments on the Roadmap draw from both its pro-competitive experience and its privacy and security protection perspective, and therefore offer insights into the FTC’s assessment of interoperability from a variety of consumer protection vantage points.

The FTC agreed that ONC’s Roadmap has the potential to benefit both patients and providers by “facilitating innovation and fostering competition in health IT and health care services markets” – lowering health care costs, improving population health management and empowering consumers through easier access to their personal information. The concepts advanced in the Roadmap, however, if not carefully implemented, can also have a negative effect on competition for health care technology services. The FTC comments are intended to guide ONC’s implementation with respect to: (1) creating a business and regulatory environment that encourages interoperability, (2) shared governance mechanisms that enable interoperability, and (3) advancing technical standards.

Taking each of these aspects in turn, creating a business and regulatory environment that encourages interoperability is important because, if left unattended, the marketplace may be resistant to interoperability. For example, health care providers may resist interoperability because it would make switching providers easier and IT vendors may see interoperability as a threat to customer-allegiance. The FTC suggests that the federal government, as a major payer, work to align economic incentives to create greater demand among providers for interoperability.

With respect to shared governance mechanisms, the FTC notes that coordinated efforts among competitors may have the effect of suppressing competition. The FTC identifies several examples of anticompetitive conduct in standard setting efforts for ONC’s consideration as it considers how to implement the Roadmap.

Finally, in advancing core technical standards, the FTC advised ONC to consider how standardization could affect competition by (1) limiting competition between technologies, (2) facilitating customer lock-in, (3) reducing competition between standards, and (4) impacting the method for selecting standards.

As part of its mission to protect consumers, the FTC focuses its privacy and security [...]

Continue Reading

FTC Merger Review Likely to Incorporate Analysis of Privacy Issues

by Carla A. R. Hine | Mar 2, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The Federal Trade Commission (FTC or the Commission), along with the U.S. Department of Justice, can challenge mergers it believes will result in a substantial lessening of competition – for example through higher prices, lower quality or reduced rates of innovation. Although the analysis of whether a transaction may be anticompetitive typically focuses on price, privacy is increasingly regarded as a kind of non-price competition, like quality or innovation. During a recent symposium on the parameters and enforcement reach of Section 5 of the FTC Act, Deborah Feinstein, the director of the FTC’s Bureau of Competition, noted that privacy concerns are becoming more important in the agency’s merger reviews. Specifically she stated, “Privacy could be a form of non-price competition important to customers that could be actionable if two kinds of companies competed on privacy commitments on technologies they came up with.”

At this same symposium, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, remarked on the agency’s increasing expectations that companies protect the consumer data they collect and be more transparent about what they collect, how they store and protect it, and about third parties with whom they share the data.

The FTC’s Bureaus of Competition and Consumer Protection fulfill the agency’s dual mission to promote competition and protect consumers, in part, through the enforcement of Section 5 of the FTC Act. With two areas of expertise and a supporting Bureau of Economics under one roof, the Commission is uniquely positioned to analyze whether a potential merger may substantially lessen privacy-related competition.

The concept that privacy is a form of non-price competition is not new to the FTC. In its 2007 statement upon closing its investigation into the merger of Google, Inc. and DoubleClick Inc., the Commission recognized that mergers can “adversely affect non-price attributes of competition, such as consumer privacy.” Commissioner Pamela Jones Harbour’s dissent in the Google/DoubleClick matter outlined a number of forward-looking competition and privacy-related considerations for analyzing mergers of data-rich companies. The FTC ultimately concluded that the evidence in that case “did not support the theories of potential competitive harm” and thus declined to challenge the deal. The matter laid the groundwork, however, for the agency’s future consideration of these issues.

While the FTC has yet to challenge a transaction on the basis that privacy competition would be substantially lessened, parties can expect staff from both the Bureau of Competition and the Bureau of Consumer Protection to be working closely together to analyze a proposed transaction’s impact on privacy. The FTC’s review of mergers between entities with large databases of consumer information may focus on: (1) whether the transaction will result in decreased privacy protections, i.e., lower quality of privacy; and (2) whether the combined parties achieve market power as a result of combining their consumer data.

This concept is not unique to the United States. The European Commission’s 2008 decision in TomTom/Tele Atlas examined whether there would be a decrease [...]

Continue Reading

Consumer Health Information Update from Both Sides of the Atlantic

by Jennifer S. Geetter and Scott Weinstein | Feb 27, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest, Mobile Apps

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, [...]

Continue Reading

Any Progress? The Draft Data Protection Regulation Celebrates its Third Anniversary

by McDermott Will & Emery | Feb 11, 2015 | Big Data, Cloud, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Ecommerce, Electronic Contracting, Mobile Apps, Social Media, Text Messaging

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.

The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.

It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.

The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.

Pressure Points: OCR Enforcement Activity in 2014

by Amanda Enyeart | Feb 9, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI). The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

2. A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

3. System changes and data relocation can lead to unintended consequences.

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI. A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach. According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

4. Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]

Continue Reading

C-Suite – Changing Tack on the Sea of Data Breach?

by McDermott Will & Emery | Feb 6, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach. This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals. Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years. The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified. In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership. Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks. As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach? Only time will tell but we will be certain to watch with interest.

In with the New: Expect FTC Activity on IoT in 2015

by McDermott Will & Emery | Jan 26, 2015 | Big Data, Cybersecurity, Data Privacy, General Interest

The “Internet of Things” (IoT) continues to grow. (IoT refers to the ability of everyday objects to connect to the Internet and one another.) It is estimated that there will be 4.9 billion connected appliances, devices and other “things” in use worldwide by the end of 2015, an increase of 30 percent from 2014. The global market for IoT products is expected to reach $7.1 trillion by 2020.

Proponents of IoT believe that the data generated and shared by connected objects can provide tremendous benefits for individuals, businesses and society as a whole. For example, IoT devices could be used to alert a person of an impending heart attack, improve a business’ manufacturing processes and reduce vehicle traffic congestion. While IoT can provide many benefits, it also poses privacy and security challenges. Internet connected devices, especially when used in an individual’s home or on his or her body, can generate voluminous amounts of highly personal and sensitive data about that individual, including information about physical activity, existing health conditions, energy consumption and entertainment choices. Many users of these devices are unclear about how this data is being used and shared with others. Moreover, the sheer amount and sensitivity of the data collected and transmitted by many IoT products make them an appealing target for hackers.

The Federal Trade Commission (FTC) did not file an enforcement action against a manufacturer of IoT products for inadequate data privacy and security practices in 2014, as it had in 2013. Nonetheless, the privacy and security challenges associated with the massive collection of consumer data by IoT products still are on the FTC’s radar. Commissioner Julie Brill has written extensively about the need to weave in privacy principles to IoT. While IoT products ranging from automated door locks to internet connected pet trackers dominated this year’s International Consumer Electronics Show (CES), Chairwoman Edith Ramirez’s keynote address at the CES outlined several concerns about IoT, including ubiquitous data collection, the ability of IoT devices to capture sensitive personal information about consumers, unexpected uses of consumer data and data security concerns.

Since IoT is on the FTC’s radar, I predict that the FTC will carefully scrutinize manufacturers of IoT products during 2015 and perhaps bring another action against a maker of IoT products for inadequate data privacy or security practices.

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part I

by Jennifer S. Geetter | Jan 7, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest, Mobile Apps

What privacy, advertising and digital media trends will make headlines in 2015? Digital Health for one, Big Data for another.

Digital Health

The 2015 International Consumer Electronics Show (CES) started yesterday. Sessions like “Sensibles: The Smarter Side of Wearables” and “DIY Health: Consumer Accessible Innovation” suggest that the consumer health issues explored by the Federal Trade Commission (FTC) last Spring (see our blog post here) are increasingly relevant. Most notably, as more health-related information becomes digital, digital health businesses will need to revisit long-standing privacy, intellectual property protection, notice and consent practices that may not be well-suited to the more sensitive category of consumer-generated health information (CHI) (i.e., health-related information that consumers submit to or through mobile apps and devices). In many cases, the law is underdeveloped and businesses must develop and implement their own best practices to demonstrate good faith as stewards of CHI.

We predict that CHI and the issues raised by its collection, use, disclosure and storage will stay on the FTC’s radar during 2015. Perhaps the FTC will offer some insight about its position on CHI through guidance or regulatory activity related to a digital health business.

With mobile devices proliferating, the volume, versatility and variety of consumer-generated data, including CHI, also is proliferating. CHI typically stands outside of HIPAA’s regulatory silo. HIPAA regulates health plans, health care clearinghouses, health care providers who engage in standardized transactions with health plans and the business associates that assist health plans, clearinghouses and providers, and need protected health information to provide that assistance. Mobile medical services and environments, however, typically fall outside of this framework: most mobile apps, for example, are used directly by consumers, and often at the direction of and under the control of plans and providers. HIPAA may have, however, more reach into the growing business-to-business mobile app sector.

But, in the CHI arena, the sources of privacy and security regulation are murky. Among likely hot topics in 2015 are:

When is consumer-generated information also consumer-generated health information?
Can data ever be “de-identified” or made anonymous in light of the so-called mosaic (or pointillist) effect?
What role can the “pay with data” model play in consumer protection?
Is all CHI deserving of the same level of protection?
What sources of oversight exist and are they sufficient?

The news is ripe with references to data “privacy” and data “security,” but the sensitivity associated with health information requires thinking about data “stewardship” – a broader concept that encompasses not only privacy and security but also data asset management and data governance. Data stewardship captures not only data as an asset, but also as an opportunity to earn public trust and confidence while preserving innovation.

We predict that how to be good data stewards will be a critical issue for digital health businesses in 2015 and that forward-looking and transparent efforts at self-policing will be key to not only avoiding regulatory scrutiny but also fostering consumer trust.

Big Data

Big Data was big news [...]

Continue Reading

Privacy and Data Protection: 2014 Year in Review

by Daniel F. Gottlieb | Dec 11, 2014 | Advertising & Marketing, Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Ecommerce, Electronic Contracting, Email/Spam, General Interest, Mobile Apps, Promotions, Sweepstakes & Contests, Social Media, Text Messaging, Workplace Privacy

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.

This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.

Read the full report here.

Is There an End in Sight for EU Data Protection Reform?

by McDermott Will & Emery | Dec 2, 2014 | Big Data, Consumer Protection, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

On 5 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), together with Germany’s Federal Data Protection Commissioner, Andrea Voβhoff, held a panel discussion in respect of the state of play and perspectives on EU data protection reform.

Although participants identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues could be overcome, and the process completed, before the end of 2015.

Background

The EDPS is an independent supervisory authority whose members are elected by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the European Union’s institutions and bodies. The role of the EDPS includes inter alia advising on privacy legislation and policies to the European Commission, the European Parliament and the Council and working with other data protection authorities (DPA) to promote consistent data protection throughout Europe.

The proposed data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC) (the Directive) and aims not only to give individuals more control over their personal data, but also make it easier for companies to work across borders by harmonising laws between all EU Member States. The European Parliament and the Civil Liberties, Justice and Home Affairs (LIBE) Committee have driven the progress on new data protection laws, but there has been frustration aimed at the Council of Ministers for their slow progress. Following the vote by the European Parliament in March 2014 in favour of the new data protection laws, the next steps include the full Ordinary Legislative Procedure (co-decision procedure), which requires the European Parliament and the Council to reach agreement together.

The panel discussion attendees were made up of institutional representatives and key figures involved in the EU Data Protection Reform Package, including: Stefano Mura (Head of the Department for International Affairs at Italy’s Ministry of Justice); Jan Albrecht MEP (Vice-Chair and Rapporteur of the European Parliament LIBE Committee); and Isabelle Falque-Pierrotin (President of CNIL and Chair of the Article 29 Working Party). The purpose of the panel discussion was to consider the outstanding issues and next steps to finalise proposals on EU data protection reform, particularly in the context of the recent CJEU rulings on data retention and the right to be forgotten.

Key Messages

The key points raised during the panel discussion included:

There is optimism that the reform process will be completed in the next year subject to resolving outstanding issues, such as:
- Whether public authority processing should be included in the proposed data protection regulation – Andrea Voshoff commented that this issue was being considered by the Council of Ministers Committee in relation to the introduction of a clause preventing the lowering of standards by national laws. Stefano Mura added that while there is a desire for both a uniform approach between the EU Member States and a right for Member States to regulate their own public sectors, a [...]
  
  Continue Reading

Older Posts »

« Newer Posts

BLOG EDITORS

Amanda Enyeart

Marshall E. Jackson, Jr.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS