FTC Issues Policy Statement Affirming that Health Apps and Connected Device Companies Must Comply with FTC’s Health Breach Notification Rule

At an open commission meeting on Wednesday, September 15th, the Federal Trade Commission (FTC) voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources need to comply with the FTC’s August 2009 Health Breach Notification Rule. The policy statement serves as a notice to health apps and connected devices – companies that are traditionally not covered entities under HIPAA –  “of their ongoing obligation to come clean about breaches”.  The statement also affirms that the entities may be subject to civil penalties of up to $43,792 per violation per day.

The American Recovery and Reinvestment Act of 2009 (Recovery Act of 2009) required the FTC to enforce breach notification requirements with respect to vendors and third parties and to adopt a rule implementing such requirements. Under the Health Breach Notification Rule, vendors of personal health records and related entities must notify U.S. consumers and the FTC, and, in some cases the media, if there has been a breach of unsecured identifiable health information.

Acknowledging that it has now been more than a decade since the promulgation of the Health Breach Notification Rule and that there has been a proliferation of apps and technologies that consumers can now use “to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas,” the FTC affirmed on Wednesday that apps capable of drawing information from multiple sources (such as through a combination of consumer inputs and APIs) are covered, even if the health information comes from only one source.

You can read the full policy statement of the FTC here.

FTC Chair Lina M. Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted in favor of the policy statement, while Commissioners Joshua Phillips and Christine S. Wilson each issued dissenting statements. The dissenting opinions asserted that this statutory and regulatory opinion should be determined in the context of the rulemaking process that is currently under way, rather than a policy statement.

It is important that companies developing health apps and connected devices be aware of this announcement. Beckage closely monitors developments in laws and regulations governing health data and breach response. Beckage’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising; prior results do not guarantee similar outcomes.

Eastern District of New York Holds a Website By Itself is Not Place of Public Accommodation

Website class actions alleging violations of the Americans with Disabilities Act (“ADA”) continue to dominate the court systems. These lawsuits are indiscriminate, involving businesses of all sizes across a myriad of industries. Commonly, these lawsuits involve a plaintiff who suffers from a disability and attempted to access a business’s website, alleging that the website itself should be considered a place of public accommodation, but their disability hindered their enjoyment of the business’s services. Nevertheless, a court in the Eastern District of New York has unequivocally concluded that a website is not a “place of public accommodation” within the meaning of Title III of the ADA.

Winegard v. Newsday LLC

On July 31, 2019, Plaintiff Jay Winegard, a legally deaf individual residing in Queens, New York, filed an action in the Eastern District of New York against the news service provider Newsday. Winegard alleged that Newsday violated the Americans with Disabilities Act, the New York State Human Rights Law, the New York State Civil Rights Law, and the New York City Human Rights Law in failing to provide closed captioning on two of the videos it hosted on its website.

On May 1, 2020, Newsday filed a Motion to Dismiss, arguing, in relevant part, that Newsday is not a place of public accommodation within the meaning of Title III of the ADA.

On August 16, 2021, while initially observing that the Second Circuit has not squarely resolved whether a website itself is a place of public accommodation, the Eastern District of New York concluded that “the ADA excludes, by its plain language, the websites of businesses with no public-facing, physical retail operations from the definition of” places of public accommodation. In reaching its conclusion, the court relied heavily upon the text of the ADA, noting that the ADA’s definitions of places of public accommodation were overwhelmingly comprised of physical locations.

Echoing the recent Eleventh Circuit holding in Gil v. Winn-Dixie, the court further called upon Congress to clarify whether the places of public accommodation include websites and further remarked that in the thirty-one years since the passage of the ADA, Congress has failed to add non-physical places to the definition of places of public accommodation.

Finally, the court in Winegard concluded that previous Second Circuit reliance on Pallozzi v. Allstate Life Insurance Co. is misplaced, as that matter dealt with the enjoyment of insurance services which still had to be procured at a physical location.

What does this mean going forward?

Whereas the Court’s decision in Winegard may not initially upend all website-based ADA claims in the Second Circuit, it is yet another example of the eroding argument that websites are automatically places of public accommodation. To that end, it is important that companies are proactive and prioritize accessibility to put themselves into a legally defensible position.

At Beckage, we have a team of highly skilled attorneys and technologists who are uniquely situated to help clients navigate website accessibility and work towards national and international standards with other privacy and security laws. Beckage works with clients at all stages of accessibility analysis and is here to help make your company ADA compliant and help ensure your company has the right tools in place to mitigate risk.

*Attorney Advertising; prior results do not guarantee similar outcomes.  

What Recent Cryptocurrency Heists Reveal About Blockchain Security

In early August 2021, blockchain-based platform Poly Network reported a hack in which malicious actors moved an equivalent of $600 million in cryptocurrencies to their private wallets. This hack was the largest ever, after the 2014 hack of a Tokyo-based bitcoin exchange, which led to the theft of the equivalent of $460 million. A few days later, DAO Maker, a decentralized finance (DeFi) crypto platform, announced a hack and theft of 2,261 Ethereum (the equivalent of $7 million at the time of the hack).

These heists reveal potential security vulnerabilities in the current system for purchasing and exchanging cryptocurrencies, despite the general promises of security provided by decentralized cryptocurrencies.

To understand how these cryptocurrency heists occurred, it is crucial to understand how cryptocurrency functions and, in particular, how certain organizations provide cryptocurrency conversion services (e.g., converting Bitcoin to Ethereum). Traditionally, forms of currency (often referred to as “fiat” currency when distinguished from cryptocurrencies) are government issued and rely on a centralized banking system to validate money transfers and accounts. Most fiat currencies are not backed by commodities, such as gold, and therefore have no intrinsic value. Value in fiat currency derives from consumer confidence (and is subject to government manipulation).

Cryptocurrencies, such as Bitcoin or Ethereum, however, are decentralized currencies with no central banking or financial system to validate transactions. Rather, these currencies rely on a network of users to validate transactions and balances. The technology that supports the storing and validating of transactions in a database (essentially a digital ledger) is called blockchain.

Most cryptocurrencies distribute this blockchain ledger database across their users. The users earn rewards (usually in the form of cryptocurrency) for hosting the ledger, validating transactions in the blockchain ledger, and solving complex computational math problems.

The lack of centralization creates complexities in converting currencies. Traditional exchange services involving fiat currency are handled by financial institutions that have the capacity to receive one type of currency (e.g., the U.S. Dollar) and provide the equivalent amount in a different currency (e.g., the Euro).

Performing a similar instant exchange among cryptocurrencies requires an exchange service to stockpile multiple cryptocurrencies. Of course, this type of exchange service is inherently centralized – and that centralization of decentralized currency creates the security vulnerability that led to the recent string of cryptocurrency heists.

The attackers targeted the code behind the accounts that convert cryptocurrencies and injected malicious code that made the exchange service believe that the attacker was the intended recipient of the converted cryptocurrency.  The attackers ultimately redirected the currency into their personal wallets.

These recent events do not mean that those interested in holding or trading cryptocurrency should entirely avoid the use of exchanges. No transaction is 100% secure, and users should understand the potential risk involved in exchanging cryptocurrencies or converting fiat currency within the current systems of exchange.

The legal concerns stemming from these incidents mirror those in traditional incidents involving consumer information or fiat funds. However, the potential risk of loss is increased by the fact that cryptocurrency transactions in certain instances are uniquely untraceable and irreversible, meaning that the exchange may not be able to recover the stolen funds. Further compounding the risk is that these crypto exchange services may not have the same financial protections, insurance, or government backing as traditional financial institutions.

These events serve as a reminder that the security provided by decentralized currency may be lost when that currency is funneled through a centralized exchange.

*Attorney advertising: prior results do not guarantee future outcomes.

Jennifer A. Beckage, Esq., Named to 2022 Best Lawyers List

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E has been selected by her peers for inclusion in the 2022 Edition of The Best Lawyers in America© for her work in Electronic Discovery and Information Management Law.

Recognition by Best Lawyers is based entirely on peer review.  The methodology is designed to capture, as accurately as possible, the consensus opinion of leading lawyers about the professional abilities of their colleagues within the same geographical area and legal practice area.

Jennifer Beckage is Managing Director of Beckage, a 360-degree technology law firm with a recognized focus on data security and privacy compliance, incident response, and litigation. Throughout her legal career, she has responded to numerous headline-making, national and international cybersecurity incidents.  Ms. Beckage is also a frequent contributor to the global conversation surrounding incident response, speaking at several legal and cybersecurity industry events annually and providing interviews and quotes to national media on topics related to technology and cybersecurity.  She is a Certified Information Privacy Professional, United States (CIPP/US) and Certified Information Privacy Professional, Europe (CIPP/E) and a recognized Super Lawyer in the Technology Transactions category.  Prior to her legal career, Ms. Beckage owned and led technology companies and served as an executive of a publicly traded company.

 

Jodi Beaubien - Head of Cyber Partnerships

AUSTIN, TX, August 9, 2021 — Nationally recognized, women-owned tech law firm, Beckage, is pleased to announce the addition of Jodi Beaubien, who will serve as Head of Cyber Partnerships.

In this role, Jodi will act as a liaison and direct point of contact for incident management and data breach services for Beckage’s partners, while also overseeing the development and implementation of new client and partner offerings. She will also work closely with Beckage’s global 24/7 incident response team, which is made up of lawyers and technologists.

Prior to joining Beckage, Jodi served as Head of Cyber Risk Solutions at a Fortune 500 company specializing in cybersecurity technology. She is a thought-leader in the technology and data security industries and has significant experience working with large companies on international incident response and communication strategy. Jodi began her career in crisis communications in New York City, during the events and aftermath of 9/11, where she worked with FEMA, HUD and other agencies to provide critical support to those displaced and impacted.

Jodi frequently speaks for large, global organizations on cybersecurity topics, including ransomware and infrastructure defense from attacks. She is also a contributor to the global cybersecurity and technology conversation and has published several articles on crisis communications in national and international media, such as HR Today.

Jodi holds an MBA in Organizational Management with a concentration in Project Management (magna cum laude) from The Forbes Business School, an Executive Certification in Leadership Development from Columbia University, and a B.S. in Organizational Development (summa cum laude) from Ashford University.  Among her designations, she maintains certifications from the Society for Human Resources Management and the Project Management Institute.

Jodi’s breadth of experience and skilled communication spans beyond incident management. She concerns herself with stakeholder priorities while acting as a conduit between the firm, the carrier, and the affected organization, both pre and post incident. Her value to the firm and our partners will be unparalleled.

About Beckage: Beckage is a women-owned law firm that focuses on technology, data security, and privacy. The firm is also a NetDiligence Platinum Authorized Breach Coach, a designation provided to law firms that demonstrate the highest level of competency and sophistication in data breach response. Beckage attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, incident response, government investigations, technology intellectual property, and emerging technologies such as Artificial Intelligence (AI), digital currencies, Internet of Things (IoT) devices, and 5G networks. Beckage has offices from California to New York.

###

Contact: Morgan Neal
mneal@beckage.com
585.738.2438
