FTC Issues Policy Statement Affirming that Health Apps and Connected Device Companies Must Comply with FTC’s Health Breach Notification Rule

At an open commission meeting on Wednesday, September 15th, the Federal Trade Commission (FTC) voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources need to comply with the FTC’s August 2009 Health Breach Notification Rule. The policy statement serves as a notice to health apps and connected devices – companies that are traditionally not covered entities under HIPAA – “of their ongoing obligation to come clean about breaches”. The statement also affirms that the entities may be subject to civil penalties of up to $43,792 per violation per day.

The American Recovery and Reinvestment Act of 2009 (Recovery Act of 2009) required the FTC to enforce breach notification requirements with respect to vendors and third parties and to adopt a rule implementing such requirements. Under the Health Breach Notification Rule, vendors of personal health records and related entities must notify U.S. consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information.

Acknowledging that it has now been more than a decade since the promulgation of the Health Breach Notification Rule and that there has been a proliferation of apps and technologies that consumers can now use “to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas,” the FTC affirmed on Wednesday that apps capable of drawing information from multiple sources (such as through a combination of consumer inputs and APIs) are covered, even if the health information comes from only one source.

You can read the full policy statement of the FTC here.

FTC Chair Lina M. Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted in favor of the policy statement, while Commissioners Joshua Phillips and Christine S. Wilson each issued dissenting statements. The dissenting opinions asserted that this statutory and regulatory opinion should be determined in the context of the rulemaking process that is currently under way, rather than a policy statement.

It is important that companies developing health apps and connected devices be aware of this announcement. Beckage closely monitors developments in laws and regulations governing health data and breach response. Beckage’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising; prior results do not guarantee similar outcomes.


Website Accessibility

Eastern District of New York Holds a Website By Itself is Not Place of Public Accommodation

Website class actions alleging violations of the Americans with Disabilities Act (“ADA”) continue to dominate the court systems. These lawsuits are indiscriminate, involving businesses of all sizes across a myriad of industries. Commonly, these lawsuits involve a plaintiff who suffers from a disability and has attempted to access a business’s website, alleging that the website itself should be considered a place of public accommodation, but that their disability hindered their enjoyment of the business’s services. Nevertheless, a court in the Eastern District of New York has unequivocally concluded that a website is not a “place of public accommodation” within the meaning of Title III of the ADA.

Winegard v. Newsday LLC

On July 31, 2019, Plaintiff Jay Winegard, a legally deaf individual residing in Queens, New York, filed an action in the Eastern District of New York against the news service provider Newsday. Winegard alleged that Newsday violated the Americans with Disabilities Act, the New York State Human Rights Law, the New York State Civil Rights Law, and the New York City Human Rights Law in failing to provide closed captioning on two of the videos it hosted on its website.

On May 1, 2020, Newsday filed a Motion to Dismiss, arguing, in relevant part, that Newsday is not a place of public accommodation within the meaning of Title III of the ADA.

On August 16, 2021, while initially observing that the Second Circuit has not squarely resolved whether a website itself is a place of public accommodation, the Eastern District of New York concluded that “the ADA excludes, by its plain language, the websites of businesses with no public-facing, physical retail operations from the definition of” places of public accommodation. In reaching its conclusion, the court relied heavily upon the text of the ADA, noting that the ADA’s definitions of places of public accommodation were overwhelmingly comprised of physical locations.

Echoing the recent Eleventh Circuit holding in Gil v. Winn-Dixie, the court further called upon Congress to clarify whether the places of public accommodation include websites and further remarked that in the thirty-one years since the passage of the ADA, Congress has failed to add non-physical places to the definition of places of public accommodation.

Finally, the court in Winegard concluded that previous Second Circuit reliance on Pallozzi v. Allstate Life Insurance Co. is misplaced, as that matter dealt with the enjoyment of insurance services which still had to be procured at a physical location.

What does this mean going forward?

While the Court’s decision in Winegard may not initially upend all website-based ADA claims in the Second Circuit, it is yet another example of the eroding argument that websites are automatically places of public accommodation. To that end, it is important that companies are proactive and prioritize accessibility to put themselves into a legally defensible position.

At Beckage, we have a team of highly skilled attorneys and technologists who are uniquely situated to help clients navigate website accessibility and work towards national and international standards with other privacy and security laws. Beckage works with clients at all stages of accessibility analysis and is here to help make your company ADA compliant and help ensure your company has the right tools in place to mitigate risk.


*Attorney advertising; prior results do not guarantee similar outcomes.

Cryptocurrency

What Recent Cryptocurrency Heists Reveal About Blockchain Security

In early August 2021, blockchain-based platform Poly Network reported a hack in which malicious actors moved an equivalent of $600 million in cryptocurrencies to their private wallets. This hack was the largest ever, exceeding the 2014 hack of a Tokyo-based bitcoin exchange, which led to the theft of the equivalent of $460 million. A few days later, DAO Maker, a decentralized finance (DeFi) crypto platform, announced a hack and theft of 2,261 Ethereum (the equivalent of $7 million at the time of the hack).

These heists reveal potential security vulnerabilities in the current system for purchasing and exchanging cryptocurrencies, despite the general promises of security provided by decentralized cryptocurrencies.

To understand how these cryptocurrency heists occurred, it is crucial to understand how cryptocurrency functions, and in particular how certain organizations provide cryptocurrency conversion services (e.g., converting Bitcoin to Ethereum). Traditionally, forms of currency (often referred to as “fiat” currency when distinguished from cryptocurrencies) are government-issued and rely on a centralized banking system to validate money transfers and accounts. Most fiat currencies are not backed by commodities, such as gold, and therefore have no intrinsic value. Value in fiat currency derives from consumer confidence (and is subject to government manipulation).

Cryptocurrencies, such as Bitcoin or Ethereum, however, are decentralized currencies with no central banking or financial system to validate transactions. Rather, these currencies rely on a network of users to validate transactions and balances. The technology that supports the storing and validating of transactions in a database (essentially a digital ledger) is called blockchain.

Most cryptocurrencies distribute this blockchain ledger database across their users. The users earn rewards (usually in the form of cryptocurrency) for hosting the ledger, validating transactions in the blockchain ledger, and solving complex computational math problems.

Cryptocurrency Transfer

The lack of centralization creates complexities in converting currencies. Traditional exchange services involving fiat currency are handled by financial institutions that have the capacity to receive one type of currency (e.g., the U.S. dollar) and provide the equivalent amount in a different currency (e.g., the euro).

Performing a similar instant exchange among cryptocurrencies requires an exchange service to stockpile multiple cryptocurrencies. Of course, this type of exchange service is inherently centralized – and that centralization of decentralized currency creates the security vulnerability that led to the recent string of cryptocurrency heists.

The attackers targeted the code behind the accounts that convert cryptocurrencies and injected malicious code that made the exchange service believe that the attacker was the intended recipient of the converted cryptocurrency. The attackers ultimately redirected the currency into their personal wallets.

These recent events do not mean that those interested in holding or trading cryptocurrency should entirely avoid the use of exchanges. No transaction is 100% secure, and users should understand the potential risk involved in exchanging cryptocurrencies or converting fiat currency within the current systems of exchange.

The legal concerns stemming from these incidents mirror those in traditional incidents involving consumer information or fiat funds. However, the potential risk of loss is increased by the fact that cryptocurrency transactions in certain instances are uniquely untraceable and irreversible, meaning that the exchange may not be able to recover the stolen funds. Further compounding the risk is that these crypto exchange services may not have the same financial protections, insurance, or government backing as traditional financial institutions.

These events serve as a reminder that the security provided by decentralized currency may be lost when that currency is funneled through a centralized exchange.

*Attorney advertising: prior results do not guarantee future outcomes.
