Category Archives: Electronic Communication

Court action against FCC’s “net neutrality” rules could change rules of Internet service

The “open” nature of high-speed Internet service in the United States may be at risk based on a new appeals court ruling that struck down the Federal Communications Commission’s “net neutrality” regulations.

Since 2010, the FCC regulations, known as the “Open Internet Order,” have prohibited broadband service providers (ISPs) from blocking access to lawful content, as well as from blocking applications that compete with the provider’s service offerings. The Order also prohibits providers of fixed broadband service (i.e., non-mobile broadband) from unreasonably discriminating in transmitting lawful Internet traffic, such as by granting preferred status or speeds to websites that are affiliated with the provider or that pay a fee to the provider.

The Court’s decision in Verizon v. Federal Communications Commission struck down most of the Open Internet Order.  In particular, the Court said that the FCC went beyond its regulatory authority in imposing the anti-blocking and anti-discrimination rules on ISPs.

Notably, the Court did not say that the FCC could never impose such rules on ISPs. Instead, the Court found issue with the way that the FCC imposed the rules on ISPs. Specifically, the Court faulted the FCC for creating rules that could be considered common carrier obligations and then imposing them on ISPs that were not considered to be “common carriers” under the Communications Act.

The Court did uphold the Order’s requirement that ISPs disclose to consumers accurate information about their network management practices, performance and commercial terms of service.  So, although an ISP can now block or slow a particular website, it must disclose that practice to its subscribers.

The FCC is expected to appeal the decision. Alternatively, the FCC could attempt to re-write the rules within the guidelines of the decision. Either way, it will be interesting to see whether any broadband service providers change the way that they deliver services to consumers. Under the Court’s ruling, an ISP that is also a cable service provider could block or slow certain over-the-top services so long as it discloses that fact to subscribers. An ISP could charge a higher fee for access to certain sites, or perhaps a reduced fee to consumers who are willing to accept a more limited scope of the World Wide Web. Alternatively, some ISPs may use the Court’s ruling as an opportunity to attract new consumers by pledging to make all sites freely available without blocking or discrimination.

Either way, consumers are likely to see changes in their broadband service soon based on the new ruling.

New Data Breach 411 app helps companies navigate data breach laws

It’s a general counsel’s worst nightmare. Sensitive data. Gone. Stolen by faceless thieves who breached the company’s seemingly secure network.

As my partner Scott Vernick of Fox Rothschild recently stated:  “Data breaches can severely impact a company’s reputation and have debilitating consequences to businesses big and small.”

A new mobile phone app launched by the Fox Rothschild Privacy and Data Security Practice provides a guide to swift damage control in situations like this. The app—called Data Breach 411—can help companies who are affected by a breach navigate the various laws and regulations relating to data breaches. Currently, 46 states have laws in place addressing how organizations should prepare for and respond to the loss or theft of data.

According to Vernick:  “Our app is a ‘one stop shop’ for in-house counsel and privacy officers to instantly access the relevant state-specific details on what they need to do, who they need to notify, when and how. The ability to access these state rules at your fingertips can make all the difference in terms of what’s at stake for an organization: loss of reputational integrity, public trust and business, and time-consuming and costly remediation efforts.”

Information available via the Data Breach 411 app includes:

  • State Security Breach Statutes: An alphabetical listing of the states that have data breach laws in place and links to all the relevant notification statutes.
  • HIPAA/HITECH Statutes: Breach notification rules and other pertinent information related to the loss or theft of personal health information.
  • Resources: Links to credit agencies and credit monitoring services as well as the FTC website. Also, a section on COPPA – the Children’s Online Privacy Protection Act – and relevant information surrounding the mining of data on minors. This section also includes links to Fox’s Privacy Compliance & Data Security Blog and its HIPAA, HITECH and Health Information Technology Blog.

The Data Breach 411 app is currently available for free in the iTunes Store. An Android version will be available soon. To download the app, click here.

Does your website privacy policy describe how you handle “do not track” requests? If not, read this . . .

A new California state law is prompting businesses around the country to update their website privacy policies to more fully describe how the business handles certain customer data.

California’s Online Privacy Protection Act (CalOPPA) already required any commercial website or online service that collected personally-identifiable data from California residents to post a privacy policy. The new law amends CalOPPA to mandate that privacy policies explicitly describe how the website or service will respond to “do not track” requests from users.

My partner Mark McCreary prepared a detailed summary of the CalOPPA amendment and its additional disclosure requirements.  Mark’s summary is available via this link.

Federal Trade Commission issues new “.com Disclosures” guidance for online advertising

On March 13, 2013, the FTC updated its “.com Disclosures” guidance document for online disclosures to address new issues resulting from the expanding use of smartphones and other mobile devices for advertising purposes.

Originally published in 2000, the FTC guide addresses how companies who are engaged in online advertising should provide the various disclosures that are required by the laws that the FTC enforces. These disclosures include those required to prevent a claim that a particular advertisement is misleading or deceptive. Examples include:

FTC proposes update to children’s online privacy rules

The Federal Trade Commission (FTC) has proposed an updated set of online privacy rules to address the use of new technologies, including mobile technologies, by children under the age of 13. The original rules, issued in 2000 to implement requirements of the Children’s Online Privacy Protection Act (COPPA), require operators of commercial websites and online services directed to children under age 13 to:

  • post a privacy policy describing how the site handles children’s personal information;
  • provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information;
  • give parents the option to allow the operator to collect and use a child’s information, but not disclose it to third parties;
  • give parents access to their child’s personal information for review and/or deletion;
  • give parents the opportunity to prevent further use of the information; and
  • maintain the confidentiality, security, and integrity of information collected from children.

Changes proposed in the new rule include:

  • an expanded definition of “personal information” that includes substantially all information that can be used for online profiling or directed behavioral advertising – including geo-location information, instant messaging user IDs, voice over IP (VOIP) identifiers, video chat user IDs, and tracking cookies;
  • a requirement that key information be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy;
  • new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s identification is deleted promptly after verification is done;
  • a requirement that website operators ensure that service providers or others to whom they disclose a child’s personal information implement reasonable procedures to protect it, retain the information for only as long as is reasonably necessary, and properly delete the information; and
  • a requirement that self-regulatory “safe harbor programs” audit their members at least annually and report the results of those audits to the FTC.

The FTC will accept comments on the proposed rules through November 28, 2011.

Social Media Use in Doctor / Patient Communications

My colleague Rebekah Monson recently co-authored an article discussing the growth of social media as a tool for doctor/patient communications. Although this use of social media requires careful consideration so that private information is not Tweeted, Facebooked, or otherwise made available for public view, Rebekah points out that

Social media is a powerful tool that can be used effectively and efficiently for peer, patient, and family communication, as well as a vehicle for learning, as part of patient education, graduate medical education (GME), and continuing medical education (CME). . . .The Internet is replete with lay opinions and medical misinformation. Surgeons who use social media have a unique opportunity and non-legal responsibility to critically review and correct this misinformation.

The full text of Rebekah’s article can be found here.



HIPAA privacy violations result in penalties exceeding $4.3 million

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA privacy rule.  The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General. 

My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods.  As Rebekah notes in the article:

While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.

The full text of the article is available here.