Privacy and Data Security

Worker Safety, Privacy Clash as Temperature Checks Become Norm

Employers are poised to collect health data from their workforces daily as they adopt temperature checks and other screening protocols to fight the coronavirus, triggering concerns about workers’ privacy and whether the practices will continue beyond the pandemic. “The temperature checks give employees and customers the feeling of safety and the idea that the company is doing everything possible, even if the screenings don’t protect the workplace,” said Michael Sheehan, a partner with McDermott Will & Emery, in a recent Bloomberg Law article. Access the full article.


COVID-19: FAQs on Employees Experiencing Symptoms and Employee Absences

With rapid developments in local, state and federal guidance and law, the appropriate approach for each employer in relation to COVID-19 will vary depending on the nature of their work, the industries served and their location and size, among other considerations. This article outlines what employers need to know about employees experiencing symptoms and employee absences. Access the full article.


Five Reasons Why Telehealth Is Here to Stay (COVID-19 And Beyond)

Telehealth is no longer just a nice-to-have, but instead a must-have for patients and healthcare professionals alike during the COVID-19 pandemic. Lisa Mazur, partner at McDermott Will & Emery specializing in the digital healthcare space, is quoted in a recent Forbes article about why telehealth is here to stay: “Telehealth was already experiencing significant momentum and growth prior to this public health emergency, and its continued trajectory has been solidified by the vital role it is playing in care delivery today.” Access the full article.


The Rise of Facial Recognition Technology: Mapping the Legal Framework

In January 2020, the Supreme Court decided it would not hear the issue of whether Facebook broke the law in Illinois when it instituted a photo-tagging feature that homed in on users’ faces and tagged them without their consent, and Facebook has now settled with the users for $550 million. The Illinois law is part of a patchwork of laws applicable to facial recognition technology (FRT). McDermott’s Ashley Winton contributes to the second installment of a three-part article series on FRT. This article examines the applicable legal framework and regulatory guidance, including intellectual property rights, general privacy legislation, specific state biometric data laws and more. Access the full article. Originally published on Cybersecurity Law Report, February 2020


HIPAA Boss Sees ‘Low-Hanging Fruit’ Ripe For Enforcement

Healthcare providers and insurers are still making tons of rookie mistakes on patient privacy, turning themselves into easy enforcement targets, according to Roger Severino, director of the US Department of Health and Human Services. Severino made headlines in 2017 for expressing interest in punishing a "big, juicy, egregious" privacy breach, and seemingly followed through with a $16 million settlement stemming from Anthem Inc.'s megabreach involving 79 million patients. But an emphasis on smaller violations makes sense in light of the OCR's recent acknowledgement of limits on its penalty powers, said Edward G. Zacharias, a McDermott partner. Access the full article. Originally posted on Law360, February 2020


4 Ways to Manage Retirement Plan Data in New Era of Cybersecurity

IBM estimated last year that data breaches cost companies $148 per stolen record. Given that, not surprisingly, many employers have grown increasingly concerned about the potential impact of such breaches, including breaches that may affect employer-sponsored benefit plans. Courts have not yet formally addressed whether ERISA requires benefit plan fiduciaries to manage cybersecurity risks. However, a federal district court recently rejected a motion to dismiss filed by defendants seeking to avoid liability for fraudulent distributions from a plan caused by cyber criminals. There, the court held that the defendants were plan fiduciaries and that the plaintiffs had pled facts sufficient to allege that the defendants breached their fiduciary duties. Although this decision only relates to a motion to dismiss, the case underscores the potential for plaintiffs to assert, even in the absence of clear guidance, that plan fiduciaries are not doing enough to protect...


2018 Digital Health Data Developments – Navigating Change in 2019

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their...


GDPR 6 Months After Implementation: Where are We Now?

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside...


Internal Revenue Service Outlines Critical Cybersecurity Safeguards to Protect Sensitive Data

The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the “Security Six,” a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the “Security Six” in order to protect sensitive data from cyberattacks. Access the full article. We would also like to thank law clerk Charnae Supplee for contributing to this article.
