 September 20, 2020  Posted by  Business, Court, Featured News, Healthcare

A press release from California’s Attorney General, posted September 17:

SACRAMENTO – California Attorney General Xavier Becerra today announced a landmark settlement against Glow, Inc. (Glow), a technology company that operates a fertility-tracking mobile app that stores personal and medical information. The settlement, which is subject to court approval, resolves the Attorney General’s investigation of Glow’s app for serious privacy and basic security failures that put women’s highly-sensitive personal and medical information at risk. In addition to a $250,000 civil penalty, the settlement includes injunctive terms that require Glow to comply with state consumer protection and privacy laws, and a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women.

“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” said Attorney General Becerra. “Mobile apps, like Glow, that make it their business to collect sensitive medical information know they must ensure your privacy and security. Excuses are not an option. A digital disclosure of your private medical records is instantaneously and eternally available to the world. Today’s settlement is a wake up call not just for Glow, Inc., but for every app maker that handles sensitive private data.”

The Attorney General’s complaint alleges the Glow app:

  • Failed to adequately safeguard health information;
  • Allowed access to user’s information without the user’s consent; and
  • Additional security problems with the app’s password change function could have allowed third parties to reset user account passwords and access information in those accounts without user consent.

The injunctive terms of the settlement require Glow to incorporate privacy and security design principles into its mobile apps. Glow will also be required to obtain affirmative consent from users prior to sharing or disclosing personal, medical, or sensitive information, and it will be required to allow users to revoke previously granted consent.

Attorney General Becerra has secured other novel injunctions to protect consumers. Since taking office in January 2017, he has announced a $600 million settlement with Equifax for improperly exposing the personal information of 147 million consumers; a $148 million settlement with Uber for failing to notify regulators and users of a data breach; an $18.5 million settlement with Target for failing to provide reasonable data security; a $935,000 settlement with Aetna for illegally revealing that patients were taking HIV-related medication; and a $3.5 million settlement with Lenovo for illegally preinstalling software that compromised the security of its computers.

A copy of the settlement, which is subject to court approval, is available here. A copy of the complaint is available here.

h/t, Centennial Man

 September 20, 2020  Posted by  Govt, Healthcare, Non-U.S., Surveillance

Farhat Nasim reports:

Expressing concern over breach of data privacy, chemist body, All India Organization of Chemists & Druggists (AIOCD) recently moved comments and feedback on the Draft Health Data Management Policy with Indu Bhushan, CEO, National Health Authority (NHA). The draft policy was first published on August 26, 2020, and a week was given for consultation as well as for sending objections to the policy.

…  Rajiv Singhal General Secretary AIOCD said, “The Policy should also clearly lay down the lawful procedures for the authorities authorized under the policy /data fiduciaries or other health service providers for accessing the sensitive and or personal data of an individual so that an amount of ‘checks and balances’ is maintained and also to ensure that the privacy of an individual is safe at all times. The Policy also does not contain sufficient safeguards for the encryption of sensitive data.”

Read more on Medical Dialogues.

 September 19, 2020  Posted by  Online, Surveillance, U.S., Youth & Schools

 The Rutherford Institute has issued a precautionary “opt out” letter as a means by which families whose children are taking part in remote learning / virtual classes might assert their Fourth Amendment privacy rights and guard against intrusive government surveillance posed by remote learning technologies. The Institute released its model “Parental Reservation of Rights – Remote Learning Surveillance” letter in the wake of a growing number of incidents in which students have been suspended and reported to police by school officials for having toy guns nearby while taking part in virtual schooling.

Read more on The Rutherford Institute.

h/t, Joe Cadillic

 September 19, 2020  Posted by  Court, Featured News, Non-U.S.

Louise Freeman, Dan Cooper, Katharine Kinchlea and Tom Cusworth of Covington & Burling write:

The English High Court has recently awarded damages in a data privacy case, with two features of particular interest.  First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation.  Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.

Read more on InsidePrivacy.