The Internet of Pills: The FDA’s Approval of Digital Smart Pills Takes the Internet of Things to New Levels

If your insurance company knew that you did not take your medication as prescribed, could it deny future coverage? Could your physician refuse to continue to treat you? What if your medication was an anti-psychotic; could you be terminated from your employment? Could you be ordered to take it as a condition of parole? What other rights could be impacted?

These 1984-type questions are being asked today because the Food and Drug Administration has approved the first “smart pill,” Abilify MyCite, a medicine for the treatment of schizophrenia and related disorders, which can include paranoia and delusions. The pill is embedded with a digital sensor that records whether, when and in what amount you have taken your prescription medicine and reports that information to a companion app.

Proponents of digital medicine claim it will improve overall public health, especially for the forgetful among us. They point out that many patients with these types of conditions do not take their medication regularly, with severe consequences.

Opponents warn that the new data-collecting pills can create an environment that coerces patients into taking medicine they would otherwise choose not to take. As quoted in the N.Y. Times, Dr. Paul Appelbaum, director of law, ethics and psychiatry at Columbia University’s psychiatric department, warns that “[m]any of those patients don’t take meds because they don’t like side effects, or don’t think they have an illness, or because they become paranoid about the doctor or the doctor’s intentions.” He wonders why a drug treating these particular symptoms was chosen as the starting point for this new data-gathering tool.

The medicinal, legal, and practical ramifications of this “Internet of Pills” will be played out in the courts, in doctors’ offices and in many unanticipated ways over the next several years.

All Eyes on Equifax

As news around the world has reported, the Equifax data breach, which ran from mid-May through July, resulted in the exposure of sensitive personal information of approximately 143 million American consumers. Although this may not be the largest data breach ever, it has been regarded as one of the most significant because of the sensitivity of the information at risk: Social Security numbers, driver’s license numbers, addresses, and more.

The Federal Trade Commission (FTC) confirmed this month that it is “actively investigating” the data breach due to the “intense public interest and potential impact” of the breach. The breach is also being investigated by the Department of Justice, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. The investigations were the result of action by multiple senators and legislative committees highlighting the severity of the breach and the deficiencies of Equifax’s response, as well as threats by several states to bring suit against Equifax.

Senator Mark Warner (D-Va) sent a detailed letter to the acting head of the FTC calling for the investigation, and calling for the agency to scrutinize Equifax for the security lapses and its poor handling of customer service after the breach was disclosed. Specifically, Sen. Warner has stated: “The hack was awful but then [Equifax’s] response to the hack continued to show [Equifax’s] incompetence. This should be a new impetus to move.”

The investigations are expected to cover the alleged errors by Equifax leading up to the breach and in its handling of the breach. In addition to the security weaknesses that allegedly led to the breach, the investigations will also look at potential insider trading by Equifax executives, who sold stock more than a month before the breach was made public, and at ambiguous language in Equifax’s Terms of Service purporting to waive a consumer’s right to sue the company.

Most importantly, the FTC’s investigation of the Equifax breach could provide momentum for Congress to act on federal data privacy legislation. Although this legislation has been long pushed for by advocates and elected officials, the efforts have proved unsuccessful in recent years. Sen. Mark Warner has stated that he is working on efforts to pass a data breach notification law requiring companies to notify customers about a breach within a certain narrow time frame. Given the scope of the breach, and Equifax’s response, this may be the final straw to prompt a definitive reaction from Washington.

The SEC Takes Action to Protect Retail Investors

In recent years, retail data breaches have become the norm. The news is filled with stories of hackers, identity theft, and credit monitoring. A topic we rarely hear about, however, is the impact a data breach can have on investors, and in particular on retail (individual) investors. Data breaches can have serious consequences for the breached company and, by extension, its shareholders, through both lost revenue and increased expenses. To address this, the SEC has announced two new initiatives aimed in part at protecting retail investors from cyber-related misconduct: a Cyber Unit within its Division of Enforcement and a Retail Strategy Task Force. To learn more, see the SEC’s September 25, 2017 press release.

The Equifax Mass Hack Serves as a Reminder for All to Take Action

Equifax, one of the “big three” credit-reporting agencies and a broker in personal-identifying data, announced September 7 “a cybersecurity incident,” as stated in a mea culpa by its Chairman and CEO Richard Smith.

Smith explained that hackers gained access to the names, dates of birth, Social Security numbers and addresses, and in some cases the driver’s license and credit card numbers, of 143 million Americans. That is nearly half the United States’ population, many of whom were unaware Equifax had their information to begin with. Equifax obtains this data from creditors, who report credit activity on individuals, rather than from the individuals themselves.

In response, the financial institutions that report to Equifax, and the individuals it tracks and rates, will be filing lawsuits across the country. Two such lawsuits sprang up within hours of Equifax’s announcement, filed in federal courts in Portland and Atlanta on behalf of nationwide classes. Large-scale litigation of this kind is par for the course in the aftermath of high-profile data breaches and can result in settlement payments of hundreds of millions of dollars.

Just recently, Target agreed to pay over $39 million to settle litigation with banks and another $18.5 million to settle with state attorneys general over a 2013 breach that exposed 40 million credit and debit cards and the personal information of up to 70 million customers. Heartland, a credit card processing company, paid out over $110 million to credit card companies and individuals for a 2008 breach that exposed about 130 million credit and debit cards. And in June of this year, Anthem agreed to pay $115 million to settle litigation over a 2015 hack that compromised about 79 million people’s personal information.

Equifax appears to have been bracing for such litigation during the nearly six weeks between its discovery of the breach on July 29 and its public disclosure on September 7. During that time, it created a website that in theory allows individuals to check whether they are among the 44% of Americans affected by the breach. The website invites those affected to “Click the button below to continue your enrollment in TrustedID Premier”—an Equifax credit monitoring service that is free, but only for one year. Notably, enrollment requires that you accept Equifax’s Terms of Use. Those terms seemingly required arbitration of all disputes, and waiver of the ability to bring or participate in a class action lawsuit, such as those filed in Portland and Atlanta.

That arbitration provision and class action waiver received heavy criticism and sparked an investigation by New York Attorney General Eric Schneiderman who called the provision “unacceptable and unenforceable.” Equifax subsequently updated its terms to remove the provision.

The website had other problems, however, that have not been resolved. It has been described as a marketing funnel for Equifax’s own credit protection service, the value of which is in serious question. Moreover, the website has not worked reliably.

It gives inconsistent reports to people, myself included. On September 7, the website stated that my information was not impacted. On September 8, it said it was. Others have experienced the same, or received “System Unavailable” messages. One has to question whether Equifax even knows the full extent of its breach.

As an individual, take this as a reminder to protect yourself to the extent possible: create strong passwords unique to each website, take advantage of security features like two-step authentication wherever they are offered, and consider ending relationships with businesses that do not offer them. If you believe you were affected by the Equifax breach, and there is nearly a 50/50 chance you were, consider placing a credit freeze, which must be requested separately from each of the three major credit bureaus.

As a holder of consumer information, this is a reminder of the incredible focus that must be paid to securing your customers’ privacy. It is also a reminder to review your own customer agreements. Equifax was in a unique position because it did not have an agreement with the people whose information it carried. If you do, this is a good time to consider consulting with a lawyer as to whether you need an arbitration provision and class action waiver or, if such provisions are already in your agreements, whether they are legally current and, thus, enforceable.

Privacy Risks with Snail Mail

With all (or most) eyes on privacy issues in cyberspace, companies can lose sight of traditional methods of violating privacy rights.

A recent example is Aetna’s late-July mailing of roughly 12,000 letters in large-windowed envelopes that easily revealed the recipients’ names, addresses, and HIV status and/or HIV prevention information. While the number of affected individuals may seem comparatively low, the incident nevertheless garnered negative publicity and regulatory attention.

Since privacy violations can lead to lawsuits, heavy fines, or even criminal penalties, companies—especially those that handle protected information—should review their mailing policies. If third-party mailing companies are used, those companies’ policies should also be reviewed.

Some policies that may help reduce potential privacy breaches for snail mail include:

  • Using heavier-stock or security envelopes with no windows
  • NOT using envelopes with pre-printed sender information if that information would itself reveal something private (for example, if your organization’s name reveals the specific medical condition your patients have)
  • Having someone spot check the final product
  • Making sure that addresses are up-to-date
  • Using a form letter that only provides generalized information and instead requiring the patient to contact your office for particularly sensitive information, such as test results
  • Eliminating unnecessary confidential information (such as Social Security Numbers)
  • Shredding and/or proper disposal of misprinted mail
  • Training employees or vendors regularly

If you need further or specific guidance, or guidance on other media, please do not hesitate to speak to an attorney.

SEC Study Shows Improved Cybersecurity Preparedness in the Investment Industry, But Improvement Still Needed

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert summarizing the OCIE staff’s “observations from the Cybersecurity 2 Initiative examinations,” which involved validation and testing of the procedures and controls of 75 broker-dealers, investment advisers, and investment companies. The staff noted that a majority of firms’ policies and procedures “appeared to have issues.” For more information, please see the Risk Alert itself.

Questions Remain as to Extent of HBO Cyberattack

On Monday, HBO acknowledged that it had been the victim of a cyberattack. The hacker(s) claiming responsibility use the alias “little.finger66,” a reference to HBO’s hit show, Game of Thrones.

The hackers accessed an estimated 1.5 terabytes of data. They have leaked full episodes of Ballers and Room 104, as well as a script from the upcoming episode of Game of Thrones. They promise that more is to come. HBO is working with law enforcement and private security firms to examine the extent of the breach and to protect its data.

HBO has expressed an intent to offer its employees credit monitoring, which raises questions as to whether human resources records were accessed. Thankfully for subscribers, at this time, there is no indication that the hackers accessed subscribers’ login credentials or payment information.

Also, luckily for HBO, it appears that HBO’s email system was not compromised in its entirety, unlike in the Sony Pictures Entertainment breach in 2014. The release of confidential and proprietary information following the Sony breach – such as executives’ salaries and embarrassing email communications – sent ripples through the entertainment industry and led Sony Pictures’ then co-chairman to resign. It also resulted in a class action lawsuit brought by certain Sony employees.

We will continue to monitor this story as it unfolds.

Updated HIPAA Breach Reporting Tool Launched by HHS

“…a more positive, relevant source of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . . To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”

The HBRT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyberattack.

The Petrwrap/Petya attack, which reportedly first appeared in the firm’s office in Spain, forced DLA to shut down its network and phone system. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, and with law enforcement including the FBI and the UK National Crime Agency, to recover from the attack and get its systems back online. In the meantime, the firm’s lawyers were without access to company phones and email.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in Ukraine, where the most severe damage was sustained, the malware quickly spread to the United States and across Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it spread, are still being investigated. Researchers have reported that it resembles WannaCry in using the EternalBlue SMB exploit to spread across networks, but differs in that it also harvests administrative credentials from infected machines and uses them, through legitimate remote-administration tools, to reach systems that were already patched, so patching alone is not a complete defense. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.


SCOTUS to Address Whether There is a Reasonable Expectation of Privacy in Mobile Phone Location Data

On June 5, 2017, the United States Supreme Court granted a petition for a writ of certiorari in Carpenter v. United States, from the Sixth Circuit Court of Appeals. The Supreme Court will have to address whether the Fourth Amendment requires a warrant for government access to historical cell-site location records. In Carpenter, the government obtained several months’ worth of cell phone location records for robbery suspects without a probable cause warrant. For one suspect, Timothy Carpenter, the records revealed 12,898 separate points of location data. For another suspect, Timothy Sanders, the records revealed 23,034 separate points of location data.

FBI agent Christopher Hess offered expert testimony explaining that the cell phone data acquired under the Stored Communications Act (“SCA”) (18 U.S.C. Chapter 121, §§ 2701–2712) indicated that Carpenter’s and Sanders’ phones were within one-half mile to two miles of the location of each of the robberies around the time the event occurred. Carpenter and Sanders sought to suppress this evidence under the Fourth Amendment, but the district court denied their motion.

The SCA permits the government to obtain records where “specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”—a much lower bar than the probable cause needed to obtain a run-of-the-mill search warrant.

A divided panel of the Sixth Circuit stated that, “although the content of personal communications is private, the information necessary to get those communications from point A to point B is not.” For example, while individuals may enjoy a reasonable expectation of privacy regarding the content of their telephone calls, they do not have the same expectation for the numbers dialed. The court concluded that, “[t]oday, the same distinction applies to internet communications,” i.e., while the Fourth Amendment protects the contents of an email, it does not protect metadata. The Sixth Circuit joins the Fourth, Fifth, and Eleventh Circuits in holding that there is no reasonable expectation of privacy in historical cell site location information under the Fourth Amendment, and therefore no warrant is required.

Numerous lower court judges encountering the issue have followed the Supreme Court’s third-party-doctrine cases, which hold that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. However, this line of thinking has been deemed antiquated by some in light of the vast amounts of data that are collected on a daily basis. Justice Sotomayor noted in United States v. Jones, that it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties and that this approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. 132 S. Ct. 945, 957 (2012).

In recognition of this changing tide, and relevant to the issue presented in Carpenter, some courts have concluded that individuals have a reasonable expectation of privacy in their location. For example, in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), aff’d on other grounds sub nom. Jones, 132 S. Ct. 945, the D.C. Circuit held that using a GPS device to surreptitiously track a car over the course of 28 days violated reasonable expectations of privacy and was therefore a Fourth Amendment search. Id. at 563. The court explained that “[p]rolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than any individual trip viewed in isolation.” Id. at 562. Therefore, the court reasoned, people have a reasonable expectation of privacy in that kind of intimate and private information.

Collecting and analyzing cell phone records can, and often does, reveal extraordinarily sensitive details about a person’s life. This case will have an enormous impact on how the Fourth Amendment applies to collected data and on an individual’s expectation of privacy in the ever-progressing digital age.