
July 25, 2016

Data, Privacy & Security Practice Report – July 25, 2016

$2.7 Million HIPAA Settlement – Last week, Oregon Health & Science University (“OHSU”) agreed to pay $2.7 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, Privacy Rule, and Breach Notification Rule.  OHSU is a public academic health center and research university located in Portland, Oregon.

In 2013, OHSU notified the United States Department of Health and Human Services, Office for Civil Rights (“OCR”), of two breach incidents.  The first incident occurred when an unencrypted laptop containing electronic protected health information (“ePHI”) was stolen.  The second incident occurred when OHSU employees stored ePHI on an internet-based storage system, also known as cloud storage, in order to maintain patient spreadsheets.  In that incident, there was no evidence that the stored ePHI was accessed or used by anyone who did not have a legitimate need to view the information.  However, the breach resulted because the cloud storage service provider was not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, as required by 45 C.F.R. § 164.308(b).

After receiving the notifications from OHSU, OCR initiated an investigation and found that OHSU had implemented policies and procedures pursuant to the HIPAA Rules.  However, OCR found that OHSU failed to fully comply with the HIPAA Rules during certain time periods.  For instance, from January 5, 2011, until July 3, 2013, OHSU failed to “implement policies and procedures to prevent, detect, contain, and correct security violations” as required by 45 C.F.R. § 164.308(a)(1)(i).

OCR has the authority to conduct compliance reviews and investigations of complaints alleging violations of the HIPAA Rules.  Specifically, the HIPAA Security Rule sets forth certain safeguards for ePHI.  HIPAA covered entities and business associates must comply with the requirements of the HIPAA Rules.  OHSU is a covered entity, as defined at 45 C.F.R. § 160.103.

The settlement between OCR and OHSU resolves these potential violations by OHSU of the HIPAA Rules.  According to the settlement, OHSU will pay $2.7 million and comply with a corrective action plan.  Under the corrective action plan, OHSU must develop and maintain a comprehensive risk management plan and implement a solution that will ensure all OHSU owned and personally-owned devices that access ePHI on OHSU’s secure network are encrypted.  In addition, OHSU must provide privacy and security training for all OHSU workforce members with access to PHI and ePHI.  OCR will monitor OHSU’s compliance with the corrective action plan over the next three years.

Reporter, Jennifer Raghavan, San Francisco, CA, +1 415 318 1234

Criminal Mugshots Are Privacy-Protected Says Divided Sixth Circuit Panel – A deeply divided en banc panel of the U.S. Court of Appeals for the Sixth Circuit held that federal authorities can withhold criminal booking photos requested by the public pursuant to the Freedom of Information Act (“FOIA”).  The court cited privacy interests in the digital age as the main driver of its holding.  The Detroit Free Press initiated the lawsuit after the U.S. Marshals Service refused the newspaper’s request for the booking photos of four Michigan police officers charged with public corruption crimes.  The Sixth Circuit’s decision overturned a 20-year-old precedent by the same court that found no privacy right for individuals depicted in mugshots.

In reversing its 1996 decision, the Sixth Circuit relied on FOIA exemption 7(C).  Under FOIA, the government is required to disclose records to the public unless the records fall into one of nine FOIA exemptions.  Exemption 7(C) authorizes federal agencies to withhold requested records for “law enforcement purposes” when their public release “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”  When an agency withholds records pursuant to Exemption 7(C), however, the public can still gain access to the records by showing that the public interest in disclosure outweighs any privacy interests.   

Authored by Circuit Judge Deborah L. Cook, the majority opinion found that criminal mugshots “fit squarely within the realm of embarrassing and humiliating information,” which establishes a “non-trivial privacy interest in the booking photos.”  The court found that “[i]n 1996, this court could not have known or expected that a booking photo could haunt the depicted individual for decades.”  “Experience,” wrote Judge Cook, “has taught us otherwise.”  The court, therefore, found that the privacy interest of arrested individuals outweighed any public interest in the photos.  Nine judges signed onto the majority opinion, and seven signed onto the dissent.

The dissent, authored by Circuit Judge Danny J. Boggs, argued that the majority’s decision “undermine[d] the public confidence that is essential to any effective criminal justice system.”  Instead of preventing the disclosure of mugshots, the dissent argued that a balance between privacy concerns and the free flow of information could be achieved by other means.

Prior to the Sixth Circuit’s reversal, there was a circuit split as to whether the public had automatic access to the booking photos of criminal defendants under FOIA.  In 2012, the Sixth Circuit became the lone holdout: the Sixth Circuit-covered jurisdictions of Michigan, Ohio, Kentucky, and Tennessee allowed the public unfettered access to mugshots, while the rest of the country could not access photos without overcoming the privacy interests of arrested individuals.  Also in 2012, however, the U.S. Marshals Service adopted a nationwide policy to refuse all requests for federal criminal mugshots.  Several lawsuits by the Detroit Free Press ensued.

Despite the narrowness of the majority’s victory, the Sixth Circuit’s decision puts an end to the circuit split . . . at least for now.  Free press advocates hope to appeal to the U.S. Supreme Court.    

Reporter, Bailey J. Langner, San Francisco, CA, +1 415 318 1214

Meteoric Rise Of Pokémon Go Spurs Privacy Concerns – What is now more popular than Facebook, Twitter, and Tinder?  Pokémon Go.  As the hit smartphone game’s popularity has grown since it was released on July 6, so has scrutiny of the type and quantity of data it collects, uses, and shares.  Regulators and users are concerned that the game is accessing and storing users’ private data, such as location, emails, and photos.  A range of privacy and consumer protection laws could be used to address these growing concerns.

Niantic Inc., which spun off from Google in 2015, developed Pokémon Go with Nintendo and The Pokémon Company.  The Pokémon franchise became a cultural phenomenon in the early 2000s, initially as a trading card game, and then with spin-offs into other games, movies, and a television show.  The franchise is now making a comeback with Pokémon Go.  Niantic originally developed the hugely popular augmented reality game “Ingress,” which allows competing teams to capture virtual items through their smartphones in a real-world setting.  Pokémon Go combines the Pokémon game with the Ingress platform.  Like Ingress, Pokémon Go uses smartphone cameras and the ability to track users’ time and location to create a real-world scenario in which users can catch virtual Pokémon.  The game also uses “lure” and “gym” features to steer users to one location to catch Pokémon.

The amount of publicity the game has received has led to heightened attention around the now common privacy issues of over-collection of adult users’ data and protection of children’s data.

The game’s privacy policy allows it to collect “fairly extensive” data on users.  Although the game’s disclosures appear to be fairly standard and comprehensive in explaining how and what data is collected from both adults and children, the Federal Trade Commission (“FTC”) and state consumer protection and unfair competition authorities may scrutinize whether these disclosures match up with the data the game actually collects and how such information is used.

Given the FTC’s recent concerns about technology companies tracking users’ precise locations, regulators could be particularly focused on how Pokémon Go uses location data.  In June, the FTC imposed a $4 million civil penalty on mobile advertising company Inmobi to resolve claims that it tracked smartphone users’ exact locations to target them with geo-specific advertising, but did not secure their permission to do so.  The allegations against Inmobi included assertions that the company violated the Children’s Online Privacy Protection Act by gathering information about children without their parents’ permission.

Similarly, Pokémon Go may be scrutinized for how it tracks data on the location of children—one of its target audiences—although the game does take steps to identify the users under age 13 and gain their parents’ consent.  Some lawmakers are already questioning whether this consent provides enough protection.  For example, Senator Al Franken of Minnesota sent a letter to Niantic Chief Executive John Hanke asking how the game ensures that the parents’ consent is “meaningful.”  “I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” Sen. Franken wrote.

Even if consent is obtained, there is concern that the game collects information it does not need.  For example, initially, the game’s disclosure policy allowed Pokémon Go to delve into iPhone users’ Google email accounts and documents without alerting the users.  A patch released on July 13 allows the company only to see basic account information.  But this may not stop hackers from gaining access to the information, and because the game collects so much data on users, it may be a tempting target for hackers.

One area of interest is how Niantic will share the data it collects through the game.  The company’s privacy policy states that the company may “share aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes.”  This may allow Niantic to sell this information to marketers to track players’ daily commutes, for example, as long as the data is aggregated and contains no identifying information. 

In the future, users who have claims relating to the game’s use of personal information, and its ability to potentially share that information with others, may file lawsuits under the Computer Fraud and Abuse Act or the Video Privacy Protection Act.  But those lawsuits would raise new legal questions regarding what constitutes “authorization” to access information on a smartphone, and whether Pokémon Go players are “subscribers” of goods or services, respectively.

Reporter, Bethany Rupert, Atlanta, GA, +1 404 572 3525

Baseball Hacking Scandal Leads To 4-Year Sentence And MLB Investigation – On Monday, July 18, 2016, the U.S. District Court for the Southern District of Texas sentenced former St. Louis Cardinals scouting director Chris Correa to nearly four years in prison for the hacking of the Houston Astros’ emails and player information database.  The following day, Major League Baseball announced it will launch its own investigation into the hacking scandal now that the criminal case has concluded.  The case marks the first known instance of criminal corporate espionage in U.S. professional sports.

Correa’s unauthorized access to the Astros’ data did not involve sophisticated hacking – rather, he gained access to the confidential data after a Cardinals employee resigned to take a job with the Astros.  Correa received the departing employee’s Cardinals-issued computer, along with that device’s password, and used variations of the password to figure out the employee’s new password with the Astros.  Those credentials gave Correa unauthorized access to the now-Astros employee’s email account and the “Ground Control” player information database maintained by the Astros organization.

Over the course of a year and at least 5 log-in attempts, Correa viewed, among other protected data, an Astros report that discussed team prospects, certain player contracts and related bonus offers, and information on the Astros’ potential trades with other MLB teams.  The intended loss to the Astros for all of Correa’s privacy breaches totaled $1.7 million.  Correa pled guilty earlier this year to five counts of unauthorized access of a protected computer and was sentenced last week to 46 months in prison.

Following Correa’s sentencing, MLB Commissioner Rob Manfred asked the League’s Department of Investigations to conduct a complete investigation of the facts in this matter.  The MLB investigation could potentially lead to penalties for the Cardinals organization, which fired Correa in July 2015.  According to the Major League Baseball Constitution, the commissioner has broad power to “investigate . . . any act, transaction or practice charged, alleged or suspected to be not in the best interest of the national game of baseball,” and can take punitive action against MLB clubs, owners, employees or players involved.

Reporter, Nicole Pereira, New York, NY, +1 212 556 2132

Congressional Report Finds FDIC Data Breach Response Obstructed Congressional Oversight – On July 12, the U.S. House of Representatives Committee on Science, Space, and Technology (the “Science Committee”) released a report regarding its investigation of an October 2015 data breach and the subsequent response of the Federal Deposit Insurance Corporation (“FDIC”).  The Science Committee’s report found that the FDIC’s cybersecurity practices were deficient and that its responses to the Science Committee’s requests for information were deliberately evasive and constituted willful obstruction of the investigation.  On July 14, FDIC Chairman Martin Gruenberg testified before the Science Committee, admitting that the FDIC’s response to the October breach was marked by several failures. 

On October 15, 2015, an FDIC employee copied personally identifiable information affecting more than 71,000 individuals and entities onto a portable storage device prior to departing the FDIC’s employment.  The FDIC referred the incident to the Office of Inspector General (“OIG”) in November 2015, but did not notify the Science Committee (as required under Office of Management and Budget guidelines for a breach of that size) until February 26, 2016. 

The FDIC’s February letter to the Science Committee characterized the October breach as affecting over 10,000 individuals, but the OIG later determined that the breach was much larger than the FDIC had reported.  Additionally, in an April briefing to Science Committee staff, FDIC staff misrepresented the former employee’s behavior as accidental.  In May, the FDIC’s Chief Information Officer Lawrence Gross testified that the former employee was “not computer proficient.”  However, the OIG’s report showed that the individual had in fact intentionally copied the files and possessed a graduate degree in Information Technology Management. 

These mischaracterizations, combined with the FDIC’s response to several other incidents, contributed to the Science Committee’s finding that FDIC Chief Information Officer Gross has contributed to a “toxic work environment,” resulting in a history of failing to take steps to prevent data breaches.  FDIC Chairman Gruenberg told the Science Committee on July 14 that the FDIC is working on taking corrective actions to minimize the potential for similar incidents. 

Reporter, Tom Randall, Washington, DC, +1 202 626 5586

Also In The News

Brexit: Parallel UK-EU Lines On Data Privacy? – The British public’s vote to leave the European Union has wide-ranging implications for many aspects of the law, with one growing area of focus being Brexit’s potential impact on the UK’s data privacy laws.  In her article, King & Spalding attorney Kim Roberts discusses that potential impact.  To access the article, click here.

King & Spalding Issues Client Alert Regarding The EU’s New Cybersecurity Standards – On July 6, 2016, the European Parliament gave final approval to the Network and Information Security Directive (“Directive”), the first-ever EU-wide cybersecurity standards.  The Directive requires “operators of essential services” and some internet services providers to adhere to minimum cybersecurity standards and report significant cyber-attacks to public authorities.  The new regime, which creates substantial compliance and regulatory obstacles to a broad range of businesses operating within the European Union, will come into force in August 2016.  Member states will then have until May 2018 to implement the Directive and incorporate it into their national laws.  The client alert on the matter, issued by the Business Litigation and Data, Privacy & Security Practice Groups at King & Spalding, can be accessed here.