October 30, 2018

Data, Privacy & Security Practice Report – October 30, 2018

FDA Proposes Updates To Premarket Cybersecurity Guidance For Medical Devices – The U.S. Food and Drug Administration (“FDA”) released updated draft guidelines on how medical device manufacturers should protect against data breaches and viruses prior to marketing their products.  The new draft, once finalized, will replace the agency’s 2014 guidance on the subject.

As indicated in its October 18 draft, the FDA’s modifications to its premarket cybersecurity guidance are intended to reflect the current threat landscape.  The FDA’s new recommendations touch on device design, labeling, and the documentation included in premarket submissions for agency approval.  The FDA hopes that manufacturers will proactively address possible cyber concerns when developing, designing, and ultimately marketing their medical devices.  In addition, the guidance recommends that manufacturers prepare a “cybersecurity bill of materials,” a list of the commercial, open source, and off-the-shelf software and hardware components included in a device.  According to the FDA, this information will better enable users (patients, providers, and healthcare delivery organizations) to effectively manage their devices, understand the potential impact of a disclosed vulnerability in a listed component, and deploy appropriate countermeasures.

As part of its guidance, the FDA created two tiers of medical devices based on the cybersecurity risks associated with the specific products.  Tier 1 products, those deemed a “higher security risk,” include devices capable of connecting to another medical or non-medical product, or to a network or the internet, whether wired or wireless.  These types of devices—e.g., defibrillators, pacemakers, insulin pumps, and the support systems that interact with them—are so classified because an incident affecting the device could result in direct harm to patients.  Tier 2 devices, those with “standard cybersecurity risk,” are products that do not qualify for Tier 1 status.

The FDA will conduct a public workshop for affected stakeholders on January 29-30, 2019 to discuss the draft guidance before it is finalized.  Medical device manufacturers are also reminded of the FDA’s postmarket guidance, released in 2016, which includes recommendations for maintaining the cybersecurity of network-connected devices once they are in use.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214,


Class Action Filed Against Housekeeping Company Under Illinois Biometric Privacy Act –  A proposed class action lawsuit filed in Illinois against Xanitos Inc., a Pennsylvania-based hospital housekeeping company, alleges that its employee timekeeping system violates the Biometric Information Privacy Act (“BIPA”), an Illinois state law. 

Passed in 2008, BIPA defines a biometric identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and sets standards for private entities that collect, possess, or store such information.  Companies must (i) provide notice and obtain written consent from the individual before biometric information is collected; (ii) securely store biometric information using a reasonable standard of care; and (iii) destroy the information in a timely manner under a publicly available retention schedule.  BIPA allows individuals to file a lawsuit for violations, with liquidated damages of $1,000 per negligent violation or $5,000 per reckless or intentional violation.

The Illinois lawsuit claims that Xanitos requires employees to use fingerprint scanning for timekeeping at the beginning and end of each shift.  The case filings further allege that Xanitos did not provide employees with notice or obtain written consent authorizing the collection of their biometric information, and did not disclose a retention schedule.  In addition to attorneys’ fees and costs, the plaintiff is seeking $1,000 per violation for each proposed class member, a class that includes any Illinois resident whose biometric information was obtained by Xanitos.

A bill to amend BIPA, SB 3053, is pending before the Illinois General Assembly and proposes to offer exemptions for private entities if:

“(i) the biometric information is used exclusively for employment, human resources, fraud prevention, or security purposes; (ii) the private entity does not sell, lease, trade, or similarly profit from the biometric identifier or biometric information collected; or (iii) the private entity stores, transmits, and protects the biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”

Since BIPA’s passage a decade ago, only Washington and Texas have passed similar laws.

Reporter, Julie C. Crawford, Washington, D.C.,  +1 202 661 7814,


K&S Client Alert: U.S. Department Of Justice Issues New Guidance On The Use And Selection Of Corporate Monitors In Criminal Cases – Just three months into the job, Brian Benczkowski, the head of the U.S. Department of Justice’s criminal division, has issued a memorandum entitled “Selection of Monitors in Criminal Division Matters,” providing new guidance on the usage and selection of independent corporate monitors.

A copy of the King & Spalding Client Alert on this topic can be found here.

K&S eLearn Seminar: Washington Insight: What Will Election 2018 Mean for You? – On November 6th, Americans will cast their votes in what could be the most expensive nonpresidential election in our nation’s history. Control of the House of Representatives and the Senate is at stake with the winning parties setting the legislative agendas in their respective houses for the next two years. Importantly, the outcome of the election will set the stage for the 2020 presidential election campaign which unofficially begins on November 7th.

Join us as we discuss the impact of the elections, including:

  • Will Democrats win the 23 seats they need to gain majority control of the House? Will Republicans increase their numbers in the Senate? Regardless of who is in control, what will the leadership of the House look like?
  • What will the priorities of the next Congress be and what will they mean for your industry? Will healthcare and the ACA be on the agenda? What’s the future of tariffs? If Republicans retain control of both chambers, will there be more tax reform?
  • How will you be prepared for the next two years?
  • Finally, what will the results of the 2018 midterm elections mean for the 2020 presidential election?

Please join the Washington, D.C.-based Government Affairs and Public Policy practice of King & Spalding LLP on Thursday, November 8, from 12:30 P.M. to 1:30 P.M. as we dissect the Election Day results and provide insight on what’s to come in the lame-duck session, in 2019, and as America gears up for Election 2020.
