Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information was based upon a thorough analysis of factors the Pennsylvania Supreme Court has established for determining the existence of a duty.  The dissent analyzed the same factors but argued that on balance, they weighed in favor of finding a duty. Continue Reading

Switzerland and the United States Agree Privacy Shield Framework

The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect.

Background Continue Reading

The new Cybersecurity Law of China: What does it mean for the International Market?

On 7 November, the government of the People’s Republic of China passed the much-anticipated Cyber Security Law of China, which will come into force 1 June 2017. After first and second drafts were put out for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that was ultimately passed into law.

China’s cyber history Continue Reading

EU Commission publishes its proposals for new e-Privacy Regulation

On 10 January, the EU Commission proposed a new Regulation on Privacy and Electronic Communications (“proposed Regulation”) to replace Directive 2002/58 (known as the “ePrivacy Directive”).

The proposed Regulation

The proposed Regulation aims to align the rules that apply to electronic communications services with the forthcoming General Data Protection Regulation (GDPR). Continue Reading

Implementing the GDPR: Reed Smith Webinar on Planning your Path to Compliance in 2017

We are hosting a webinar on January 30, 2017, to discuss the new obligations global organisations with interests in Europe will need to meet to comply with the GDPR. With just over 16 months to go until the Regulation will be enforced, it is vital that you understand the requirements and that you are able to plan your compliance activity over the coming months, in a way that is both commercial and practical for your business.

To register for our webinar, please click here

To refresh your memory on the GDPR and the new requirements in advance of the webinar, please download the materials below. These materials are designed to provide a practical guide to the Regulation and consist of:

  • A handy foldout guide listing the steps on the path to compliance, in the same order they will be looked at for the webinar: click here to download
  • A 2-page flyer with the headline information you need to know, as an introduction to the Regulation: click here to download
  • A 20-page booklet giving a more detailed look at the new obligations and changes from the previous legislation: click here to download

We hope you can join us for this webinar. Please contact one of the team members if you have any questions.

NIST Publishes Introduction to Privacy Engineering and Risk Management to Assist Agencies and Organizations in Designing Privacy-Compliant Systems

On January 4, 2017, the National Institute of Standards and Technology (“NIST”) published the final version of NIST IR 8062 “An Introduction to Privacy Engineering and Risk management in Federal Systems.”  The report introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on systems.  In the blog post accompanying the release, NIST notes that the report is intended to address the absence of a vocabulary for talking about privacy outcomes and to produce “processes that are repeatable and could lead to measurable results.”

To this end, the report introduces three (3) privacy engineering objectives, which are intended to help system designers, engineers and policy teams to help “bridge the gap between high-level privacy principles and their implementation within systems.” These objectives are defined as follows: Continue Reading

Federal Circuit Clarifies Descriptiveness Standard in Overturning ‘Dotblog’ Trademark Refusal

It’s not uncommon for internet-based services to utilize names referencing their online presence, much like it is not uncommon for the monikers of app-based services to refer to their mobile format. But at what point does a suggestive term become merely descriptive to the point that it can be denied trademark registration? The United States Court of Appeals for the Federal Circuit weighed in on that question in a January 4 opinion that overturned the U.S. Patent and Trademark Office’s refusal to register the mark “Dotblog.” According to the Federal Circuit, the earlier refusal was in error because it “incorrectly concluded that the proposed mark is descriptive rather than suggestive,” and offered insight into how courts might determine the category into which a proposed mark should be placed.

At issue in the appeal was Driven Innovations’ application to register “Dotblog” as a trademark. The company described the mark as referring to “a service…us[ing] proprietary search techniques to find relevant and current blog posts relating to any given search query and provide….a summary report of what those posts are saying about” that query.  The USPTO refused registration, finding it merely descriptive, and confirmed the decision on appeal, concluding that (in the words of the Federal Circuit): Continue Reading

Article 29 Working Party issues guidance on data portability, DPOs and lead supervisory authorities

As we enter 2017, 2018 doesn’t seem that far away…and with the new General Data Protection Regulation (GDPR) due to come into effect from 25 May 2018, organisations are running out of time to ensure compliance with the new data protection requirements. It is therefore not surprising that the Article 29 Working Party (“Working Party”) is already issuing guidance.

Here, we discuss the Working Party’s recent guidelines on: Continue Reading

FDA Releases Guidance on Cybersecurity and Medical Devices

The FDA represents the latest federal agency to show a focus on cybersecurity issues with the release December 28 of new guidance. While the prospect of network-enabled medical devices increasingly offers the promise of improved care and patient treatment, evolving technology and new-found connectivity present emerging security considerations as well.

The Food and Drug Administration issued final nonbinding recommendations for industry and FDA staff on Postmarket Management of Cybersecurity in Medical Devices. The 30-page guidance particularly flagged the need to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device. It also supported rigorous risk-assessment programs to measure the potential impact of vulnerabilities on patient safety.

The recommendations represent FDA’s current thinking on the issue and do not bind FDA or the public. FDA is responsible for reviewing, approving, and regulating medical products, including pharmaceutical drugs and medical devices, as well as food, cosmetics, and other products.

As part of its recommendations, FDA encouraged the use and adoption of the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” issued by the National Institute of Standards and Technology. Under that framework, manufacturers “Identify, Protect, Detect, Respond and Recover” throughout the lifecycle of the product.

Other recommendations included implementing comprehensive cybersecurity risk management programs and documentation (such as complaint handling), threat modeling, and focusing on assessing the risk of patient harm by considering the exploitability of the vulnerability and the severity of patient harm should the vulnerability be exploited. The guidance provides details on how risk assessment may be deployed.

FDA also clarified the circumstances under which it would require that companies notify the agency of actions taken to correct device cybersecurity vulnerabilities under 21 CFR part 806. Additionally, for Premarket Approval devices with periodic reporting requirements, FDA recommended that certain information regarding cybersecurity vulnerabilities and resulting device changes should be included in the reports to the agency.

Government agencies are increasingly focused on cybersecurity, and FDA follows in the path of agencies, including NIST, as discussed above, as well as the Federal Trade Commission, in releasing nonbinding guidance on how to assess and respond to vulnerabilities. Though these recommendations are voluntary, the federal government is steadily building a baseline of its expectations for industry, and it will consider these expectations when investigating industry practices.

See a previous post on our sister blog, Drug & Device Law, here.

Advertising Law 2016: Top 5 Trending Topics

Jason Gordon and Michael Strauss penned an article for Law360 about the top five trends that dominated advertising law in 2016.  The article discusses core advertising industry issues such as media transparency, SAG-AFTRA, Federal Trade Commission enforcement efforts, and the gamification of mobile apps.

To find out more, click here.