Tag Archives: data

HIPAA-Covered Entity Exemption To CCPA, Don’t Be Mistaken – You May Still Have To Comply

With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly-exempt personal information collected by HIPAA-Covered Entities, but in turn only exempts information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.

HIPAA-Covered Entity Data Could Be Subject to CCPA

What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.

Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.

What This Means for HIPAA-Covered Entities

Start your data mapping now. To determine what information is collected that is not protected under HIPAA and, to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what’s being done with the data and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.

As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations. Here is a link for more information about our team: Privacy Team

Want to learn more about CCPA, click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

Share Button

GDPR One Year Later: Has Your Company Sorted Through The Confusion And Risks – What U.S. Companies Need To Remember

It’s been more than 1 year since Europe’s General Data Protection Regulations (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S. based companies. However, it is clear, there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S. based companies put aside the issue of whether they needed to focus dollars and time on complying with GDPR. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws (like GDPR), companies who avoided GDPR should review the jurisdictional requirements to confirm their compliance obligations.


Why should a U.S. (or local Midwest based) company pay attention to a set of regulations providing rights (in general) to residents of European nations? The answer is simple; GDPR’s extra-territorial reach allows European nations who have adopted GDPR to latch onto U.S. based companies who have no physical presence in Europe. A U.S. based company with no operations (or other establishment) in Europe will be subject to GDPR jurisdiction if the company either (1) offers goods or services to residents of European nations, or (2) monitors the behavior (i.e. through its website) of residents of European nations.


Companies who desire to start formulating a plan with respect to data privacy compliance should start with data mapping. Understanding where and who data is collected from, what the company does with the data and where and who data is shared with will help a company determine what data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.


Among other things, GDPR requires a company to include specific disclosures in its website’s privacy policy, to have in place consent rights and disclosures with respect to the use of cookies, and to formulate various technical and operational policies and procedures with respect to the treatment and use of data.

Penalties under GDPR for noncompliance can be hefty and upwards of $20 million Euros or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties, suits by supervisory authorities or private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S. based companies.


Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S. based companies are seeing their customers and services providers require them to comply with the terms of GDPR (through flow-down liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.

What this means for most U.S. based companies, is that if GDPR is not yet on your radar (or you subtly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S. based companies will be impacted by various data privacy state laws working their way through local legislation. Starting with GDPR analysis is just the beginning!


As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans. Here is a link for more information on our team: Privacy Team

Click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

Share Button

Lurking in the Shadows – Is Your Business Affected By The California Consumer Privacy Act?

Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA.  As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.

The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:

  • With annual gross revenue greater than $25 million (not just in California),
  • That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
  • That get 50% or more of their revenue from selling or sharing the personal information of California residents. 

Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA. 

The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.

In the meantime, it is useful to look at what the law, in its current form, will require. From a practical perspective, for businesses already following California’s existing privacy laws, some of the main differences under the new law will be: (1) allowing California residents to opt out of the sale of their personal information to third parties, (2) getting opt in consent before selling the personal information of California residents under the age of 16, (3) advising California residents, upon request and in privacy notices, what personal information the business has collected about them, how it was collected, why, and if it has been shared or sold, (4) the introduction of personal information “portability” and deletion requirements for businesses that maintain covered personal information; and (5) having a privacy policy that includes both online and offline personal information collection. 

Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident) combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full or part time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.

While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business.  Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look back (as early as back to January 1, 2019) of data processing activities relating to covered personal information. 

Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures.  This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.  From a litigation standpoint, these statutory damages plus the broad definition of “consumer” means that plaintiff’s attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end use customers, employees, shareholders and service providers and vendors.

If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.

Share Button

Who Owns Farm Data?

farm dataAs farmers gear up for planting season, a common question asked is who owns farm data generated by agriculture technology providers (“ATP”)? The answer isn’t as simple as it should seem.

Farm data is generally defined as data collected and analyzed from sensors and software on planters, combines, sprayers and other farm implements. Farm data can be used to help farmers improve efficiency, reduce inputs, know when to irrigate, produce better yields and ultimately make higher profits. However, farmers have concerns over how their agricultural data may be used, shared and sold which may lead to adverse economic or commercial consequences for the farmer. For example, will farm data be accessible to government agencies like the Environmental Protection Agency, used by Wall Street traders to speculate or manipulate the commodities market or leveraged by seed and chemical companies? The issue is further exasperated when multiple parties are involved. For instance:

    • Does a landowner own farm data generated on their land or the tenant?
    • Does a co-op that applies the fertilizer and/or pesticide own the farm data or the farmer who pays for the application?
    • Does the owner of the precision ag hardware that collects the data own the farm data or the farmer on whose land the equipment is used?

In light of these questions and concerns, the American Farm Bureau Federation led a consortium of thirty-five farm and commodity groups to set forth “Privacy and Security Principles for Farm Data.” The principles state with regard to farm data ownership:

Ownership: We believe farmers own information generated on their farming operations. However, it is the responsibility of the farmer to agree upon data use and sharing with the other stakeholders with an economic interest, such as the tenant, landowner, cooperative, owner of the precision agriculture system hardware, and/or ATP etc. The farmer contracting with the ATP is responsible for ensuring that only the data they own or have permission to use is included in the account with the ATP.

Available at http://www.fb.org/issues/bigdata/privacysecurityprinciplesfarmdata.html.

It must be noted that the “Privacy and Security Principles for Farm Data” aren’t binding and there are no federal laws directly regulating the storage use or transfer of agricultural data. However, the takeaway is that farmers, landlords, co-ops and agriculture technology providers need to make sure their contract or lease is explicit to who owns farm data. When drafting such contracts, important questions to keep in mind include: (1) Does the contract describe what type of data is being collected; (2) Is control of farm data addressed; and (3) Does the contract state whether the farm data may be accessed, sold or shared with others? Farmers, landlords, co-ops and agriculture technology providers therefore need to take the time to carefully draft and understand contractual language before they sign to ensure farm data ownership issues are clear.

  • Luke C. Holst is a registered patent attorney with over twenty years of experience in the agriculture industry as part owner-operator of a family farm in Northwest Iowa. Holst is a former Patent Examiner at the U.S. Patent and Trademark Office; Law Clerk to the Honorable Mark W. Bennett at the U.S. District Court for the Northern District of Iowa; and Legislative Counsel to Congressman Steve King at the U.S. Capitol. At McGrath North, Holst works on patent and trademark issues, including intellectual property litigation.
Share Button

EU Court Declares “Safe Harbor” Data-Transfer Agreement Invalid: Is Your Company Affected?

data transferBackground.

On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). Safe Harbor is an agreement between the U.S. and the EU designed to create a streamlined way to transfer personal data from Europe to U.S. firms in accordance with European data protection rules.  Over 4,000 U.S. companies are currently Safe Harbor self-certified.

Does It Impact Your Company?

Yes, if your company has relied on its Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing (for example, if your company transfers European employees’ personal data back to the U.S. for human resources purposes) or if your company uses vendors or suppliers that have relied on the Safe Harbor to transfer data from the EU to the U.S.

What Are Your Company’s Next Steps?

If you believe your company may be affected by this decision, we recommend working quickly to analyze any cross-border data flows to the U.S.  Such analysis includes a thorough review of your company’s supply chain. If your company transfers data from the EU to a U.S. processor, or accesses data of EU data subjects that may be stored or processed by a processor in the EU, we recommend reviewing all agreements executed with such processors, identify which ones have represented they are Safe Harbor certified and promptly work with each such entity to find an alternative means to satisfy the European data protection rules.

For compliance purposes, we also recommend mapping out what kinds of data is processed cross-borders (personal and otherwise), identify the data subjects (customers, employees, etc.) and estimate the amount of transferred data.

How Can Your Company Continue to Transfer Data in the Absence of Safe Harbor?

To the extent that your company or your vendors or suppliers have relied on Safe Harbor for data transfers, you should consider alternative mechanisms to legalize such data transfers, including incorporating the Model Contract Clauses by addenda into current supplier and vendor agreements, implementing Binding Corporate Rules or obtaining prior written consent from all data subjects.

Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions, would like to discuss how the Safe Harbor ruling applies to your company or if you would like additional information on how to make your company compliant with the EU Data Protection Directive.

Read the press release from the European Court of Justice. (http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)


Share Button

New Sheriff In Town: FTC Enters The Fray As A Federal Enforcer Of Healthcare Data Breaches

SheriffOver the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding more than $10 million since June 2013.   Despite these increased enforcement efforts, however, the Federal Trade Commission (“FTC”) has now entered the fray as an additional federal enforcer of healthcare data breaches.

In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing  to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information.  The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act.  In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act.  On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding.  Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.

Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA, in that the FTC has now clearly asserted itself as an additional regulator of healthcare data breaches.  Businesses should remain diligent in their HIPAA compliance efforts as a breach of PHI may result in multiple enforcement actions.  For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.

Share Button

Cyber-Risk: It’s Not Just An IT Issue, It’s A Board Issue

Cyber-RiskOn June 10, 2014, U.S. Securities and Exchange Commissioner Luis A. Aguilar spoke at the New York Stock Exchange “Cyber Risks and the Boardroom” Conference.  With the high number of recent successful cyber-attacks, Commissioner Aguilar suggests that cyber-risk must be considered a part of a board’s overall risk oversight. It is the board’s responsibility to ensure the adequacy of the company’s cybersecurity measures.  Aguilar cites to suggestions for how this can be done, including boards reviewing annual budgets for privacy and IT security programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks.  Aguilar encourages companies to conduct regular risk assessments and cites the recently released Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (“NIST”) as the likely standard for best practices in assessing a company’s cybersecurity risks. In short, boards need to be or get educated on cybersecurity risks and be proactive in trying to minimize such risks.

Commissioner Aguilar’s speech can be found at: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946

Share Button