CURRENT MONTH (October 2018)
E-Commerce
Dish Network Settles Streaming Dispute With Injunction and Damages
By Sara Beth A.R. Kohut
Dish Network LLC and NagraStar LLC filed an agreed motion for final judgment and permanent injunction with certain defendants to end their SetTV streaming service that allegedly retransmitted Dish’s programming without authority. Dish Network LLC v. Johnson, No. 8:18-cv-1332-T-33AAS (M.D. Fla. Oct. 24, 2018). The fourth largest pay-television provider in the U.S. sued SET Broadcast LLC and persons associated with it in May 2018 for violating the Federal Communications Act by taking content from Dish’s satellite broadcasts and redistributing it through their streaming service. The defendants operated their streaming service for approximately 16 months, obtaining about 261,000 subscribers. The U.S. District Court for the Middle District of Florida had previously granted temporary and preliminary injunctive relief to Dish. The agreed motion for final judgment included a permanent injunction against the defendants, plus statutory damages of $90,199,000.
Cybersecurity
FTC Offers Small Business Cybersecurity Guidance
By Sara Beth A.R. Kohut
The U.S. Federal Trade Commission’s Bureau of Consumer Protection recently issued a notice of cybersecurity resources available on its website for small businesses. The information is set forth in 12 “need-to-know” topics, which will also be addressed in the FTC’s weekly Business Blogs. The initial posting covered Cybersecurity Basics, offering tips to incorporate security in the usual course of business. The basic stages include securing wireless networks, multi-factor authentication, data-breach planning, and staff training. Other topics will include physical security, ransomware, vendor management, and cyber insurance. The FTC’s materials are also being promoted by the Small Business Administration, National Institute of Standards and Technology, and the Department of Homeland Security.
Data Privacy
NJ and Aetna Reach Settlement Over HIPAA, State Law Violations
By Lawrence Thomas, Drexel University Thomas R. Kline School of Law
The State of New Jersey and Aetna, Inc. have reached a settlement agreement after Aetna improperly disclosed Protected Health Information (PHI) in violation of HIPAA and state laws, such as the New Jersey AIDS Assistance Act. Aetna allegedly compromised the information of thousands of Americans and hundreds of New Jersey residents on two occasions in 2017 when it mailed revealing information about patients’ HIV/AIDS status and atrial fibrillation (AFib) diagnoses. Aetna mailed information in envelopes containing large transparent glassine windows that revealed the addressees’ names and information such as “HIV Medications” and “IMPACT-AFIB”—disclosing diagnoses or causing interpretations of diagnoses. Under the settlement, Aetna must implement new policies and procedures to safeguard PHI and Personally Identifiable Information (PII), as well as modify its procedures for printing and mailing PHI/PII. Aetna must further appoint an independent consultant to monitor and report on procedures for member privacy, confidential information, and PHI/PII. New Jersey and Aetna have agreed on a settlement payment of $365,211.59, and Aetna will be subject to monitoring by the New Jersey Division of Consumer Affairs for at least two years.
ABA Issues Ethics Opinion on Lawyer Data Breaches
By Irene Mo
The American Bar Association’s Standing Committee on Ethics and Professional Responsibility released Formal Opinion 483, “Lawyers’ Obligation After an Electronic Data Breach or Cyberattack,” on October 17. Specifically, the Opinion focuses on a breach involving client information. To avoid a data breach, an attorney must: 1) stay updated on the risks and benefits of incorporating technology into the delivery of legal services (Model Rule 1.1); 2) reasonably safeguard client information from unauthorized access or disclosure (MR 1.6(c)); and 3) ensure compliance from other attorneys, staff, and third-party vendors with cybersecurity policies (MR 5.1 and 5.3). If a data breach does occur, an attorney must notify current (MR 1.4) and former (MR 1.9(c)) clients of the breach, regardless of what cybersecurity safeguards were in place, and keep clients updated on the attorney’s response and mitigation plan. The Committee notes that in addition to an attorney’s compliance with Formal Opinion 483, the attorney should also analyze compliance under state and federal laws.