The U.S. Food and Drug Administration has released final guidance dealing with medical applications running on mobile devices, including consumer smartphones and tablets. Under the new guidance, the FDA indicates that it intends to treat some apps with the same scrutiny which is applies to traditional medical devices.
This guidance has profound (although not entirely unexpected) impact on app developers exploring and exploiting the use of consumer electronic devices to empower people in medical and healthcare related ares. Under the new guidance, developers must look to the functionality of their software, and where appropriate, submit it to the FDA for review and approval. Typically the line of demarcation depends on whether the application interfaces with a regulated medical device, such as blood-pressure monitoring device, or if the app turns the mobile device into a device for assessing the health of an individual. Unfortunately, these lines are somewhat indistinct thus leaving app developers with open questions about whether apps that may skirt these lines are subject to FDA review or not.
This is an area where the law and regulations will continue to evolve over time. In the meantime, app developers who are venturing into products applications which could potentially fall within the jurisdiction of the FDA need to carefully consider their offering and implications of potential regulation by the FDA.
As of today, there are now a total of six states which have passed laws which specifically prohibit employers from demanding that employees provide the employer with their Facebook passwords: California, Illinois, Michigan, New Jersey, Maryland, and Delaware.
As more and more employers have begun demanding access to employees’ or potential employees’ personal, non-public social media data, these laws represent clearly developing trend towards greater protection of employee privacy. It is important to note, however, that none of the laws enacted to date prohibit employers from reviewing what employees or potential employees publicly post to social media sites.
With this kind of rapidly changing privacy landscape, it is increasingly important for employers to continuously review and update their hiring and other employment policies. What’s more, the most recent laws are most likely only the tip of the iceberg. Many other states are considering similar laws, some of them potentially even more far reaching than those enacted by these first six states. Likewise, the specter of increasing federal laws and regulations dealing with privacy both within and outside the workplace is also increasingly real.
And so, the $100,000 question: “Have you reviewed your company’s employment policies lately?” If not, now is a good time to do so!
Exclusive: Anatomy Of A Brokerage IT Meltdown – Security –.
InformationWeek.com has an excellent article up which details the breakdowns in IT policy and procedure which lead the now-defunct stock brokerage, GunnAllen Financial, become the first company to be fined by the SEC for failing to protect customer data.
The article is a hair-raising read and the actions of both GunnAllen and its IT company, The Revere Group, would be almost comical if not for the incredibly serious implications of the cavalier way in which they dealt with sensitive client information.
While this instance is an extreme one, it is an object lesson for companies handling sensitive client information. The consequences of poor data management and data security are dire!
Stanford has just wrapped up a conference on Intellectual Property that seems to have had some very interesting and notable highlights. Head over to the GigaOm article for a bit more detail (and here for the full agenda), but here are a few of the highlights of interest:
University of Colorado Professor Paul Ohm is headed off to join the FTC, but he stopped by the conference and gave a presentation that made it clear that he intends to do more than a but of arm-twisting in Washington to get companies to live up to their privacy promises.
Another presentation discussed unauthorized distribution of copyrighted content though the lens of the porn industries current frustrations. It looks like maybe Big Porn is starting to realize that the litigation tactic is a loosing battle, as they begin to experiment with shifts towards making “experience goods” like live chats and other engagement oriented products.
Collen Chien of U.C. Santa Clara presented on the current patent mess in the mobile device industry and hos the historic patent epidemics over farmer’s tools and railroad technology in the late 19th and early 20th centuries may portend much needed reform in our current patent morass.
Professor Howard Abrams discusses the U.S. Supreme Court of Golan v. Holder from earlier this year in which the Court upheld Congress’ rights to retroactively extend copyright terms. The case when on to indicate that congress can extend copyright protection to previously public domain works and to state that First Amendment is not implicated by these actions, as these works were available in the marketplace and thus represented commercial speech.
In October of 2011, the Securities and Exchange Commission issued a non-mandatory guidance statement on cybersecurity and the reporting of security requirements. Despite this guidance, which was intended to clarify existing reporting requirements for publicly traded companies under Sarbanes-Oxley and other federal privacy laws and regulations, many companies are either not reporting cybersecurity breaches or are skirting the reporting requirements by making very general disclosures which appear designed to minimize or disguise the nature and severity such breaches.
In response to this dearth of meaningful reporting, the Chairman of the Senate Commerce, Scientce and Transportation Committee, Sen. Jay Rockefeller, is seeking to add provisions to cybersecutiy laws that would strengthen and clarify breach-reporting obligations. Among the results of these changes would be a requirement that the SEC clarify when companies must disclose cyber breached and requiring companies to spell out the steps they are taking to protect their computer systems from intrusions.
In the wake of such spectacular hacks as the breach of LinkedIn’s site and the repeated intrusions into Wyndam Hotel’s systems (for which the FTC is actively pursuing punitive enforcement against the company), it has become increasingly clear that cyber-crime is a real risk to businesses. In response to the damage that such intrusions does to both investors and end-customers, the government is clearly placing increased pressure on companies to step up and combat this economic threat through implementation of better preventative measures and by disclosing the existence of breaches after the fact, to ensure that system issues within companies’ security are not simply swept under the proverbial rug. Increasingly businesses must make protection of critical infrastructure and its data storage, handling, and destruction key elements in their business planning and implementation, rather than the afterthought if often seems to be.
Yet another sign that the privacy issues are starting to come in from the cold: The California Attorney General’s office is setting up a special unit for the purpose of enforcing state and federal privacy laws.
This has the potential to have a major impact on not just Silicon Valley, but also (if Massachusetts and Nevada are any indicator) any company doing business in the state of California.
As a result of moves such as this, it is increasingly important that companies make sure that their policies, procedures, and practices on customer privacy are fully up to date. More and more, this is a truly business-critical issue.
TechCrunch addresses the current state of the mobile app industry with respect to privacy policies.
The past year has seen some noteworthy scandals regarding apps that treat sensitive user data in undisclosed (and sometime hair-raising) manners. Path’s access to and siphoning off of private address book data is just one example of this.
As a result of growing concerns over the handling of sensitive data by mobile apps, Both the Federal Trade Commission (the “FTC”) and the California state Attorney General’s office have gotten far more aggressive in terms of pushing compliance with privacy laws and the creation of workable industry standards. The California Attorney General in particular has announced that it will be enforcing California’s Online Privacy Protection Act against app developers.
With greater attention (and enforcement efforts) under way, app developers need to pay far more attention to industry best practices on privacy issues, including putting in place app privacy polices (and making them readily available to its customers).