Settlement Agreement With Health App Developer Part of Emerging Trend
“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” according to California’s Attorney General Becerra. The consequences of not having the appropriate data protections? It means “a digital disclosure of your private medical records is instantaneously and eternally available to the world” per Becerra.
For these reasons, especially in the new era of telemedicine, developers of medical applications (health apps) must understand that consumers’ privacy and security have to be protected. “Excuses are not an option,” Becerra warns. California’s settlement agreement with Upward Labs Holdings, Inc. (Upward Labs) and its subsidiary Glow, Inc. (Glow) shows that Becerra’s warning should not be ignored.
Background
Upward Labs and Glow developed and offered the Glow App, a fertility tracking health app. The app collects and stores the personal and medical information of its users. California’s Confidentiality of Medical Information Act (CMIA) covers businesses that offer health apps. CMIA requires these businesses to preserve the confidentiality of the medical information the health apps collect and store. CMIA also prohibits these businesses from disclosing such medical information without obtaining the individual user’s authorization.
Between 2013 and 2016, Glow App contained basic security flaws that put users’ personal and medical information at risk: the app allowed data transfers without the required user authorizations, and it did not verify a user’s existing password when a new password was set for access to the data stored by Glow App. These flaws were materially at odds with the privacy policy and terms of use on the Upward Labs and Glow websites, which claimed that Glow App uses “industry-standard security measures to protect the loss, misuse and alteration of information under [Glow’s] control.”
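To make those two flaws concrete, the following is an added illustration and not Glow’s code or anything taken from the complaint: a hypothetical in-memory account store with a password-change handler that accepts a new password without checking the old one, beside one that requires the current password first, plus a data-transfer function that refuses to release a user’s records to a recipient the user has not explicitly authorized. The class, function names, sample user and records are all assumptions made for the example.

```python
# Added illustration, not Glow's code: a minimal in-memory account store with
# a password-change handler that skips old-password verification next to one
# that requires it, plus a data-transfer function that checks for the user's
# explicit authorization. All names and data below are hypothetical.
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt; the iteration count is
    # kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AccountStore:
    """Hypothetical account store: username -> salt, password hash,
    the user's medical records and the parties the user has authorized."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def create(self, username: str, password: str, records: list[str]) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "records": list(records),
            "authorized": set(),
        }

    def verify(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        candidate = _hash_password(password, user["salt"])
        # constant-time comparison so the check does not leak via timing
        return hmac.compare_digest(user["hash"], candidate)

    def _set_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        self.users[username]["salt"] = salt
        self.users[username]["hash"] = _hash_password(new_password, salt)


def change_password_unverified(store: AccountStore, username: str, new_password: str) -> bool:
    """VULNERABLE pattern: the caller never has to prove knowledge of the
    current password, so anyone who reaches this function for a given
    username (for example through a hijacked session) can lock the real
    user out and read everything behind the account."""
    if username not in store.users:
        return False
    store._set_password(username, new_password)
    return True


def change_password_verified(store: AccountStore, username: str,
                             old_password: str, new_password: str) -> bool:
    """Hardened pattern: the current password must verify before any change."""
    if not store.verify(username, old_password):
        return False
    store._set_password(username, new_password)
    return True


def grant_access(store: AccountStore, owner: str, recipient: str) -> None:
    """Records the owner's explicit authorization for a recipient."""
    store.users[owner]["authorized"].add(recipient)


def transfer_records(store: AccountStore, owner: str, recipient: str) -> list[str]:
    """Releases the owner's records only to a recipient the owner authorized;
    anything else is refused rather than silently sent."""
    user = store.users.get(owner)
    if user is None or recipient not in user["authorized"]:
        raise PermissionError(f"{owner!r} has not authorized a transfer to {recipient!r}")
    return list(user["records"])


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery", ["cycle day 14"])  # constructed sample
    print(change_password_unverified(store, "alice", "attacker-chosen"))  # True: no proof required
    print(change_password_verified(store, "alice", "wrong", "x"))         # False: old password checked
```

The unverified handler is the shape of the flaw the complaint describes: the server changes the credential on request and never asks the caller to prove it holds the current one. The verified handler and `transfer_records` both fail closed, which is the behaviour a claim of “industry-standard security measures” implies.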
Following an investigation into these security flaws, Becerra’s office filed a complaint against Upward Labs and Glow on September 17, 2020, alleging the companies violated CMIA and California’s Unfair Competition Law, in parallel with a Settlement Agreement and Final Judgment that the court approved the following day.
Settlement agreement
First, the agreement requires the defendants to pay a $250,000 civil penalty and subjects them to various forms of injunctive relief, including a requirement to comply with California’s consumer protection and privacy laws. The agreement also requires Glow to develop and maintain a process for incorporating privacy-by-design and security-by-design principles into all new health apps and into any changes to the manner in which Glow App collects, stores, processes, uses, transmits or maintains personal and medical information.
Additionally, Glow must implement a Written Information Security Program (WISP). The WISP is designed to protect the security, confidentiality, integrity and availability of the personal and medical information collected and stored.
The WISP must include administrative, technical and physical safeguards commensurate with the size and complexity of Glow’s operations and with the sensitivity of the data that Glow collects, stores, processes, uses, transmits and/or maintains.
Feels familiar
If the concept of an attorney general negotiating a requirement for a WISP, or a requirement to implement administrative, technical and physical safeguards, sounds familiar, you are correct. As we have discussed in previous posts examining the New York attorney general’s enforcement actions, these concepts are key components of the 2020 settlement agreements New York reached with Zoom and Dunkin’ Donuts for the security vulnerabilities that plagued those companies.
The similarity between these three agreements shows that even in the absence of federal privacy or data security legislation, attorneys general from economic powerhouses on the East and West Coasts are developing a de facto information security standard for businesses that collect or possess consumer data.
Beyond the commonality with the New York enforcement agreements, one important, innovative and arguably unique requirement in the California agreement is that Glow’s privacy-by-design and security-by-design principles must “consider how privacy or security lapses may impact online threats affecting women and online risks that women face, or could face, including gender-based risks, from privacy and security lapses.” This appears to be one of the first times, if not the first, that privacy concerns unique to one gender have been recognized as something developers must consider.
Erik Dullea is a Denver-based partner with the law firm Husch Blackwell LLP who focuses on administrative and regulatory law with an emphasis on workplace safety and security in critical infrastructure sectors such as mining, energy and aviation.