Privacy & Cybersecurity
Viewpoints
Filter by:
The Ongoing March toward Privacy Law in the US – A State Legislative Roundup
February 16, 2021 | Blog | By Cynthia Larose, Christopher Buontempo
Based on what we are already seeing in terms of the impressive volume of state-level proposed privacy legislation in the early days of 2021, it appears that we may see a big year for US privacy law. Below is a sampling of where things stand in Virginia, Washington, New York, Minnesota, Oklahoma, Utah, and North Dakota.
Read more
Happy Data Privacy Day!
January 28, 2021 | Blog | By Cynthia Larose
January 28 is known worldwide as “Data Privacy Day” or “Data Protection Day,” and it’s a good opportunity to remind everyone of some privacy basics – particularly as people are still working remotely and threats to information and security increase. Privacy and data protection is no longer “nice to have”. It is business imperative.
Read more
Fifth Circuit Vacates $4.3M HIPAA Penalty and Potentially Opens the Door for Future HIPAA Enforcement Challenges
January 25, 2021 | Blog | By Dianne Bourque
With a notably sharply worded opinion, the Fifth Circuit recently vacated over $4.3 million in penalties levied against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) by the Department of Health and Human Services (HHS) for a series of alleged HIPAA violations. The case stems from three separate incidents that occurred between 2012 and 2013. In two instances, M.D. Anderson workforce members lost unencrypted protected health information (PHI), while the third incident involved the theft of a faculty member’s laptop also containing unencrypted PHI. On appeal, the Fifth Circuit concluded that HHS’s civil monetary penalties order against M.D. Anderson was arbitrary, capricious, and contrary to law, vacating the penalties and pointedly criticizing the agency’s actions and arguments in this matter.
Beyond its harsh words for HHS, this opinion is notable for calling into question some longstanding HHS enforcement practices and interpretations of the HIPAA regulations. The opinion also makes clear that regulated entities should check the math when HHS levies a fine. Although limited in its precedential authority, the Fifth Circuit’s opinion, at the very least, gives HIPAA-regulated entities some new food for thought if faced with an HHS enforcement action.
Read more
Beyond its harsh words for HHS, this opinion is notable for calling into question some longstanding HHS enforcement practices and interpretations of the HIPAA regulations. The opinion also makes clear that regulated entities should check the math when HHS levies a fine. Although limited in its precedential authority, the Fifth Circuit’s opinion, at the very least, gives HIPAA-regulated entities some new food for thought if faced with an HHS enforcement action.
Transferring Personal Data from the EU to the UK: Interim Solutions
January 13, 2021 | Blog
The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.
Read more
Vendor Management Fail: FTC Settles with Mortgage Analytics Company following Vendor Security Issues
January 11, 2021 | Blog | By Christopher Buontempo , Cynthia Larose
An oft-used business management concept is to “hire people smarter than you.” The concept also applies to hiring vendors – hire vendors that are better than you (especially when it comes to information security). Texas-based Ascension Data & Analytics LLC (Ascension), a technology and data analytics company used by the mortgage industry, did not utilize that concept in its vendor hiring process, and as a result, recently entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following charges that it violated the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule by failing to ensure that its third-party vendor adequately protected mortgage holder personal information.
Read more
Holiday Gift from California AG: FOURTH Set of Proposed “Modifications” to CCPA Regs Already in Effect
December 11, 2020 | Blog | By Cynthia Larose
As businesses continue to work on compliance with the California Consumer Privacy Act (CCPA) and the multiple versions of regulations issued by the Attorney General’s Office, Attorney General Becerra has issued yet another set of proposed modifications to the regulations implementing the CCPA. This fourth set of proposed modifications comes on the heels (and builds on) the third draft set of modifications issued in October. That October revision had not been finalized after comments had been received.
Read more
Data Breaches Can Cost $$ – Plus Ongoing Obligations (ask Home Depot): Lessons and Takeaways
December 2, 2020 | Blog | By Cynthia Larose, Christopher Buontempo
The Home Depot, Inc. (“Home Depot”) recently entered into a multi-state Assurance of Voluntary Compliance with Attorneys General of 46 states and the District of Columbia (the “Settlement”) stemming from a massive 2014 data breach that exposed the payment card information of approximately 40 million Home Depot customers. In addition to the steep penalty, Home Depot is required to undergo an extensive security overhaul.
Read more
Senate Passes IoT Cybersecurity Bill by Unanimous Consent
November 18, 2020 | Blog | By Christian Tamotsu Fjeld, Christopher Harvie
European Commission Publishes Proposed New Data Transfer Agreement
November 13, 2020 | Blog
The European Commission has just published a consultation draft of the long-promised updated version of the Standard Contractual Clauses (SCCs). The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”). In a nutshell, the new SCCs have finally caught up with the GDPR, which came into effect nearly two and a half years ago. Once the Commission formally adopts the new SCCs, organizations will have a one-year grace period to transition from the old SCCs to the new SCCs.
Read more
EU Data Protection Regulators Issue Critical Draft Guidance on Personal Data Transfers
November 12, 2020 | Blog
US companies and other organizations whose activities involve the use of personal information from Europe were unsettled by the EU Court of Justice’s July 2020 Schrems II decision that cast doubt on the lawfulness of transferring personal data from the EU to the US. The European Data Protection Board (EDPB) has now published its long-awaited guidance as to what it expects organizations to do to bolster protections for transfers of personal data. The new guidance imposes a very high burden on transferors and recipients of EU personal data.
Read more
California Privacy Rights Act Passes - Dramatically Altering the CCPA
November 6, 2020 | Blog
Voters in California have passed Proposition 24, commonly referred to as the California Privacy Rights Act of 2020 (“CPRA”). Less than a year after the CCPA became effective, the voters’ approval of the CPRA will provide significant new rights to California consumers, create new compliance obligations for covered businesses, establish a new enforcement agency, and provide for data minimization and retention obligations, among other aspects.
Read more
US Health System Warned of Coordinated Ransomware Attacks
October 30, 2020 | Blog | By Dianne Bourque
US hospitals and healthcare facilities struggling to maintain normal operations during the COVID-19 emergency, were warned this week by the federal Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) of a “targeted and imminent cybercrime threat.” Specifically, CISA, FBI and HHS have credible information that malicious cyber actors are targeting hospitals and other health care providers with Trickbot malware, leading to ransomware attacks, data theft and significantly, the disruption of healthcare services during the pandemic.
Read more
CCPA: When “Final” Doesn’t Mean What You Think It Means (with apologies to The Princess Bride)
October 14, 2020 | Blog | By Cynthia Larose
Earlier this week, the California Department of Justice unexpectedly released a third set of proposed modifications to the CCPA regulations. This move took place only two months after the California Attorney General’s Office “finalized” the long-awaited CCPA regulations. The latest changes relate to offline notices, “Do Not Sell My Personal Information” opt-out requests, authorized agent requests, and children’s information, as discussed below.
Read more
California Update: Governor Signs One Privacy Bill and Vetoes Another
October 1, 2020 | Blog | By Cynthia Larose
California Governor Gavin Newsom has signed Assembly Bill 1281 (discussed here) to extend the California Consumer Privacy Act (CCPA) “exemptions” for business-to-business (B2B) and employee personal information. The exemption was headed for a sunset on December 31, 2020 without legislative action, and this extension will continue through the end of 2022.
Read more
Kick the CCPA Compliance Program Back Into Gear
September 8, 2020 | Blog | By Cynthia Larose
2020 “back to school” has a whole new meaning in the age of COVID-19. Now, it is finally time for companies to take compliance with the California Consumer Privacy Act (“CCPA”) off the back burner and implement policies and procedures and processes. The California Attorney General’s final regulations are in place and approved (“Final Regulations”), and ready for enforcement.
Read more
Proposed Mega Child Privacy Class Action Settlements May Impact Many App Providers
September 1, 2020 | Blog
Last week, the plaintiffs in three related children’s privacy class actions sought preliminary approval of proposed settlements with sixteen defendants in those coordinated actions. The matters—known as the Kiloo Action, the Disney Action, and the Viacom Action—are pending in the Northern District of California, case numbers 3:17-CV-04344-JD; 3:17-CV-4419-JD; 3:17-CV-4492-JD.
Read more
CCPA Employee and Business-to-Business Exemptions Passed out of Legislature
August 31, 2020 | Blog | By Cynthia Larose
The California Legislature has passed AB-1281 over to the Governor’s desk, approving the continuation of an exemption for personal information collected in the employment context and certain information collected in the course of a business-to-business (B2B) transaction or about B2B-related personnel.
Read more
California AG Announces CCPA Regulations are Final – And Effective Immediately
August 17, 2020 | Blog | By Cynthia Larose
California Attorney General Becerra announced Friday afternoon that the Office of Administrative Law (OAL) had approved the final CCPA regulations his office submitted to the OAL in June, and that the review process is complete. This means that the CCPA Regulations go into effect immediately.
Read more
NYDFS’ First Cybersecurity Enforcement Action - What Happened and Important Lessons for Organizations
August 12, 2020 | Blog | By Cynthia Larose, Christopher Buontempo
The New York State Department of Financial Services (“NYDFS”) has announced its first enforcement action of NYDFS’ Cybersecurity Regulation, Part 500 of Title 23 (“Cybersecurity Regulation”) against First American Title Insurance Company (“First American”), a leading title insurance provider.
Read more
Viewpoint Editors
Cynthia J. Larose
Member / Chair, Privacy & Cybersecurity Practice
John B. Koss
Managing Director, E-Data Consulting Group
Dianne J. Bourque
Member
Christopher J. Harvie
Member
Kevin M. McGinty
Member / Co-chair, Class Action Practice
Explore Other Viewpoints:
- Antitrust
- Appellate
- Arbitration, Mediation & Alternate Dispute Resolution
- Artificial Intelligence
- Awards
- Bankruptcy & Restructuring
- California Land Use
- Class Action
- Complex Commercial Litigation
- Construction
- Consumer Product Safety
- Cross-Border Asset Recovery
- Debt Financing
- Direct Investing (M&A)
- Diversity
- EB-5 Financing
- Education & Nonprofits
- Employment
- Energy & Sustainability
- Environmental Enforcement Defense
- Environmental Law
- FDA Regulatory
- Federal Circuit Appeals
- Financial Institution Litigation
- Government Law
- Growth Equity
- Health Care
- Health Care Compliance, Fraud and Abuse, & Regulatory Counseling
- Health Care Enforcement & Investigations
- Health Care Transactions
- Health Information Privacy & Security
- IP Due Diligence
- IPRs & Other Post Grant Proceedings
- Immigration
- Insolvency & Creditor Rights Litigation
- Institutional Investor Class Action Recovery
- Insurance & Financial Services
- Insurance Consulting & Risk Management
- Insurance and Reinsurance Problem-Solving & Dispute Resolution
- Intellectual Property
- Investment Funds
- Israel
- Licensing & Technology Transactions
- Life Sciences
- Litigation & Investigations
- M&A Litigation
- ML Strategies
- Medicare, Medicaid and Commercial Coverage & Reimbursement
- Mergers & Acquisitions
- Patent Litigation
- Patent Prosecution & Strategic Counseling
- Pharmacy Benefits and PBM Contracting
- Portfolio Companies
- Privacy & Cybersecurity
- Private Client
- Private Equity
- Pro Bono
- Products Liability & Complex Tort
- Projects & Infrastructure
- Public Finance
- Real Estate Litigation
- Real Estate Transactions
- Real Estate, Construction & Infrastructure
- Retail & Consumer Products
- Securities & Capital Markets
- Securities Litigation
- Special Purpose Acquisition Company (SPACs)
- Sports & Entertainment
- Strategic IP Monetization & Licensing
- Tax
- Technology
- Technology, Communications & Media
- Technology, Communications & Media Litigation
- Trade Secrets
- Trademark & Copyright
- Trademark Litigation
- Venture Capital & Emerging Companies
- White Collar Defense & Government Investigations
- Women's Health and Technology