Privacy & Cybersecurity

If you are a medical device manufacturer, the Food and Drug Administration (FDA) says that you should prepare a “cybersecurity bill of materials” before marketing your devices.  As outlined in our sister blog’s post, the requirement would require manufacturers to produce a list of the components that could be susceptible to vulnerabilities.

California continues to lead the nation in cybersecurity and privacy legislation on the heels of the recent California Consumer Privacy Act of 2018 (“CCPA”).  Governor Brown recently signed into law two nearly identical bills, Assembly Bill No. 1906 and Senate Bill No. 327 (the “Legislation”) each of which required the signing of the other to become law, on September 28th, 2018.

Welcome to October!  October 2018 marks the 15th year of the observance of National Cyber Security Awareness Month, a joint effort of the U.S. Department of Homeland Security and the National Cyber Security Awareness Alliance.  We’ll be keeping you updated on all things privacy and security throughout the month.

Late last week the White House released its National Cyber Strategy, setting forth its approach to protecting U.S. critical infrastructure from global cyber threats.

As previously noted in this blog, the Neiman Marcus payment card data theft class action reflects a lenient approach to the issue of standing in data breach cases.  In that case, the Seventh Circuit rejected arguments that customers claiming to have sustained only the theft of debit and credit card information had not alleged sufficient injury to have standing to sue. 

Labor Day is passed, and the Privacy & Security Matters blog is back after a bit of a hiatus.    The California State Legislature was busy up to the last day of the session working on privacy legislation.

The Federal Communications Commission (“FCC” or “Commission”) is busy evaluating scores of comments and reply comments it received in several ongoing TCPA proceedings in the past month.

After the U.S. Court of Appeals for the District of Columbia released its highly anticipated decision in ACA International v. Federal Communications Commission, courts have been addressing issues raised in that case. We previously summarized the opinion — which raises four issues, one of which is what constitutes an Automatic Telephone Dialing System (“ATDS”).

The European Parliament passed a resolution today strongly criticizing Privacy Shield and recommending that Privacy Shield be suspended as of September 1, 2018, if the US doesn’t shape up by that deadline.  Should US companies that rely on Privacy Shield panic?

The Supreme Court ruled, at the end of June, that seizing cell-site location information—data that tracks cell phone users’ movements—constitutes a search under the Fourth Amendment.

In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security.  To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security.

June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation.   California has become the first state to move away from the U.S. approach of legislating data privacy in slow bits.  

Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.

In the latest decision concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc. (“NBEO”).

Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems.

The Federal Communications Commission (“FCC”) is reconsidering several issues central to TCPA liability, including what equipment constitutes an automatic telephone dialing system ((“ATDS”) and who the “called party” is when a wireless number has been reassigned.

Our previous post discussed the decision in Marshall v. CBE Group, Inc., which completely rejected the FCC’s broad interpretation of an ATDS and found in favor of the defendant. Since then, another district court in the Ninth Circuit has followed suit, but three others in the Eleventh Circuit have concluded that the FCC’s 2003 Order survives ACA Int’l. It could behoove some TCPA defendants to seek stays while this circuit split is sorted out or until after the FCC clarifies its position on the ATDS issue following ACA Int’l.

The Federal Communications Commission (“FCC”) is reconsidering several issues central to TCPA liability, including what equipment constitutes an automatic telephone dialing system (“ATDS”) and who the “called party” is when a wireless number has been reassigned.

Recently, a new bill was signed by Colorado Governor John Hickenlooper, creating far reaching new requirements for entities that collect or maintain personal identifying information of Colorado residents. These requirements, which will create one of the strictest state based privacy and data breach laws in the country, will go into effect September 1, 2018. 

The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security.