Data Privacy & Cybersecurity Blog
Learn tips to help identify data protection concerns, ensure your business is in compliance, and develop proactive plans that reduce the risk of data security breaches.
Overview
The Data Privacy & Cybersecurity Blog explores legal developments, trends, and business strategies around data protection, retention, privacy, reporting obligations, risk management, how to respond to hacking or security breaches, what to disclose and when, and other agenda-setting topics.
The insights feature tips to help clients identify data protection concerns, ensure that their businesses are in compliance, and develop proactive plans that reduce the risk of data security breaches. We also weigh in on breaking news such as cyberattacks, ransomware, phishing, viruses, and other matters.
Recent Posts
December 4, 2024
In 2024, AI legislation proliferated as countries across the globe took significant steps to balance the opportunities AI presents with the risks it poses. From privacy concerns to ethical considerations and economic implications, the regulatory framework for AI becomes more nuanced by the day, aiming to ensure that AI is developed and used responsibly.
December 4, 2024
In just over one month, the Republican party will control the Senate and House of Representatives, not to mention the Oval Office. How will this affect the future of privacy and AI legislation?
December 4, 2024
In a pivotal move that signals increased scrutiny of digital marketing practices, the Office of the Australian Information Commissioner (OAIC) released comprehensive guidance on November 4, 2024, addressing tracking pixels and the privacy obligations that come with them. For businesses operating in Australia and using tracking pixels as part of their digital strategies, this development brings both clarity and new compliance challenges, underscoring the need for compliance with the Australian Privacy Act (Privacy Act).
November 6, 2024
Microsoft’s latest Digital Defense Report 2024 provides insights into the evolving global cybersecurity landscape and the role of artificial intelligence. The report matters because Microsoft’s global vantage point gives others visibility into the attack activity it observes.
November 6, 2024
Attorney Jade Davis shares tips for Preserving Attorney-Client Privilege During Cybersecurity Incidents.
November 6, 2024
Attorney Richard Sheinis discusses China’s long awaited “Network Data Security Management Regulations.”
November 6, 2024
Attorney Lea McBryde discusses the U.K. Government’s Data Use and Access Bill.
October 31, 2024
Apple Intelligence was launched on Monday, October 28, and is available on any iPhone 16 and iPhone 15 Pro that is updated to iOS 18.1. It is also available on certain models of iPads and Macs. As a lawyer advising companies on AI governance, I am always checking to see how new AI products might
October 2, 2024
Partner Richard Sheinis discusses the details behind Illinois’ new law, which regulates the use of AI for employers.
October 1, 2024
Attorney Savannah Liner Avera discusses the recent passing of Malaysia’s Personal Data Protection (Amendment) Bill on July 31, 2024, bringing significant changes to the PDPA 2010.
October 1, 2024
Attorney Jade Davis discusses the frameworks and profiles released by the National Institute of Standards and Technology (NIST) to help companies manage the opportunities and risks posed by AI.
September 4, 2024
Background In August 2024, global data privacy saw major shifts with new cross-border agreements like the EU-Japan EPA, Brazil's landmark injunction on WhatsApp, a sizeable fine against Uber, and China's identity authentication measures. Sector-specific protections tightened, especially for children's privacy in the U.K. and facial recognition in Denmark, while formal guidance from Brazil and India
September 4, 2024
Background As we move toward the end of 2024, it seems the time is right for an update of AI statutory developments so far this year. While the EU has once again set the standard with the EU AI Act, the 30,000-foot view in the U.S. is that while there is a lot of talk
September 4, 2024
Partner Jade Davis dives into key developments surrounding children’s online privacy, including the California Age-Appropriate Design Code Act and the DOJ/FTC case against TikTok.
August 12, 2024
We have been writing about the EU AI Act for several months, and with its August 1 arrival the countdown begins for the effective dates of its various provisions.
August 12, 2024
Learn more about recent updates to the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0).
August 12, 2024
On July 30, 2024, Texas Attorney General Ken Paxton reached a record $1.4 billion deal to settle claims against Meta…
August 9, 2024
By December 23, 2024, all entities regulated under the HIPAA Privacy Rule must comply with the latest amendments, which provide enhanced protections for reproductive health information and more.
July 30, 2024
Learn more about the July 10 passing by the Malaysian Parliament of a bill to amend its Personal Data Protection law and what it may mean for businesses.
July 24, 2024
AI-powered meeting tools have become valuable tools in the construction industry and beyond. But do the benefits outweigh the associated security and privacy risks?
July 2, 2024
The latest draft of the American Privacy Rights Act (APRA) was released on June 20, 2024, affecting civil rights and algorithmic basis, opt-out rights, and more.
July 1, 2024
Biometrics continue to transform how we live, communicate and access life. Here is a snapshot update into biometrics across the globe.
July 1, 2024
A Texas judge has ruled in Am. Hosp. Ass’n v. Becerra that HHS doesn’t have the authority to restrict medical providers’ use of tracking technologies, a decision with major implications for how medical providers can disclose individually identifiable health information.
June 7, 2024
The Cyber Security Agency of Singapore released amendments to its cybersecurity laws on May 7, reinterpreting how critical information infrastructure is defined, identified, and secured.
June 6, 2024
FTC final rules, business guidance, warnings, and enforcement actions keep rolling in. Check out the latest round up of Federal Trade Commission (FTC) updates in the data privacy sector.
June 6, 2024
The EDPB recently issued a report on the work done by the ChatGPT Taskforce offering guidance on how AI programs might be evaluated for GDPR compliance going forward…
June 5, 2024
Vermont’s new Data Privacy Act is poised to be the second strongest in the U.S., focusing on protecting consumers and children from aggressive data gathering and addictive algorithms. Learn about the bill’s key provisions, compliance requirements, and potential impact on your business.
May 8, 2024
In March 2024, the Cyberspace Administration of China published new regulations on cross-border data flows. These regulations aim to ease the compliance burden faced by companies with operations in China…
May 8, 2024
The FTC recently updated the Health Breach Notification Rule regarding the disclosure of health related information among websites and mobile applications.
May 7, 2024
In April 2024, the “Foreign Adversary Controlled Applications Act” and the “Protecting Americans’ Data from Foreign Adversaries Act of 2024” were signed into law, affecting numerous data privacy matters…
April 3, 2024
California rolled out 31 new Artificial Intelligence bills affecting almost every level of commerce. Find out how they may affect your business, human resource operations, healthcare, schools, and more.
April 2, 2024
The recent update issued by OCR on March 18, 2024, revised the initial guidance from December 1, 2022, providing clearer directives for HIPAA covered entities and business associates regarding the deployment of online tracking tools.
March 20, 2024
Touted as the world’s first comprehensive legal framework of its kind, the AI Act will go into effect in stages over the next three years. The AI Act will apply to both businesses operating within the EU and to any AI developers or creators whose AI systems are used in EU countries and raises a few questions…
March 7, 2024
The EU Consumer Protection Agency has pushed back against Meta’s “Pay or Consent” model, claiming it is entirely too aggressive and coercive and fundamentally undermines the principles of the GDPR.
March 6, 2024
On February 13, 2024, EU member states voted unanimously in favor of the proposed EU AI Act. The text, the result of extensive negotiations and compromises between member states, is now expected to be formally adopted in March or April of this year.
March 6, 2024
In the ongoing global hunt for cybercriminals, the past thirty days have been illuminating for some, unsurprising for others, and climactic for all following the takedown of LockBit.
February 7, 2024
After almost four years of review and 175,000 public comments, the FTC unveiled its plan to update the Children’s Online Privacy Protection Rule (COPPA Rule) on December 20, 2023, after the Commission voted 3-0. The last COPPA revision was made in 2013…
February 7, 2024
The EU’s cookie reduction pledge represents a significant move towards enhanced digital privacy. While offering more control over cookies, the emergence of alternative tracking methods like device fingerprinting and contextual targeting highlights new complexity, reminding companies that users are no longer data-naïve.
February 6, 2024
Global legislative developments in the privacy sphere were abundant in 2023. Privacy professionals from around the world predict that legislation pertaining to data privacy and cyber security will continue to flourish in 2024, and this post explores those predictions.
January 19, 2024
Globally, business owners are asking how the European Union’s AI Act affects their business. This article will delve into the Act and how businesses will be affected globally, with an emphasis on the U.S.
HHS Warnings Trigger Class Actions Against Medical Providers for Use of Online Tracking Technologies
January 2, 2024
After roughly a year of multiple warnings by the HHS concerning the usage of online tracking technologies and associated privacy and security risks, class action lawsuits have begun to be filed…
January 2, 2024
In May 2023, the FTC issued a warning that it would be closely monitoring the use of biometric information technology, including those powered by machine learning, because they raise significant consumer privacy and data security concerns and have the potential for bias and discrimination. On December 19, the FTC made good on its promise by
December 20, 2023
On December 8, 2023, the California Privacy Protection Agency (CPPA) Board voted 5-0 at its meeting to advance a legislative proposal to require browser vendors to include a feature that allows users to exercise their California privacy rights through opt-out preference signals. This unanimous decision marks a significant stride toward fortifying consumer privacy rights in the digital realm.
December 19, 2023
On December 19, 2023, the FBI announced its investigation into Blackcat group, also known as AlphV or Noberus, and that it gained visibility into AlphV’s computer network due in part to assistance provided by an informant. “Law enforcement engaged a confidential human source who routinely provides reliable information related to ongoing cybercrime investigations,” the FBI
December 5, 2023
As the rest of the world continues to move forward with national data privacy legislation, the United States continues its well-established habit of proposing piecemeal data privacy laws that go nowhere.
December 5, 2023
On November 8, 2023, the CPPA published an updated draft of its cybersecurity audit regulations, intended, in part, to facilitate board discussion and public participation during the upcoming CPPA board meeting…
December 5, 2023
November was a busy month for data privacy. See below for updates to the EU AI Act, the Information Commissioner’s Office’s (ICO) response regarding third-party cookies, the ICO’s appeal of the Clearview ruling, and the Italian data protection authority’s (DPA) training probe.
May 5, 2023
The U.S. Department of Health and Human Services (HHS) Office of Information Security recently published new cybersecurity resources with the goal of mitigating common cybersecurity threats in the health care sector. HHS Resources Webinars: These are spotlighted periodically and announced to subscribers. The next webinar spotlights Health Industry Cybersecurity Practices 2023 changes as it relates
December 7, 2022
Written by: Savannah Liner Avera, Esq. Connecticut Attorney General William Tong announced a historic settlement with Google regarding its predatory disregard for users’ location tracking preferences. Google will pay $391.5 million to 40 states in a privacy violation settlement for continuing to track users after opting out of a feature called location history. Background This
November 8, 2022
Written by: Richard Sheinis, Esq. Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is over 22 years old. Its replacement, proposed Bill C-27, which introduces the Consumer Privacy Protection Act (CPPA), is still at least one year away from being passed. The CPPA is part of Canada’s Digital Charter Implementation
October 11, 2022
Written by: Gabriel Lopez, Esq. Earlier this month, European Union (EU) lawmakers began political debate on the EU’s Artificial Intelligence Act (AI Act). The legislation focuses on regulating the use of artificial intelligence in society. The AI Act seeks to introduce legal obligations commensurate with the potential harm, societal or otherwise, that may come with
September 20, 2022
Written by: Gabriel Lopez, Esq. A $35 million settlement between the residents of Illinois and Snapchat has been reached following a class action lawsuit over the collection of biometric data. According to the complaint filed on May 11, 2022, for alleged violations of Illinois’ Biometric Information Privacy Act, the company allegedly collected biometric data through
April 19, 2022
Written by: Richard Sheinis, Esq. As many of you know, the VCDPA is scheduled to go into effect on January 1, 2023. In advance of the effective date, the Virginia Legislature has passed several amendments to the Act. The amendments are as follows: A new exemption to the right to delete when the personal data
April 19, 2022
Written by: Joseph Stepina, Esq. Canadian e-commerce company Shopify Inc. faces a new class action lawsuit over a 2020 data breach in which hackers were able to access personally identifiable information of over 270,000 individuals. Shopify contracted with Ledger SAS, which sells cryptocurrency hardware wallets, to store its customers’ personal information. In addition, the hackers
April 19, 2022
Written by: Brock Wolf, Esq. Last month, the Federal Trade Commission (“FTC”) announced a proposed settlement with the online retailer of customized merchandise, CafePress. This settlement follows allegations that the company failed to implement reasonable security measures and attempted to cover up a 2019 data breach. The proposed settlement would call for CafePress to pay
April 19, 2022
Written by: Brock Wolf, Esq. Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment, which takes effect on July 1, 2022, implements a forty-five (45) day deadline for reporting a breach to affected individuals and the Indiana Attorney General. Indiana’s breach notification law now requires entities to
March 16, 2022
Written by: Joseph Stepina, Esq. Notorious ransomware group Conti has itself been the target of cyberattacks after it announced its allegiance to Russia and its support of Russia’s ongoing invasion of Ukraine. Conti is famous for conducting ransomware attacks on a variety of business and government entities including Ireland’s national health service, Shutterfly, and fashion
March 16, 2022
Written by: Brock Wolf, Esq. On March 1, 2022, the United States Senate unanimously passed the Strengthening American Cybersecurity Act. This package of three bills aims to strengthen U.S. cybersecurity infrastructure by enhancing incident reporting requirements, tightening cybersecurity requirements for federal agencies and calling for federal agencies to migrate to cloud-based networks. One of the
March 16, 2022
Written by: Brock Wolf, Esq. Last month, on February 17, the California Privacy Protection Agency (“CPPA”) announced at a board meeting that the publication of final regulations under the California Privacy Rights Act (“CPRA”) will be delayed. Under the CPRA, regulations were to be finalized by July 1, 2022. The goal was to provide businesses
March 16, 2022
Written by: Richard Sheinis, Esq. On March 3, 2022 the Utah Consumer Privacy Act (“UCPA”) was passed by the Utah legislature and sent to the Governor to sign, which he is expected to do. Most of you will be familiar with the requirements of the UCPA as they are similar to recently passed privacy laws
Fourth Time’s the Charm? Washington State Legislature Contemplating Comprehensive Data Privacy Bills
February 15, 2022
Written by: Brock Wolf, Esq. Washington is among the states expected to pass a comprehensive data privacy law this year. At least, that has been the headline since 2019, when the Washington Privacy Act was first introduced in the legislature. Now, for the fourth year in a row, the legislature will attempt to pass a
February 15, 2022
Written by: Brock Wolf, Esq. Illinois’ Biometric Information Privacy Act (“BIPA”) is arguably the nation’s strictest when it comes to biometric information. Biometric information protected by BIPA includes fingerprints, retina or iris scans, hand scans, facial recognition, DNA and other unique biological information. Passed in 2008, BIPA requires that before companies may collect or otherwise
February 9, 2022
Written by: Richard Sheinis, Esq. Several Democratic legislators have introduced the Algorithmic Accountability Act of 2022 (the “Act”). This legislation is a redo of the 2019 Algorithmic Accountability Act. While this piece of legislation will likely die on the vine, like so many personal data related bills before it, it demonstrates a disturbing trend to
February 2, 2022
Written by: Richard Sheinis, Esq. As many of our readers know, the transfer of personal data from the EU to countries outside the EU is heavily regulated by the GDPR. Companies that transfer personal data from the EU to the US typically use Standard Contractual Clauses, which are intended to provide some assurance that personal data
January 11, 2022
Written by: Brock Wolf, Esq. Mass General Brigham Incorporated and its affiliate healthcare providers (“Mass General”) agreed to pay $18.4 million to settle a class-action against the healthcare system. While healthcare providers around the nation are falling victim to data breaches and ransomware attacks, this lawsuit has a different origin. Instead, this class-action stems from
January 10, 2022
Written by: Richard Sheinis, Esq. CNIL, the French data privacy supervisory authority, has fined Google 150 million euros, and Facebook 60 million euros, for having websites that do not make refusing cookies as easy as accepting them. Prior GDPR guidance, and rulings from various supervisory authorities, required that websites using cookies have a cookie banner
January 7, 2022
Written by: Brock Wolf, Esq. Last month, India’s Joint Parliamentary Committee submitted its report on India’s draft Data Protection Bill (the “Bill”) to Parliament. The report, which comes after two (2) years of deliberations, contains the Joint Parliamentary Committee’s recommendations and a revised draft of the Bill. In 2017, the Supreme Court of India declared
December 21, 2021
Written by: Richard Sheinis, Esq. In September 2021, Senator Richard Blumenthal and eight other Democratic Senators sent a letter to FTC Chair Lina Khan requesting that the agency begin a rulemaking process to address data privacy. Blumenthal and the other Senators stated that consumer privacy had become a consumer crisis with tech companies routinely breaking
December 21, 2021
Written by: Brock Wolf, Esq. Earlier this month, on December 9, 2021, a critical vulnerability was discovered in the Apache Software Foundation’s (“Apache”) Log4j code, potentially providing threat actors with access to millions of computers and devices worldwide. On December 10, the director of cybersecurity at the National Security Agency (NSA) and the Department of
December 21, 2021
Written by: Alyssa J. Feliciano, Esq. The European Data Protection Board (“EDPB”) released new guidelines in November to clarify when a processing operation should be classified as an international data transfer based upon Article 3 and Chapter V of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). The guidelines are intended to create a
November 9, 2021
Written by: Brock Wolf, Esq. and Alyssa J. Feliciano, Esq. California continues to update its privacy policies. Changes and clarifications are constantly being announced, making it imperative for businesses to stay vigilant in their practices. Notably, the California Privacy Protection Agency subcommittee (the “Agency”), which was created under the California Privacy Rights Act (“CPRA”), proposed
November 8, 2021
Written by: Richard Sheinis, Esq. Last month I wrote about the need for federal data privacy legislation. Although numerous Senators have introduced such legislation, nothing much seems to happen after the initial introduction. Adding to the list, Senator Catherine Cortez Masto (D-Nev.) is introducing the Digital Accountability and Transparency to Advance (DATA) Privacy Act. There
November 2, 2021
Written by: Brett Lawrence, Esq. On September 16, 2021, by Royal Decree, Saudi Arabia enacted the Personal Data Protection Law (“PDPL”). The PDPL becomes effective on March 23, 2022 and will be enforced by the Saudi Data and Artificial Intelligence Authority (“SDAIA”). Regulated businesses have until March 23, 2023 before the PDPL is enforced. We
October 12, 2021
Written by: Richard Sheinis, Esq. The U.S. is lagging further and further behind the rest of the world when it comes to the privacy of personal data. The EU’s General Data Protection Regulation (GDPR), which became effective in 2018, has become the “gold standard” for data privacy. Many countries have used the GDPR as the model
October 11, 2021
Written by: Alyssa Feliciano, Esq. Representative Deborah Ross [D] and Senator Elizabeth Warren [D] proposed the Ransom Disclosure Act (“RSA”), to provide DHS with information regarding ransomware attacks and subsequent payments that are made by covered entities. The goal of the RSA, according to Rep. Ross and Sen. Warren, is to provide DHS with data
October 7, 2021
Written by: Brett Lawrence, Esq. 1. California’s Genetic Information Privacy Act On October 6, 2021, California passed the Genetic Information Privacy Act (“GIPA”). Under GIPA, California residents have greater control over how their genetic information will be collected and used by specific companies. GIPA becomes effective on January 1, 2022. GIPA applies to “direct-to-consumer genetic testing
October 1, 2021
Written by: Alyssa Feliciano, Esq. On September 24, 2021, the European Data Protection Board (“EDPB”) released an opinion on the draft adequacy decision for South Korea, which in large part was positive for the country. There were certain areas of concerns that were pointed out by the EDPB. Once the EDPB’s stated issues are addressed
September 14, 2021
Written by: Brett Lawrence, Esq. On August 20, 2021, China passed its Personal Information Protection Law (“PIPL”). This is China’s first general and broadly sweeping privacy law regulating the collection, processing, and transferring of personal information, similar to the European Union’s General Data Protection Regulation (“GDPR”). PIPL takes effect on November 1, 2021, less than
September 14, 2021
Written by: Richard Sheinis, Esq. We are all aware of the requirements under several laws that a company’s website must have a link to the company’s privacy policy explaining how the company treats personal information. The oxymoronic part of the privacy policy requirement, however, is that laws require more and more information to be included
September 14, 2021
Written by: Alyssa Feliciano, Esq. A federal judge in South Carolina denied a motion to dismiss claims in a class action lawsuit brought under the California Consumer Privacy Act (“CCPA”). The class action suit was brought against Blackbaud following a ransomware attack in early 2020 that left countless individuals’ data compromised. Blackbaud attempted to have
September 1, 2021
Written by: Alyssa Feliciano, Esq. On August 16, 2021, a California federal district court dismissed what would have been the first case brought by a British or EU resident to the US regarding the interpretation and enforcement of GDPR. The Plaintiff, a UK resident, alleged that US-based company, PubMatic, placed unique and therefore individuating identifiers
August 10, 2021
Written by: Alyssa Feliciano, Esq. The CCPA gives California’s Attorney General (“AG”) authority to determine how businesses must comply with the law’s opt-out of the sale of personal information requirement. California’s recently inaugurated AG, Rob Bonta, announced that businesses will be required to accept Global Privacy Control (“GPC”) signals as an opt-out
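For engineers who have to honor the GPC signal the post refers to, the following is an added example and is not code from the post or from the GPC project. It assumes what the GPC specification defines: browsers send the preference as the HTTP request header `Sec-GPC` with the value `1` (and expose it to scripts as `navigator.globalPrivacyControl`), and a site can publish its support at `/.well-known/gpc.json`. The header dictionaries and the `lastUpdate` date are constructed for illustration.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example; not the original post's code. Assumes the GPC spec's
`Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource.
"""
from __future__ import annotations

import json


def gpc_opt_out(headers: dict[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup is too. Only
    the exact value "1" counts: the spec defines no other value, so an
    unexpected value is treated as "no signal" rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_out(headers: dict[str, str], stored_opt_out: bool) -> bool:
    """Combine the GPC signal with an opt-out the user already recorded.

    A GPC signal can only add an opt-out. A request without the header
    (for example from a second browser) must never silently clear a
    preference the user set through the site's own controls.
    """
    return stored_opt_out or gpc_opt_out(headers)


def may_sell_or_share(headers: dict[str, str], stored_opt_out: bool) -> bool:
    """Gate for the code path that sells or shares personal information."""
    return not effective_opt_out(headers, stored_opt_out)


def gpc_well_known(last_update: str = "2021-08-10") -> dict:
    """Body for /.well-known/gpc.json declaring that the site honors GPC.

    `last_update` is a constructed sample date (ISO 8601 date string).
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests: one browser sending GPC, one not.
    with_gpc = {"Host": "shop.example", "Sec-GPC": "1"}
    without_gpc = {"Host": "shop.example", "User-Agent": "Example/1.0"}

    print("GPC request may sell/share:", may_sell_or_share(with_gpc, False))
    print("Plain request may sell/share:", may_sell_or_share(without_gpc, False))
    # A previously stored opt-out survives a request without the header.
    print("Stored opt-out honored:", not may_sell_or_share(without_gpc, True))
    print(json.dumps(gpc_well_known()))
```

The check deliberately rejects values such as `0`, `true`, or an empty header instead of treating anything present as an opt-out; the signal is a user preference with legal weight, so the server should act only on the value the specification actually defines.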
August 9, 2021
Written by: Brett Lawrence, Esq. In July 2020, the Uniform Law Commission (“ULC”) voted to approve and recommend the proposed Uniform Personal Data Protection Act (“UPDPA”). Like the Uniform Commercial Code, the UPDPA is a model law designed as a cut-and-paste piece of legislation that states can tailor and subsequently adopt to their liking. The ULC
August 4, 2021
Written by: Alyssa Feliciano, Esq. On July 16, 2021, Luxembourg’s Commission Nationale pour la Protection des Données (“CNPD”) fined Amazon the equivalent of $887 million after it determined that Amazon was processing personal data in violation of the GDPR. Amazon representatives released a statement that the finding was without merit, citing that Amazon
August 2, 2021
Written by: Charles R. Langhorne IV, Esq. On July 7, 2021, the European Data Protection Board (“EDPB”) issued guidance further clarifying the relationship between controllers, joint controllers, and processors, under the General Data Protection Regulation (“GDPR”). This guidance is an update to the guidance issued by the Article 29 working party on February 16, 2010. The
July 13, 2021
Written by: Richard Sheinis, Esq. Most of you know that on June 4, 2021, the European Commission (“EC”) adopted two (2) new sets of Standard Contractual Clauses (“SCC”) for the cross-border transfer of personal data from the EU. The new SCC are due to a general need for updating the existing SCC, as well as
July 12, 2021
Written by: Brett Lawrence, Esq. and Alyssa J. Feliciano, Esq. On July 9, 2021, New York City’s biometric data law (the “Law”) became enforceable. The Law requires specific businesses to notify customers when their biometric data is being collected or shared. The Law further prohibits the selling of biometric data. Biometric Data Defined The Law defines
July 8, 2021
Written by: Charles R. Langhorne IV, Esq. and Alyssa J. Feliciano, Esq. Current status: The Bill passed and has been signed by the Governor. Effective date: July 1, 2023. To whom does the CPA apply? The CPA applies if a business meets one of the following circumstances. Requirement 1: Conducts business in Colorado, or produces commercial products or services
July 2, 2021
Written by: Brett Lawrence, Esq. On June 30, 2021, the New York Department of Financial Services (“DFS”) issued new guidance on ransomware prevention. Noting the increase in ransomware attacks and increases in the cost of cybercrime, DFS issued nine (9) specific security controls that every business should implement to remove common weaknesses exploited by ransomware
June 8, 2021
Written by: Charles R. Langhorne IV, Esq. and Alyssa J. Feliciano, Esq. Nevada law already allows individuals to “opt out” of allowing a business to sell their personal information. On June 2, 2021, Nevada Governor, Steve Sisolak, signed SB 260, which amended the definition of “sale”. This change means that the existing law will become broader
June 8, 2021
Written by: Richard Sheinis, Esq. This Bill was first introduced in 2016 in response to a dispute between the FBI and Apple in which the FBI sought to have Apple provide access to the locked mobile phone of a suspect in a mass shooting in San Bernardino, California. The Act has been reintroduced each year since
June 5, 2021
Written by: Charles R. Langhorne IV, Esq. On June 4, 2021, the European Commission issued the long-awaited new version of the standard contractual clauses (“SCCs”). In fact, the Commission issued two (2) different sets of SCCs: one governing transfers of personal data within the European Union (officially cited as C(2021) 3701), and one governing transfers of personal data outside the
May 15, 2021
Written by: Brett Lawrence, Esq. On May 12, 2021, President Joe Biden signed an executive order to improve the nation’s cybersecurity and protect the federal government’s networks (the “Order”). In their official statement, the White House expressly mentioned that the Colonial Pipeline and other cybersecurity incidents were “sobering reminders” that malicious cyber activity remains prevalent. The
May 11, 2021
Written by: Charles R. Langhorne IV, Esq. On April 7, 2021, North Carolina joined the race to enact state privacy law, by introducing the North Carolina Consumer Privacy Act (the “Act”). The Act was introduced by Senators DeAndrea Salvador (D), Ben Clark (D), and Joyce Waddell (D). Notably, all of the sponsoring senators are Democrats, which
May 10, 2021
Written by: Brett Lawrence, Esq. On May 6, 2021, Microsoft announced it will allow its commercial and public sector customers in the European Union (“EU”) to process and store all of their personal data in the EU. This implementation will be completed by the end of 2022 and is called the “EU Data Boundary for
May 5, 2021
Written by: Brett Lawrence, Esq. On April 14, 2021, the European Data Protection Board (“EDPB”) announced it had adopted two opinions in support of the draft UK adequacy decisions. The opinions stem from the EDPB’s review of the European Commission’s draft adequacy decisions for the General Data Protection Regulation (“GDPR”) and the Law Enforcement Directive (“LED”).
May 3, 2021
Written by: Richard Sheinis, Esq. On April 19, 2021 the FTC issued what might be called guidance, but is more of a warning, regarding the use of artificial intelligence. The FTC cautions against using AI in a way that produces discriminatory outcomes. The FTC states that in order to avoid bias and prejudice, the data
April 13, 2021
Written by: Charles R. Langhorne IV, Esq. Back in March the New York Department of Financial Services (“NY DFS”) issued Circular Letter No. 2 (2021) providing guidance to insurers offering cyber insurance in New York. The guidance provides a framework that could very well become required of insurers at a later date. The guidance urges
April 7, 2021
Written by: Brett Lawrence, Esq. 1. CCPA Regulations: Effective March 15, 2021, California’s Office of Administrative Law approved additional California Consumer Privacy Act (“CCPA”) regulations. The regulations provide the following: Offline Notification. Any business that sells personal information of a consumer that has been collected “offline” must provide proper consumer notification through an offline
April 2, 2021
Written by: Richard Sheinis, Esq. As of April 1, 2021, the French supervisory authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), will enforce its cookie and ad tracker guidelines. CNIL had previously announced it would give companies until March 31, 2021 to adjust their ad tracker and cookie practices to come into compliance. Most
April 1, 2021
Written by: Brett Lawrence, Esq. On March 5, 2021, the Federal District Court for the Northern District of California granted Walmart’s motion to dismiss the plaintiff’s class action lawsuit for exposed customer personal data. This was one of the first major lawsuits alleging violations under the California Consumer Privacy Act (“CCPA”). We previously discussed this
March 9, 2021
Written by: Richard Sheinis, Esq. The Biometric Information Privacy Act (“BIPA”) is an Illinois statute that prohibits the use of biometric identifiers or information without prior notification and written consent. Facebook ran into trouble when a lawsuit was filed in 2015 alleging Facebook violated BIPA by tagging photos using facial recognition without users’ consent. Facebook
March 9, 2021
Written by: Brett Lawrence, Esq. Brazil and the European Union recently issued further guidance on the procedures for handling and reporting a data breach. While Brazil finally published guidance before the law is to take effect, the European Union (“EU”) issued contextualized guidance for the types of data breaches that controllers usually experience. Brazil Brazil’s data
March 9, 2021
Written by: Charles R. Langhorne, IV, Esq. In 2020, Canada announced that its legislature was planning to revamp the existing federal legislation (PIPEDA). The understanding is that it will lead to a more GDPR-esque framework of data privacy. The goal of these policies is to govern the direction of IAB Canada’s role in shaping the
March 9, 2021
Written by: Brett Lawrence, Esq. Ecuador may soon be another country to enact general data privacy legislation. Introduced in September 2019, Ecuador’s Data Protection Bill (the “Bill”) nearly mirrors the European Union’s General Data Protection Regulation (“GDPR”). The Bill has 76 articles and 12 chapters; we summarize some of the fundamental provisions below. Jurisdictional Reach
February 9, 2021
Written by: Brett Lawrence, Esq. On January 14, 2021, the United States Court of Appeals for the 5th Circuit overturned a $4.348 million fine that the Department of Health and Human Services (“HHS”) had issued against the University of Texas M.D. Anderson Cancer Center for alleged HIPAA violations. Factual Background The case arose as a result
February 9, 2021
Written by: Brett Lawrence, Esq. Last month, the Federal Trade Commission (“FTC”) settled two allegations against two companies surrounding the unfair and deceptive use of facial recognition software and disclosure of health data. Everalbum, Inc. The FTC alleged that Everalbum, Inc., a California-based developer of a photo app called “Ever,” deceived consumers about its use
February 9, 2021
Written by: Charles R. Langhorne IV, Esq. 2021 is off to a hot start with many states introducing private sector privacy legislation. In this article I will outline: Virginia Washington Oklahoma New York Minnesota Virginia Virginia seems to be on track to win the race for the quickest to pass a privacy law. The Consumer
February 9, 2021
Written by: Richard Sheinis, Esq. On December 24, 2020, the EU-UK Trade Cooperation Agreement was announced. This Agreement contained an adequacy “bridge” so that the EU will treat the UK as an adequate jurisdiction for purposes of the protection of personal data for up to 6 months. During this period, the EU is to assess
January 12, 2021
Written by: Charles R. Langhorne IV, Esq. On January 6, 2021, New York legislators introduced the Biometric Privacy Act (“BPA”) to protect the rights of New York residents whose biometric information has been collected, used, or stored by a private entity. Not surprisingly, BPA does not apply to state or local government entities. BPA imposes
January 12, 2021
Written by: Brett Lawrence, Esq. On January 5, 2021, the Council of the European Union released a new draft version of the ePrivacy Regulation. The draft regulation is intended to replace the current ePrivacy Directive since the European Commission approved the first draft ePrivacy Regulation back in January 2017. In fact, this new draft version
January 12, 2021
Written by: Richard Sheinis, Esq. The transatlantic transfer of personal data from the EU to the US is still a mess. Since the EU Court of Justice struck down the EU-US Privacy Shield in July 2020, and called into question the validity of the EU’s standard contractual clauses, a solution to allow transfer of personal
January 12, 2021
Written by: Sean Cox, Esq. On December 10, 2020, the Trump administration announced proposed changes to the HIPAA privacy rule. According to the announcement, the changes are intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” The most important changes relate to
December 8, 2020
Written by: Brett Lawrence, Esq. On November 12, 2020, Vodafone, the multinational telecommunications company, was fined €12.25 million by Garante, Italy’s data protection authority. The fine is the third largest ordered by the regulator. Garante’s investigation was prompted by hundreds of complaints of unwanted telephone calls by Vodafone promoting its services. The investigation unveiled an information
December 8, 2020
Written by: Brett Lawrence, Esq. As of 2016, Russia requires all technology companies who collect and process the personal data of Russian citizens to store that data on servers located in Russia. Recently, Russian authorities discovered that Facebook was not complying with this law and subsequently levied a fine of 4 million rubles ($53,000) against the
December 8, 2020
Written by: Charles R. Langhorne IV, Esq. In November, the U.S. Federal Trade Commission (the “FTC”) released a Consent Agreement outlining the terms of the settlement the FTC reached with Zoom Communications regarding alleged unfair and deceptive practices. The Complaint by the FTC, which led to the Consent Agreement, alleged that Zoom misled users in 3
November 10, 2020
Written by: Brett Lawrence, Esq. Last December, we discussed India’s proposed Personal Data Protection Bill and the implications of its data localization requirement. It appears Turkey has now promulgated a similar requirement. Overview On July 29, 2020, Turkey’s legislature, the Turkish Grand National Assembly, approved the passing of Law No. 5651, an amendment to the country’s
November 10, 2020
Written by: Richard Sheinis, Esq. A lawsuit has been filed with a court in the Netherlands challenging Uber’s alleged practice of using automated systems to identify fraudulent activity and terminate drivers based on that process, also known as “Robo-Firing”. This practice, which Uber denies, would potentially violate Article 22 of the GDPR. Article 22 protects data
November 10, 2020
Written by: Charles R. Langhorne IV, Esq. Recently, three plaintiffs filed a class-action lawsuit alleging that Amazon violated Illinois’ Biometric Information Privacy Act (“BIPA”) by collecting and storing “voiceprints” without the users’ consent. Voiceprints Amazon has a software product called Amazon Connect that companies use to run call centers. One company with whom Amazon has partnered Pindrop
November 4, 2020
Written by: Rich Sheinis, Esq. and Brett Lawrence, Esq. The votes are in and California’s citizens have spoken, the California Privacy Rights Act (“CPRA”) is now law. Known as CCPA 2.0, CPRA increases the privacy obligations of businesses already subject to the requirements of California’s 2018 California Consumer Privacy Act (“CCPA”). Though not nearly discussed
October 13, 2020
Written by: Richard Sheinis, Esq. Sen. Roger Wicker, R-Miss., along with three other Republican senators who are members of the Senate Commerce Committee, has introduced yet another national privacy legislation bill, known as the SAFE DATA Act. The full name of the bill is the “Setting an American Framework to Ensure Data Access, Transparency and
October 13, 2020
Written by: Charles R. Langhorne IV, Esq. In August 2020, the Irish Data Protection Commission (the “DPC”) issued a preliminary order to Facebook requiring Facebook to suspend data transfers to the U.S. that involve personal data of EU residents. This is the DPC’s first action to enforce the Schrems II ruling issued by the Court
October 13, 2020
Written by: Charles R. Langhorne IV, Esq. On October 1, 2020, the Data Protection Authority of Hamburg (“DPA”), announced a fine of €35.3 million ($41.3 million) against multinational retail company H&M. The fine is based on excessive monitoring of H&M employees in Germany in violation of GDPR. This is the second-largest fine a single company
October 13, 2020
Written by: Brett Lawrence, Esq. Although the upcoming presidential election is currently dominating the political and media discourse, in the data privacy and security world, California’s 2020 ballot has been the recipient of much discussion. This is because the California Privacy Rights Act (“CPRA”) is on this year’s November ballot and can be potentially voted
September 23, 2020
Written by: Richard Sheinis, Esq. German authorities are investigating the death of a patient following a ransomware attack on a hospital in Germany. The unknown perpetrators potentially face charges of negligent manslaughter. Last Friday, a patient in need of urgent medical care was re-routed from the Düsseldorf University Hospital to a hospital more than 30
September 8, 2020
Written by: Richard Sheinis, Esq. Many of you are probably asking what the “Payment Services Directive 2 (PSD2)” is before worrying about being ready for it! PSD2 is a Directive from the European Parliament (Directive (EU) 2015/2366) intended to modernize Europe’s payment services for the benefit of consumers and business, and to facilitate innovation, competition, and
September 8, 2020
Written by: Richard Sheinis, Esq. It has been almost two (2) months since the EU Court of Justice struck down the EU-US Privacy Shield. At the same time, while holding that the Standard Contractual Clauses (“SCC”) in principle are still valid, the Court cautioned that SCC must still provide the level of protection guaranteed by the
September 8, 2020
Written by: Charles R. Langhorne IV, Esq. In a wild turn of events over a few days at the end of August, Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”) will take effect on September 16, 2020, barring a presidential veto or another act of the Brazilian legislature. What is the LGPD? The LGPD is
September 8, 2020
Written by: Charles R. Langhorne IV, Esq. Businesses subject to the California Consumer Privacy Act (“CCPA”) can breathe a small sigh of relief. On August 30, 2020, the California Legislature passed AB 1281. AB 1281 extends the business-to-business and employee personal information carve-outs until January 1, 2022. The bill is now headed to the Governor’s
September 8, 2020
Written by: Brett Lawrence, Esq. Biometric data is more widely used than it has ever been, primarily because developing technology has created a broad swath of convenient uses for it. It can help law enforcement authorities quickly target wanted individuals and also secure a business’ access to proprietary information. The best and most
August 11, 2020
Written by: Charles R. Langhorne IV, Esq. and Brock Wolf Last month, Canada’s Supreme Court upheld the constitutionality of provisions of its Genetic Non-discrimination Act (“GNDA”) with a 5-4 decision. In 2017, Canada’s federal government enacted the GNDA, establishing rules for businesses regarding genetic testing for diseases. Specifically, the GNDA prohibits requiring an individual to undergo
August 11, 2020
Written by: Charles R. Langhorne IV, Esq. and Brock Wolf Last month, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”). The decision not
August 10, 2020
Written by: Richard Sheinis, Esq. On August 4, 2020, yet more data privacy legislation was introduced by Senators Bernie Sanders and Jeff Merkley. Titled “The National Biometric Information Privacy Act of 2020,” this continues the trend of lawmakers introducing piecemeal, and frequently punitive, data privacy legislation rather than working on a single comprehensive data
August 9, 2020
Written by: Brett Lawrence, Esq. and Brock Wolf Early last month, Walmart joined Minted Inc., Zoom, TikTok, and Salesforce.com to become the largest company targeted by a class action lawsuit following a data breach under the California Consumer Privacy Act (“CCPA”). On July 10, 2020, shortly after CCPA enforcement began on July 1, Lavarious Gardiner
July 16, 2020
Written by: Brett Lawrence, Esq. On July 16, 2020, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”). The CJEU premised its decision invalidating
July 14, 2020
Written by: Brett Lawrence, Esq. and Brock Wolf After deliberating a draft Data Security Law from June 28 to June 30, 2020, China’s Standing Committee of the National People’s Congress (“NPC”) published the draft law on July 2, 2020. The draft law calls for China to develop a “standard, interconnected and interactive, secure and controllable”
July 14, 2020
Written by: Charles R. Langhorne IV, Esq. South Africa’s newest data privacy law, the Protection of Personal Information Act (“PoPIA”) is now in effect. There is a 12-month grace period, and enforcement will not begin until July 1, 2021. The PoPIA applies to businesses that process personal information in South Africa, whether or not they
June 30, 2020
Written by: Richard Sheinis, Esq. In the last fifteen (15) months, no less than six (6) data privacy Bills have been introduced in the Senate. Two of these Bills are specifically related to data collection and use in response to COVID-19. This does not include the Data Accountability and Transparency Act of 2020, announced by
June 27, 2020
Written by: Brett Lawrence, Esq. As businesses continue to prepare for the enforcement of the California Consumer Privacy Act (“CCPA”), which will begin on July 1, 2020, new privacy legislation is already on the way. On June 24, 2020, the Office of the Secretary of State of California announced that the California Privacy Rights Act
June 9, 2020
Written by: Richard Sheinis, Esq. Thailand’s Personal Data Protection Act was passed in May 2019, and was scheduled to go into effect May 27, 2020. The Act is very similar to the European Union’s General Data Protection Regulation. Only a few days before the Act was to become effective, it was decided that 22 types
EDPB Issues Statement on Hungary’s Decree to Suspend Rights Bestowed to Data Subjects Under the GDPR
June 9, 2020
Written by: Brett Lawrence, Esq. On May 4, 2020, Hungary issued a governmental decree suspending the rights of data subjects under Articles 15 to 22 of the General Data Protection Regulation (“GDPR”) in an attempt to contain the spread of the COVID-19 pandemic. Such articles include giving individuals, whose personal data has been collected, the
June 9, 2020
Written by: Charles R. Langhorne IV, Esq. Brazil’s new data privacy law, the “LGPD,” was set to go into effect on August 15, 2020. The LGPD is based largely on the European Union’s GDPR. Due to the impact COVID-19 has had on businesses, the effective and enforcement dates have been delayed. Keeping track of the
June 2, 2020
Written by: Richard Sheinis, Esq. A Dutch court has ruled that a grandmother is violating the EU’s General Data Protection Regulation by posting photographs of her grandchildren on her social media account without the consent of the children’s parents. The court’s ruling arose from a complaint filed by the children’s mother, who wanted the photographs
May 27, 2020
Written by: Charles R. Langhorne IV, Esq. Washington D.C. amended its data breach notification statute at the end of March. The new law is set to take effect by June 13, 2020. This is the first update to the law since it was passed in 2007. Personal Information Defined Washington D.C. is following the national
May 21, 2020
Written by: Brett Lawrence, Esq. On April 14, 2020, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced it will exercise further enforcement discretion in easing back penalties for failing to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The enforcement discretion has retroactive effect beginning
May 12, 2020
Written by: Charles R. Langhorne, IV, Esq. As we continue to wait for the ePrivacy Regulation, the European Union is being left to govern cookie consent procedures on their own. Some individual member states are taking it upon themselves to issue guidance, while others sit back and wait. I wrote an article late last year outlining
May 12, 2020
Written by: Charles R. Langhorne, IV, Esq. The California Consumer Privacy Act (“CCPA”) is not set to be enforced until at least July, but just last week the group that spearheaded the CCPA ballot initiative in 2018 submitted 900,000 signatures to put a new initiative, the California Privacy Rights Act (“CPRA”), on the November
May 12, 2020
Written by: Richard Sheinis, Esq. Unlike the United States, where Senators are first introducing legislation to deal with the use of personal information in the context of COVID-19, the European Data Protection Board (“EDPB”) relies on established legislation to govern the use of location data and contact tracing tools. (Hint: the U.S. needs to pass
May 12, 2020
Written by: Richard Sheinis, Esq. On April 30, 2020, Republican Senators Wicker (MS), Thune (SD), Moran (KS) and Blackburn (TN), announced the introduction of the “COVID-19 Consumer Data Protection Act,” intended to protect health, geolocation and proximity data. These types of personal data are related to contact tracing, the process of identifying persons with whom
April 14, 2020
Written by: Richard Sheinis, Esq. Many countries are using geolocation data from phones to track COVID-19. Singapore, the United Kingdom and Israel have developed their own apps for tracking people’s movements. In Europe, mobile phone companies such as Vodafone have agreed to share location data. The European Data Protection Board has appointed a group of
April 13, 2020
Written by: Charles R. Langhorne IV, Esq. The COVID-19 world that we are living in has changed the perspective of many businesses from proactive to reactive. Businesses (rightly so) are concerned with making payroll so that their employees can continue to pay their mortgages as opposed to preparing the company for impending data privacy
April 13, 2020
Written by: Sean Cox, Esq. The COVID-19 pandemic and the widespread shelter in place orders have, temporarily at least, changed how humans interact. Luckily, there are more options today than ever before which allow many to maintain a modicum of normalcy. Companies, schools, churches, families, and friends have turned to video conferencing solutions to stay
March 30, 2020
Written by: Richard Sheinis, Esq. On March 17 a coalition of 35 advertising groups sent California Attorney General Xavier Becerra a letter calling for a delay in the enforcement of the California Consumer Privacy Act (“CCPA”) because of COVID-19. Enforcement of the CCPA is currently scheduled to begin July 1. The Attorney General’s office refused
March 19, 2020
Written by: Chase Langhorne, Esq. The U.S. Department of Health and Human Services (“HHS”) released a bulletin this week waiving sanctions and penalties as of March 15, 2020 for non-compliance with certain provisions of HIPAA. The waiver centers around allowing people on the front lines to adequately handle and manage COVID-19 cases. Specifically, HHS is
March 10, 2020
Written by: Chase Langhorne, Esq. On February 21, 2020, Croatia released its proposal to attempt to move the ePrivacy Regulation across the finish line. The ePrivacy Regulation was proposed in 2017 with the main purpose of regulating personal data as it relates to internet cookies. The initial plan was for it to pass at the same
March 10, 2020
On February 24, 2020, Egypt’s Parliament passed the Personal Data Protection Law (“PDPL”). The law has many similarities to the European Union’s General Data Protection Regulation (“GDPR”). Scope The PDPL applies to Egyptian citizens and non-Egyptian citizens residing in Egypt. This is similar to GDPR, but slightly more limiting because GDPR applies to any person
March 10, 2020
Written by: Sean Cox, Esq. The California Consumer Privacy Act of 2018 (“CCPA”) officially went into effect on January 1, 2020. According to the California Attorney General, enforcement will begin on July 1, 2020. One of the most important provisions of the CCPA allows consumers to opt-out of the sale of their personal information. Among
March 10, 2020
Written by: Richard Sheinis, Esq. In this business, we are all familiar with the right to erasure (commonly called “the right to be forgotten”) granted by the GDPR. The question that often comes up is, when a data subject exercises their right to erasure, does the organization also have to erase the data subject’s personal
February 13, 2020
Written by: Richard Sheinis, Esq. Now that the UK has a withdrawal agreement with the EU, what will this mean for data privacy for personal data in the UK, as well as for personal data that is transferred between the UK and other countries? The UK’s Information Commissioner’s Office (“ICO”) has provided some answers. For the
February 13, 2020
Written by: Chase Langhorne, Esq. Ireland’s Data Protection Commission (DPC) has opened two separate investigations into Google and Tinder, respectively, for GDPR violations. Google The investigation into Google centers around how Google treats location data collected from end users. “The Inquiry will set out to establish whether Google has a valid legal basis for processing
February 13, 2020
Written by: Richard Sheinis, Esq. On February 7, 2020 the California Attorney General published a “redline” version of the CCPA Regulations. These regulations are open for public comment until February 24, 2020. In the meantime, here are a few of the more important redline changes in the latest draft: The definition of household is clarified
February 13, 2020
Written by: Chase Langhorne, Esq. On November 26, 2017 Australia introduced the consumer data right (CDR) which was designed to give consumers greater control over their personal data. Since that time, Australians have been waiting for the Australian Competition and Consumer Commission (ACCC) to issue rules governing exactly how a consumer will be able to
January 14, 2020
Written by: Chase Langhorne, Esq. Starting on January 1, 2020 amendments to data breach notification statutes in Illinois, Oregon, and Texas take effect. Illinois The Personal Information Protection Act (“PIPA”) requires public and private entities that handle non-public personal information to notify affected Illinois residents following a data breach. An amendment now requires public and
January 14, 2020
Written by: Sean Cox, Esq. On December 23, 2019, in a case of first impression, a unanimous Georgia Supreme Court reversed the trial court and Court of Appeals in a putative data breach class action, holding that there were sufficient allegations of a legally cognizable injury to survive a motion to dismiss. The case arose out
January 14, 2020
Written by: Richard Sheinis, Esq. Over the past year, Chinese regulators have sought to crack down on the collection and use of personal data by mobile apps. New regulations published jointly by China’s Cyberspace Administration, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation, address the illegal collection
January 14, 2020
Written by: Richard Sheinis, Esq. Doorstep Dispensaree, a London-based pharmacy which supplies medicine to individuals and care homes, left approximately 500,000 documents in unlocked containers stored in a courtyard at one of its premises. Documents contained personal data including names, addresses, dates of birth, medical and prescription information. The documents were not secure, and the
December 10, 2019
Written by: Richard Sheinis, Esq. The e-Privacy Regulation, which was supposed to be a close cousin to the General Data Protection Regulation, was first proposed by the European Commission in January 2017. However, here we are nearly 3 years later, and the latest draft of the e-Privacy Regulation has once again been rejected by the
December 10, 2019
Written by: Richard Sheinis, Esq. In yet another attempt to pass federal privacy legislation, on November 26, U.S. Senator Maria Cantwell, D-Wash., introduced the Consumer Online Privacy Rights Act (“COPRA”). COPRA would apply to information that identifies or is reasonably linked to an individual residing in the U.S. or a consumer device. COPRA would generally
December 10, 2019
Written by: Chase Langhorne, Esq. In an increasingly data-driven world, India’s proposed Personal Data Protection Bill (“PDPB”) took a step forward on December 4th when Indian Prime Minister Narendra Modi approved the bill for tabling in parliament. The PDPB was first proposed in 2018 and is designed to protect the personal data of
December 10, 2019
Written by: Chase Langhorne, Esq. In May 2019, Singapore’s data protection authority, the Personal Data Protection Commission (“PDPC”), took steps to update its existing data protection legislation, the Personal Data Protection Act (2012). The PDPC issued a statement regarding its progress and introduced new data breach notification procedures that are expected to be a part
December 10, 2019
Written by: Chase Langhorne, Esq. A recent public records request to the California DMV shows that the California DMV is selling personal information drivers provide to receive a driver’s license to private companies to the tune of roughly $50 million per year. The reasoning provided by a representative of the California DMV is that “[i]nformation
November 12, 2019
Written by: Chase Langhorne, Esq. While we await the completion of the ePrivacy Regulation, countries are taking matters into their own hands by both publishing guidance and issuing fines related to cookie consent mechanisms on websites. The existing ePrivacy Directive was published in 2009. Upon the passage of GDPR in 2018, an updated ePrivacy Regulation
November 12, 2019
Written by: Chase Langhorne, Esq. On October 21, the European Data Protection Supervisor (“EDPS”) issued an update on its investigation that began in April 2019 into contracts between Microsoft and EU institutions. “EU institutions” are comprised of the following seven decision making bodies of the EU: the European Parliament, the European Council, the Council of
November 12, 2019
Written by: Sean Cox, Esq. When a company is hacked, an immediate thought is sometimes whether they can hack back. The next question is then, “Can we do that?” Hacking back describes striking back at the cyber criminal by accessing, damaging, or breaching the criminal’s own system. The reasons for hacking back can be several:
November 12, 2019
Written by: Richard Sheinis, Esq. A soccer team in Denmark is using facial recognition technology to stop unruly fans, apparently with the approval of the Danish Data Protection Agency (“DDPA”). The technology is used to scan fans as they enter the stadium. The scans are then compared against a list of banned troublemakers to determine
November 12, 2019
Written by: Richard Sheinis, Esq. More than 2,000 websites, including court websites and the national TV station, were knocked out by a massive cyber attack in the country of Georgia. A state sponsored political attack is suspected as many of the website home pages were replaced with an image of former President Mikheil Saakashvili and the
November 12, 2019
Written by: Richard Sheinis, Esq. Singapore’s Personal Data Protection Commission (“PDPC”) has assessed two large fines against companies for data breaches. The telecommunications company Singtel has been fined $25,000 for a data breach involving its My Singtel mobile app. A problem in the design of the mobile app allowed My Singtel users to potentially access
October 7, 2019
Written by: Richard Sheinis, Esq. With the California Consumer Privacy Act (“CCPA”) ready to go into effect in 2020, and other states lined up to follow with similar legislation, there has been a greater push for a federal privacy law. Unless there is a federal privacy law that supersedes state law, businesses will be in
October 7, 2019
Written by: Richard Sheinis, Esq. German data protection authorities have published a new model for calculating fines under GDPR, which is likely to lead to higher fines. While this model is strictly being tested in Germany, since GDPR should be applied equally across the EU, it is possible that this model could be expanded to
October 7, 2019
Written by: Rich Sheinis, Esq. On October 1, 2019, the CJEU issued a ruling establishing that consent to use cookies cannot be validly obtained through a pre-checked box. In this particular case, an online gaming company, Planet49 GmbH, had a lottery which required internet users to provide personal data. The web page contained a pre-ticked
October 7, 2019
Written by: Chase Langhorne, Esq. On September 16th the State Attorney General’s Office of Ecuador released a statement (Spanish) indicating that a privacy breach concerning the personal data of Ecuadorian citizens was being investigated. Specifically, the breach involved servers belonging to Novaestrat, an Ecuadorian data analytics company. The breach was first discovered by the ethical-hacking group vpnMentor. Further
October 7, 2019
Written by: Chase Langhorne, Esq. On September 24 the Court of Justice of the European Union (CJEU) issued a landmark ruling on GDPR’s “right to be forgotten.” The case was brought by Google challenging an order, and subsequent fine, issued by the French Data Protection Authority (CNIL), over Google’s choice not to comply with CNIL’s
September 11, 2019
Written by: Richard Sheinis, Esq. The European Data Protection Board (“EDPB”) recently issued guidance on the use of video devices to process personal data. The guidelines are in draft form, and were open for public comment through September 9, 2019. The final version of the guidelines is expected later this year. The use of video
September 10, 2019
Written by: Chase Langhorne, Esq. On August 8, Portugal’s long-awaited data protection law went into effect. The legislation was originally passed in June, but awaited Presidential signature and publication in the Official Journal. The official name of the legislation is “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” (English translation:
September 10, 2019
Written by: Richard Sheinis, Esq. The Data Protection Law, 2017, (“DPL”) introduces globally-recognized principles surrounding the use of personal information to the Cayman Islands. Similar to the GDPR and other data privacy legislation, individuals will have several data access rights. These rights include the right to be informed, the right to access their data, the
August 21, 2019
Written by: Chase Langhorne, Esq. Ransomware attacks are plaguing businesses all over the world and, unfortunately, show no signs of slowing down. The scenario goes something like this: you come into work, pour a cup of coffee, go to check your email and nothing seems to work. You cannot open your email, nor any files
August 13, 2019
Written by: Richard Sheinis, Esq. Fashion ID is an online retailer whose website used a plug-in to feature a Facebook “Like” button. As a result of the plug-in, when a user lands on Fashion ID’s website, information about the user’s IP address and browser string is automatically transferred to Facebook. This transfer of information occurs
August 13, 2019
Written by: Richard Sheinis, Esq. The Ninth Circuit has ruled that a case against Facebook for violating the Illinois Biometric Information Privacy Act can proceed as a class action. The lawsuit stems out of Facebook’s “Tag Suggestions” feature. When a Facebook user enables the Tag Suggestions feature, Facebook uses facial recognition technology to analyze whether
August 13, 2019
Written by: Chase Langhorne, Esq. Artificial Intelligence (“AI”) devices can make everyday life easier. They can tell us the temperature outside, set a timer, and even order a pizza; but what is happening to all the data being collected by these devices? Think of everything an AI device hears in your living room while waiting
July 3, 2019
Written by: Anthony E. Stewart, Esq. Earlier this year, Arkansas Governor Asa Hutchinson signed HB 1943, which amends the Personal Information Protection Act. It goes into effect on July 23, 2019. The new law expands the definition of ‘personal information,’ imposes additional reporting obligations, and enacts specific retention requirements. It continues to apply to any
June 27, 2019
Written by: Anthony E. Stewart, Esq. Does your business have a website? If so, it will likely need to comply with yet another new online privacy law that goes into effect in a little over three short months. Nevada recently passed SB220, which amends its existing online privacy law and provides Nevada residents the ability,
June 18, 2019
Written by: Anthony E. Stewart, Esq. California and New York are not the only states making waves in the world of technology and privacy. Earlier this month, Governor Janet Mills of Maine signed into law one of the nation’s strictest internet privacy protection bills – An Act To Protect the Privacy of Online Customer Information.
June 17, 2019
Written by: Richard Sheinis, Esq. New York’s SHIELD Act has passed the New York Senate, and now awaits passage in the Assembly before it goes to the Governor to sign into law. While the Act contains new rules regarding data breaches and data breach notification, businesses should be most concerned about the increased geographic coverage
June 5, 2019
Written by: Anthony E. Stewart, Esq. India’s draft privacy law, Personal Data Protection Bill, 2018, is an important step as India moves toward a digital economy; however, it is one of the more controversial privacy laws amongst privacy experts. Critics have accused India Prime Minister Narendra Modi’s Bharatiya Janata Party of creating a “surveillance state”
June 5, 2019
As the first year of GDPR’s governance comes to a close, the hysteria has subsided, but the reality of the reach of GDPR is all the more real. Since its May 25, 2018 effective date European State Data Protection Authorities (“DPA”) have received more than 64,000 data breach notifications. Those 64,000 notifications have resulted in more
June 5, 2019
Written by: Chase Langhorne, Esq. It may come as a surprise, but only 11 states have constitutional provisions that contain an explicit right to privacy. Specifically, California voters amended their state constitution to include the right of privacy among the inalienable rights of all people in 1972. In 2018, the California legislature passed the California
May 20, 2019
Written by: Anthony E. Stewart, Esq. Your cell phone rings. You look down, and to your delight, it’s your daughter. She’s in college now and remembering to ‘give mom a call every once in a while’ seems to be an impossible task. You quickly answer, and your delight immediately turns to terror: “We have your daughter,”
April 24, 2019
Atlanta attorney Anthony Stewart created this graphic that reflects the summary of the HIPAA breaches that were reported to the U.S. Department of Health and Human Services during the first quarter of 2019.
December 6, 2018
Written by: Richard Sheinis, Esq. In a recent case, Dittman v. The University of Pittsburgh Medical Center, the Pennsylvania Supreme Court found that the Medical Center owed a duty to their employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems. Many other courts around the country have
October 31, 2018
Written by: Anthony E. Stewart, Esq. Any organization subject to Canada’s Personal Information Protection and Electronic Document Act (PIPEDA) will have new data breach notification rules to follow starting tomorrow. This change will affect businesses of all sizes and may affect U.S. companies that process Canadians’ personal information even if their operations are solely on the
October 10, 2018
Written by: Anthony E. Stewart, Esq. Brazil is one of the latest countries to implement comprehensive data privacy regulation. Brazilian President Michel Temer recently signed into law the General Law of Protection of Personal Data, which goes into effect in February, 2020. The new law imposes detailed rules for the collection, processing, and storage of personal data,
September 27, 2018
Written by: Anthony E. Stewart, Esq. The Federal Bureau of Investigation (FBI) has issued a warning about a phishing scam that is targeting employees who receive their paychecks by direct deposit. Cybercriminals are targeting the online payroll accounts of employees around the country in a variety of industries, especially those in education, healthcare, and commercial aviation. Here’s how
August 15, 2018
Written by: Anthony E. Stewart, Esq. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance for disposing of technology that contains sensitive information, such as financial or protected health information. While the OCR’s intended audience is limited to covered entities and business associates subject to HIPAA, all organizations that store or
August 10, 2018
Written by: Sean Cox, Esq. On June 26, 2017, the Georgia Court of Appeals issued an opinion in Collins, et al. v. Athens Orthopedic Clinic, A18A0296. This is the first Georgia appellate decision squarely addressing the issue of standing in a data breach case. Since the United States Supreme Court decision in Spokeo, Inc. v. Robins, 578 U.S. ___
August 1, 2018
Written by: Anthony E. Stewart, Esq. Last month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided guidance regarding software vulnerabilities and patching. In simple terms, a software vulnerability is a weakness, design or implementation error that can lead to an unexpected and undesirable event, compromising the security of a system. After a
July 2, 2018
Written by: Richard Sheinis, Esq. On June 28, 2018 California legislators enacted the California Consumer Privacy Act of 2018, granting new protections for consumers’ online data. The law does not take effect until January 1, 2020. It can still be amended by the California Legislature prior to that date, but don’t expect too much to change
June 25, 2018
Written by: Rich Sheinis, Esq. The wave of data protection that is the EU General Data Protection Regulation (“GDPR”) has hit the shores of the U.S. with states passing GDPR look-alike legislation. All 50 states have data breach notification statutes, which require notification of affected individuals after a breach. The new trend, following the lead of GDPR, is
January 31, 2018
Written by: Anthony E. Stewart, Esq. The Internal Revenue Service (IRS) and state tax agencies are warning employers about one of the most dangerous phishing scams in the tax community. Cybercriminals are targeting organizations nationwide and tricking payroll personnel into disclosing the sensitive personal information of an organization’s entire workforce. Last year, more than 200 employers
January 24, 2018
Written by: Richard Sheinis, Esq. On January 8, 2018, North Carolina Attorney General Josh Stein, and State Representative Jason Saine, proposed new data breach legislation entitled, “Act to Strengthen Identity Theft Protections” to update the current North Carolina data breach law. This legislation is in response to the recent data breaches at Equifax and Uber, the
August 29, 2017
Written by: Anthony E. Stewart, Esq. Ransomware attacks, like other cyber-attacks, are occurring more and more frequently, and healthcare entities are common targets. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a quick-response checklist and infographic detailing steps a HIPAA covered entity or its business associate should take to respond to a cyber-related
August 15, 2017
Featured on Hospitality Upgrade Magazine’s Tech Talk. Written by: Sam Crochet, Esq. In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May
July 14, 2017
Featured on Hospitality Upgrade Magazine’s Tech Talk. Written by: Sam Crochet, Esq. US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage—such as security of one cloud processor versus another, and
April 6, 2017
Written by: Sean Cox, Esq. Having a single person responsible for a company’s data privacy and security has long been good business practice, but for many it will soon be a legal requirement. The GDPR requires that organizations under its auspices appoint a Data Protection Officer (“DPO”). These requirements apply to more than just companies located
April 6, 2017
Written by: Sean Cox, Esq. A recent decision from the Federal 4th Circuit Court of Appeals is likely to make it much harder for plaintiffs within its borders bringing lawsuits following a data breach. In Beck v. McDonald1), the 4th Circuit Court of Appeals held that allegations of enhanced risk of future identity theft following a data
February 17, 2017
Written by: Sam Crochet, Esq. In-house counsels are facing growing pressure to perform risk assessments and address internal policies to avoid data breaches for a new reason (as if they needed one). Data breach plaintiffs, depending on the state, may now find their cases welcome in state courts despite struggling to prove a clear “injury” in
February 13, 2017
Written by: Richard Sheinis, Esq. A mistake is nothing more than an opportunity to learn. Of course, you have to take advantage of that opportunity. Children’s Medical Center of Dallas’ failure to take that opportunity has led to a HIPAA civil monetary penalty of $3.2 million. In 2010, Children’s filed a report with OCR indicating the
February 7, 2017
Written by: Richard Sheinis, Esq. Vizio, Inc., one of the world’s largest manufacturers of internet connected televisions has agreed to pay $2.2 million to settle charges by the Federal Trade Commission and the New Jersey Attorney General that it installed software on its TVs to collect viewing data on 11 million consumer TVs without the consumers’
January 23, 2017
Written by: Richard Sheinis, Esq. The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico for potential non-compliance with the HIPAA Security Rule. MAPFRE filed a report with HHS stating a “pen drive” containing ePHI of 2,209 individuals
January 13, 2017
Written by: Richard Sheinis, Esq. The importance of timely reporting breaches of Protected Health Information (“PHI”) is now underscored by the U.S. Department of Health and Human Services (“HHS”) first ever enforcement action against a medical provider for failing to timely report a breach. Presence Health, a health care network with approximately 150 locations, including hospitals,
December 6, 2016
Written by: Richard Sheinis, Esq. An Atlanta court has dismissed a shareholder derivative suit against Home Depot’s CEO and Board Chairman, Executive Vice-President and Chief Information Officer, and several members of the Board of Directors, arising from the 2014 breach which affected the credit card data of 56 million customers. The suit by Home Depot shareholders
November 30, 2016
Written by: Richard Sheinis, Esq. The University of Massachusetts Amherst is paying $650,000 to OCR to settle allegations of HIPAA violations that occurred in 2013. UMass neglected to designate their Center for Language, Speech and Hearing as a health care component (Oops!), and neglected to have the most basic electronic security in place, including a firewall.
September 1, 2016
Written by: Sam Crochet, Esq. St. Jude Medical Inc., a producer of remote-access pacemakers and implantable defibrillators, is under intense scrutiny for what cybersecurity researchers have deemed a negligent risk of attack. A California patient has filed a federal class action suit alleging the manufacturer failed to provide adequate cybersecurity controls for its implants. St. Jude
August 25, 2016
Written by: Tiffany Winks, Esq. On Tuesday, August 23, 2016, a Federal Judge in Atlanta awarded a whopping $7.5 million in legal fees to consumers’ lawyers in a lawsuit against Home Depot for its 2014 data breach. Not only did the Court award these substantial attorney’s fees, but it also tipped its hat to the lawyers
August 15, 2016
Written by: Richard Sheinis, Esq. The Georgia Court of Appeals recently held the line against data breach cases when it affirmed the dismissal of a class action against the Georgia Department of Labor.1) Thomas McConnell had filed a class action against the Georgia Department of Labor after a department employee sent a spreadsheet with the name, Social
August 14, 2016
Written by: Sam Crochet, Esq. Two class actions currently pending in the Third Circuit Court of Appeals, In re Horizon Healthcare Services Inc. Data Breach Litigation and Storm v. Paytime, will impact appellate courts’ future evaluations of “standing.” In Horizon Healthcare, the theft of laptops compromised the information of 839,000 individuals. The Plaintiffs alleged the imminent risk of harm from
August 11, 2016
Written by: Sam Crochet, Esq. Last month, the defense community scored a victory in the ongoing debate as to when theft of an individual’s data becomes a concrete injury for purposes of establishing “standing” to sue. In Torres v. Wendy’s, the Florida Plaintiff filed a federal class action against the fast food chain following an early-2016 data
August 2, 2016
Written by: Richard Sheinis, Esq. On July 29, 2016 the Federal Trade Commission issued an Opinion and final Order reversing the decision by an Administrative Law Judge (ALJ) that had dismissed FTC charges against medical testing laboratory LabMD, Inc. The Commission concluded that LabMD’s data security practices were unreasonable and constituted an unfair trade practice that
August 2, 2016
Written by: Richard Sheinis, Esq. Today, August 1, is the first day that the U.S. Department of Commerce is accepting self-certifications under the EU-US Privacy Shield. The Privacy Shield, which essentially takes the place of the invalidated Safe Harbor, allows for the transfer of personal information from the EU to the U.S. The self-certification process is
August 2, 2016
Written by: Sam Crochet, Esq. Technology is developing at an explosive pace, which is creating endless opportunities for improvement industry-to-industry. For years we have remotely accessed information from our smartphones, but now we are on the front wave of remotely accessing physical devices themselves. Doctors have the capability of adjusting patients’ insulin pumps without the need
July 19, 2016
Written by: Richard Sheinis, Esq. Over the last several months I have written about the dangers of hackers compromising various types of internet-connected medical devices used by hospitals and other medical providers. TrapX Security has now issued Part 2 of their “Anatomy of Attack” series, addressing the hacking of medical devices (http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf?aliId=1419599). This is
July 14, 2016
Written by: Richard Sheinis, Esq. On Monday, July 11, HHS issued a “Fact Sheet” on ransomware and HIPAA. While we know that the frequency of ransomware attacks has gone through the roof, HHS brought us some sobering figures. Since early 2016 there have been 4,000 daily ransomware attacks reported in the U.S. This represents a 300%
April 19, 2016
Written by: Richard Sheinis, Esq. The Sixth Circuit Court of Appeals recently upheld a dismissal of a lawsuit in which a plaintiff tried to use the improper accessing of her protected health information (“PHI”) as a basis for a claim under the False Claims Act. In Sheldon v. Kettering Health Network, 2016 U.S. App. LEXIS 4236 (2016),
April 18, 2016
Written by: Tiffany Winks, Esq. On Monday, April 11, 2016, the 4th Circuit ruled in Travelers Insurance v. Portal Healthcare Solutions that Travelers had a duty to defend Portal in a class action related to Portal posting patients’ medical records on the internet. A class action lawsuit was filed against Portal alleging patients’ medical records were accessible on
April 1, 2016
Written by: Tiffany Winks, Esq. On March 24, 2015, the Fourth Circuit Court of Appeals heard oral arguments as to whether a Commercial General Liability insurance policy provides coverage for a data breach. The case on appeal is Travelers Indemnity v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, (E.D. Va. 2014). The District Court had
March 30, 2016
Written by: Richard Sheinis, Esq. Senate Bill 2005, amending Tennessee’s data breach notification law, was signed by the Governor on March 24, 2016. The new law is effective July 1, 2016. The main changes to the current law (Tennessee Code Annotated, Section 47-18-2107) are as follows: Notification of a data breach must be provided to affected
March 23, 2016
Written by: Patrick Powell, Esq. On March 21, 2016, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR beginning the audit process. The Health Information Technology for Economic
March 21, 2016
By: Richard Sheinis, Esq. Two medical providers recently paid large settlements to the Department of Health and Human Services’ Office for Civil Rights because of HIPAA violations. Both involved thefts of laptops, an issue I see with some regularity. In one case, The Feinstein Institute for Medical Research in Manhasset, L.I., a research arm for Northwell
January 27, 2016
Written by: Richard Sheinis, Esq. On January 20, 2016, the “Georgia Personal Data Security Act” was introduced in the State Senate. The current Georgia breach notification law is one of the weakest in the country. It only applies to “information brokers” and “data collectors” that maintain computerized personal information of individuals. An “information broker”, such as
January 25, 2016
Written by: Richard Sheinis, Esq. The FDA has issued this draft guidance to add to its other guidance documents on cybersecurity and medical devices, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, and “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. It is starting to feel like a Harry Potter series. The essence of
January 15, 2016
Written by: Patrick Powell, Esq. Under HIPAA, patients have the right to access and obtain a copy of their health information from physicians, hospitals, and insurers. However, recent reports have concluded individuals often face barriers to accessing their information, even from entities required under HIPAA to provide the data. Understanding HIPAA’s requirements regarding patients’ access to
January 6, 2016
Written by: Richard Sheinis, Esq. The Georgia Court of Appeals just issued an opinion in a case that provides a good lesson on the importance of protecting data against employee theft. In Lyman v. Cellchem Int’l, LLC,1 two former employees of Cellchem were accused of using a thumb drive to copy confidential computer files, including financial data
December 21, 2015
Written by: Richard Sheinis, Esq. Last week I posted a short blog to let everyone know that a consolidated text of the new EU General Data Protection Regulation (“GDPR”) was released by the European Parliament, and the Council of the European Union. Now it is time to give you a more in depth look at the
December 17, 2015
Written by: Richard Sheinis, Esq. The European Parliament and Council have issued a consolidated text of the new General Data Protection Regulation (“GDPR”). I will be reviewing the text and will provide a complete analysis in the coming days, but this article from the IAPP is a good initial look, https://iapp.org/news/a/gdpr-we-have-agreement/. Stay tuned for more analysis, and how
December 14, 2015
Written by: Richard Sheinis, Esq. In a precursor of things to come, earlier this month the CERT Division of the Software Engineering Institute based at Carnegie Mellon University warned that the Epiphany Cardio Server is vulnerable to hacking. The Cardio Server gathers medical data and diagnostic test results from different medical devices, and makes the
November 17, 2015
Written by: Richard Sheinis, Esq. In a surprising ruling, the FTC has taken a big hit to its self-appointed power to regulate the data security practices of every business in the country. On Friday, November 13, the FTC Chief Administrative Law Judge Michael Chappell dismissed the FTC’s complaint alleging that LabMD failed to provide reasonable and
November 5, 2015
By: Richard Sheinis, Esq. The medical industry is taking advantage of wireless technology to change the very premise of how care has been provided for hundreds of years. Regardless of whether a doctor was performing bloodletting in the 1700’s or an appendectomy in 2000, the one constant was that the patient and doctor always had to
October 6, 2015
Written by: Richard Sheinis, Esq. In a ruling that can have great ramifications for technology companies, and almost any U.S. company that does business in the EU, the EU Court of Justice has ruled that the Safe Harbor provisions, which for years have allowed companies to transfer personal data from the EU to the U.S., are
September 29, 2015
Written by: Richard Sheinis, Esq. On Friday of last week, President Obama announced that he and Chinese President Xi Jinping reached a “common understanding” not to conduct or support state sponsored hacking. “We have agreed that neither the U.S. or Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property including trade secrets or
September 10, 2015
In a classic case of “social engineering,” hackers are using the Syrian refugee crisis to scam people out of money and information. Whenever a humanitarian crisis hits, hackers will set up fake websites, send phishing e-mails, and use social media such as Facebook to encourage people to donate money or see the latest news on
September 5, 2015
This week the FBI said an e-mail scam that tricks businesses into wiring funds to hackers has increased 270% since the beginning of 2015. The FBI has named the scam “Business E-Mail Compromise” or “BEC”. The scam occurs when a hacker infiltrates the e-mail of a company executive. The hacker will then send an e-mail,
August 26, 2015
On August 24, in FTC v. Wyndham Worldwide Corp., the Third Circuit Court of Appeals found that the FTC had authority to regulate cyber security under the “unfairness” prong of Section 5 of the Federal Trade Practices Act. The background of the case is this: On three (3) occasions in 2008 and 2009 hackers successfully penetrated
August 19, 2015
Ubiquiti Networks, Inc. was recently the victim of a cyber scam in which the thieves sent spoof communications to executives to trick them into wiring funds to the fraudsters to the tune of $46.7 million. Go to Krebs on Security, http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/, for a good historical perspective on this scam, but the way it works is this:
August 3, 2015
In a warning that is the first of its kind, on July 31, 2015, the FDA encouraged healthcare facilities to stop using the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm) The infusion system is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. It operates
July 28, 2015
Up until now, most lawsuits against retailers by customers whose personal information was stolen by hackers in a data breach were dismissed by the courts in the early stages of litigation because the theft of personal information, such as credit card numbers, in and of itself was not considered a sufficient injury to confer “standing”
July 24, 2015
When I was a kid, my mother would always tell me it doesn’t pay to sneak around because I would always get caught. Never has this advice rung so true as when I read about a website for married people seeking affairs that was hacked this week. (Karma?) Avid Life Media, which owns Toronto based
June 17, 2015
In recent posts I have discussed the need for security to keep hackers from injecting malware into medical devices. Now, TrapX Laboratories has issued a paper on an attack vector called MEDJACK, or “Medical Device Hi-Jack” (http://trapx.com/solutions/industry-2/healthcare/). TrapX explains that medical devices are “key pivot points” on a healthcare network. They are the weakest link
May 29, 2015
Earlier this month I published a Post on, “The Importance of Cyber Security in Telemedicine”, highlighting the importance of security for medical devices that can be hacked. Almost as if on cue, or more likely the result of lucky timing, on May 21, 2015, the IEEE Cybersecurity Initiative (www.cybersecurity.ieee.org) published, “Building Code for Medical Device Software
May 4, 2015
Telemedicine is coming to a hospital or medical office near you. What is telemedicine? Simply put, telemedicine is when the medical provider is in one location and the patient is in another. The medical professional uses telecommunication technology, oftentimes via the internet, to provide medical care to the patient. Unfortunately, any time information travels
April 20, 2015
As many of you know, ransomware is a malware that infects Windows systems and encrypts files to make them inaccessible and unusable. At the time of the infection, the hacker demands payment in exchange for the decryption key. Even if the ransom is paid, the decryption key is not always received. In a nice development,
March 25, 2015
In January, President Obama announced that he would release a draft Consumer Privacy Bill intended to give consumers more control over how data about them is collected and used. The draft Bill was released on February 27, 2015, and already there is no shortage of critics, including the President’s own Federal Trade Commission. (http://wapo.st/192KVXA) The
February 23, 2015
In January 2014, President Obama appointed John Podesta, Counselor to the President, to lead a review of big data and privacy. On February 5, 2015, the Big Data and Privacy Working Group issued an interim report detailing their progress. Unfortunately, the report demonstrates the government cannot resist the temptation to put its clamps on progress
December 31, 2014
Many Sony executives are embarrassed, to say the least, by their e-mails, which have been made public as a result of their data breach. (http://variety.com/2014/biz/news/leaked-sony-emails-reveal-jokes-about-obama-and-race-1201376676/). I have preached to businesses for a long time that they should make it clear to employees that they do not have an expectation of privacy if they use a
December 2, 2014
By now, most of us have heard about the health tracking capabilities of HealthKit, part of Apple’s latest iPhone operating system, iOS 8. HealthKit offers the ability of users to track and share personal health and medical data such as diet, exercise and activity. The Apple Watch will have a heart rate sensor, GPS, and
November 11, 2014
Most of us are aware of the litigation between the FTC and Wyndham Hotels arising out of the data breaches experienced by Wyndham between 2008 and 2010, resulting in hackers stealing the personal information of over 600,000 customers. In a less publicized case arising out of these data breaches, Wyndham was sued by a shareholder
October 14, 2014
On October 2, 2014, the FDA issued Guidance identifying cyber security issues that manufacturers of medical devices should consider in the design and development of their medical devices, as well as in preparing pre-market submissions for the devices. The goal is to reduce the risk to patients by decreasing the likelihood that device functionality is
October 14, 2014
Assembly Bill 1710 has strengthened California’s original security breach notification law, first passed in 2003. The Bill expands the applicability of the law to any company that merely maintains personal information of a California resident. The existing law had only been applicable to companies that own or license personal information. Companies that maintain such personal
October 14, 2014
California Governor Jerry Brown has signed into law Senate Bill 1177, the Student Online Personal Information Protection Act (SOPIPA), restricting collection and marketing uses of K-12 student data. The Bill requires the operator of an internet website, online service or mobile application to implement and maintain reasonable security procedures and practices to protect the student
October 1, 2014
On September 17, 2014, the FTC announced the review site Yelp, Inc., and mobile app developer TinyCo, Inc., in separate enforcement actions agreed to settle charges that they each violated COPPA. Yelp agreed to pay a $450,000.00 penalty, and TinyCo agreed to pay $300,000.00. COPPA (Children’s Online Privacy Protection Act) requires companies that use the
July 8, 2014
In the event you collect any personal data while doing business in Singapore, the Personal Data Protection Act in Singapore requires that as of July 2, 2014, organizations collecting and handling personal data in Singapore must have a Data Protection Officer. The Data Protection Officer is responsible for responding to inquiries and complaints relating to
May 1, 2014
Verizon has released its latest Data Breach Investigations Report, and its 2014 edition is better than ever! Verizon studied 1,367 confirmed data breaches, and 63,437 security incidents in 95 countries. A breach is defined as an incident that results in the disclosure or potential exposure of data. An incident is a security event that compromises
March 24, 2014
On March 13 the Ponemon Institute issued its Fourth Annual Study on patient privacy & data security. This study has come to be a respected and well received assessment of the privacy and security of patient information in health care. The study is based upon a survey of 91 health care providers of different sizes.
March 4, 2014
In technology years, the HIPAA Security Rule is a dinosaur. HIPAA was enacted in 1996, largely to address health care access, “portability”, and privacy. The final rule on security standards was issued in 2003, to specifically address the security of Electronic Protected Health Information (“PHI”). Where was the Internet and mobility
February 17, 2014
On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cyber Security”, which called for a set of industry standards and best practices to help organizations manage cyber security risk. Pursuant to this Order, on February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the “Framework for Improving Critical
November 11, 2013
As businesses accumulate more and more data, the chances are that a lot of this data becomes old, inaccurate, inactive, stale, or just plain not needed. The recent data breach at Adobe™ is a good lesson in why we should have specific procedures in place to delete data we no longer need. Adobe has offered
June 10, 2013
The North Carolina House recently passed the Job and Education Privacy Act (House Bill 846), which would prohibit employers from requesting that an employee or job applicant grant access to their personal electronic account or social networking account. The law would also prohibit employers from tracking an employee’s personal electronic communication device, such as
May 10, 2013
The 2013 Verizon Data Breach Investigation Report is now available. As in past years, the Report provides useful information regarding trends in data breaches, and tips for protecting your company. The following are highlights from the Report: 1. SOURCE OF INFORMATION FOR THE REPORT Verizon receives information from 19 global organizations, including law enforcement agencies,
COURTS REACH DIFFERENT CONCLUSIONS IN DATA PRIVACY AND DATA BREACH CASES SEEKING CLASS CERTIFICATION
April 10, 2013
In a tale of two courts, two federal courts have recently gone in opposite directions on the issue of class certification in data privacy and data breach lawsuits. In In Re Hannaford Bros. Co. Customer Data Security Breach Litigation[1], the court refused to certify a class to pursue claims arising out of a data breach of
February 20, 2013
On February 12, 2013, President Obama, dissatisfied with Congress’ failure to pass legislation to protect the infrastructure that is critical to the Country’s operation, signed an Executive Order (EO) titled “Improving Critical Infrastructure Cybersecurity.” The immediate questions that pop into the brain trust of many companies are, “Does this apply to us?” and “Do
February 13, 2013
A recent study by the Ponemon Institute revealed that employees are causing companies to lose intellectual property (IP) with startling frequency. Perhaps the most troubling aspect of this behavior is the companies’ lack of awareness that their IP is at risk. The study results, based on survey responses of 3,317 people in the
April 4, 2012
Each year since 2004, Verizon has released a Data Breach Investigative Report. The 2012 Report (based on 2011 data) is now available. The Report, which contains a compilation and analysis of reported breaches, should be of interest to business owners, insurers, auditors, security experts, and others involved in this field. This Special Edition of Data Protection