The Data Privacy & Cybersecurity Blog explores legal developments, trends, and business strategies around data protection, retention, privacy, reporting obligations, risk management, how to respond to hacking or security breaches, what to disclose and when, and other agenda-setting topics.

The insight features tips to help clients identify data protection concerns, assure that their businesses are in compliance, and develop proactive plans that reduce the risk of data security breaches. We also weigh in on breaking news such as cyberattacks, ransomware, phishing, viruses, and other matters.

Recent Posts

Singapore’s Amendments to Its Cybersecurity Laws

The Cyber Security Agency of Singapore released amendments to its cybersecurity laws on May 7, reinterpreting how critical information infrastructure is defined, identified, and secured.

Federal Trade Commission (FTC) Updates

FTC final rules, business guidance, warnings, and enforcement actions keep rolling in. Check out the latest round up of Federal Trade Commission (FTC) updates in the data privacy sector.

EDPB Task Force Issues Report on ChatGPT Compliance with GDPR

The EDPB recently issued a report on the work done by the ChatGPT Taskforce offering guidance on how AI programs might be evaluated for GDPR compliance going forward…

Vermont Data Privacy Act (VDPA) H.121: Manifest Destiny Data Protection

Vermont’s new Data Privacy Act is poised to be the second strongest in the U.S., focusing on protecting consumers and children from aggressive data gathering and addictive algorithms. Learn about the bill’s key provisions, compliance requirements, and potential impact on your business.

China’s New Regulations for Cross-Border Transfers

In March 2024, the Cyberspace Administration of China published new regulations on the cross-border data flows. These regulations aim to loosen the constraints of the compliance burden companies face while having operations in China…

FTC Updates the Health Breach Notification Rule: Health-Related Websites & Mobile Apps Beware

The FTC recently updated the Health Breach Notification Rule regarding the disclosure of health related information among websites and mobile applications.

Privacy Dynamics Woven into Recent Foreign Aid Package

In April 2024, the “Foreign Adversary Controlled Applications Act” and “Protecting Americans’ Data from Foreign Adversaries Act of 2024” were signed into legislation, resulting in numerous data privacy matters being affected…

A Quick & Easy Guide to California’s Suite of Proposed AI Regulations

California rolled out 31 new Artificial Intelligence bills affecting almost every level of commerce. Find out how they may affect your business, human resource operations, healthcare, schools, and more.

Navigating the Updated OCR Guidance on Online Tracking Technologies: Key Insights

The recent update issued by OCR on March 18, 2024, revised the initial guidance from December 1, 2022, providing clearer directives for HIPAA covered entities and business associates regarding the deployment of online tracking tools.

A Closer Look: EU’s Finalized AI Act & What It Means for the U.S.

Touted as the world’s first comprehensive legal framework of its kind, the AI Act will go into effect in stages over the next three years. The AI Act will apply to both businesses operating within the EU and to any AI developers or creators whose AI systems are used in EU countries and raises a few questions…

Meta’s “Pay or Consent” Model Instills Consumer Protection Issues in European Union

The EU Consumer Protection Agency has rallied against Meta’s “Pay or Consent” model, claiming it is entirely too aggressive and coercive, fundamentally undermining the principles of GDPR.

Compromise Brings EU Artificial Intelligence Act One Step Closer to Final

On February 13, 2024, EU member states voted unanimously in favor of the proposed EU AI Act, the result of extensive negotiations and compromises between member states and is now expected to be formally adopted in March or April of this year.

LockBit Takedown & Pseudo-Reemergence Continue to Crystallize the Economic Impacts of Ransomware-as-a-Service

In the ongoing global hunt for cybercriminals, the past thirty days have been illuminating for some, unsurprising for others, and climactic for all following the takedown of LockBit.

FTC Moves to Modernize Children’s Online Privacy Protection Rule

After almost four years of review and 175,000 public comments later, the FTC unveiled its plan to update the Children’s Online Privacy Protection Rule (COPPA Rule) on December 20, 2023, after the Commission voted 3-0. The last COPPA revision was made in 2013…

EU’s Cookie Reduction Pledge: How It Affects Your Business

The EU’s cookie reduction pledge represents a significant move towards enhanced digital privacy. While offering more control over cookies, the emergence of alternative tracking methods like device fingerprinting and contextual targeting highlights new complexity, reminding companies that users are no longer data-naïve.

Forecasting 2024 Global Privacy Legislative Developments

Global legislative developments in the privacy sphere were abundant in 2023. Privacy professionals from around the world predict that legislation pertaining to data privacy and cyber security will continue to flourish in 2024, and this post explores those predictions.

The World’s First Comprehensive AI Law — the EU AI Act — is a Landmark in AI Regulation

Globally, business owners are asking how the European Union’s AI Act affects their business. This article will delve into the Act and how businesses will be affected globally, with an emphasis on the U.S.

HHS Warnings Trigger Class Actions Against Medical Providers for Use of Online Tracking Technologies

After roughly a year of multiple warnings by the HHS concerning the usage of online tracking technologies and associated privacy and security risks, class action lawsuits have begun to be filed…

The FTC Shows Its Dislike of Facial Recognition Technology

In May 2023, the FTC issued a warning that it would be closely monitoring the use of biometric information technology, including those powered by machine learning, because they raise significant consumer privacy and data security concerns and have the potential for bias and discrimination. On December 19, the FTC made good on its promise by

California Privacy Protection Agency Board Approves Legislative Proposal to Require Browsers to Offer Opt-out Preference Signals

On December 8, 2023, the California Privacy Protection Agency (CPPA) Board voted 5-0 at its meeting to advance a legislative proposal to require browser vendors to include a feature that allows users to exercise their California privacy rights through opt-out preference signals. This recent unanimous decision marks a significant stride toward fortifying consumer privacy rights in the digital realm

Justice Department Disrupts Prolific AlphV/Blackcat Ransomware Variant

On December 19, 2023, the FBI announced its investigation into Blackcat group, also known as AlphV or Noberus, and that it gained visibility into AlphV’s computer network due in part to assistance provided by an informant. “Law enforcement engaged a confidential human source who routinely provides reliable information related to ongoing cybercrime investigations,” the FBI

Another Year Wasted for U.S. Federal Data Privacy Legislation

As the rest of the world continues to move forward with national data privacy legislation, the United States continues its well-established habit of proposing piecemeal data privacy laws that go nowhere

California Privacy Protection Agency (CPPA) Publishes Revised Draft Cybersecurity Audit Regulations in Advance of December Board Meeting

On November 8, 2023, the CPPA published an updated draft of its cybersecurity audit regulations, intended, in part, to facilitate board discussion and public participation during the upcoming CPPA board meeting…

EU-UK Data Privacy Round Up

November was a busy month for data privacy. See below for updates to the EU AI Act, the Information Commissioner’s Office’s (ICO) response regarding third party cookies, the ICO’s appeal of Clearview ruling, and the Italy data protection authority’s (DPA) training probe

HHS Publishes New Cybersecurity Resources

The U.S. Department of Health and Human Services (HHS) Office of Information Security recently published new cybersecurity resources with the goal of mitigating common cybersecurity threats in the health care sector. HHS Resources Webinars: These are spotlighted periodically and noticed to subscribers. The next webinar spotlights Health Industry Cybersecurity Practices 2023 changes as it relates

Not Sneaky Enough: Google Pays $391.5M Privacy Violation Settlement

Written by: Savannah Liner Avera, Esq. Connecticut Attorney General William Tong announced a historic settlement with Google regarding its predatory disregard for users’ location tracking preferences. Google will pay $391.5 million to 40 states in a privacy violation settlement for continuing to track users after opting out of a feature called location history. Background This

Canada’s Consumer Protection Privacy Act (CPPA) at Least One Year Away

Written by: Richard Sheinis, Esq. Canada’s Federal Privacy Law, the Personal Information Protection and Electronics Documents Act (PIPEDA) is over 22 years old.  Its replacement, proposed Bill C-27, which introduces the Consumer Protection Privacy Act (CPPA) is still at least one year away from being passed. The CPPA is part of Canada’s Digital Charter Implementation

European Union Considering a Complete Ban on Facial Recognition Technology

Written by: Gabriel Lopez, Esq.  Earlier this month, European Union (EU) lawmakers began political debate on the EU’s Artificial Intelligence Act (AI Act). The legislation focuses on regulating the use of artificial intelligence in society. The AI Act seeks to introduce legal obligations commensurate with the potential harm, societal or otherwise, that may come with

Snapchat Agrees to $35 Million Settlement with Illinois Residents

Written by: Gabriel Lopez, Esq. A $35 million settlement between the residents of Illinois and Snapchat has been reached following a class action lawsuit over the collection of biometric data. According to the complaint filed on May 11, 2022, for alleged violations of Illinois’ Biometric Information Privacy Act, the company allegedly collected biometric data through

Virginia Amends the Virginia Consumer Data Protection Act (“VCDPA”)

Written by: Richard Sheinis, Esq. As many of you know, the VCDPA is scheduled to go into effect on January 1, 2023.  In advance of the effective date, the Virginia Legislature has passed several amendments to the Act.  The amendments are as follows: A new exemption to the right to delete when the personal data

Shopify and Leger Facing Second Class Action Over 2020 Data Breach

Written by Joseph Stepina, Esq. Canadian e-commerce company, Shopify Inc., faces a new class action lawsuit over a 2020 data breach in which hackers were able to access personally identifiable information of over 270,000 individuals. Shopify contracted with Leger, who sells SAS cryptocurrency hardware wallets, to store its customers’ personal information. In addition, the hackers

The FTC’s Full-Court (Cafe)Press

Written by: Brock Wolf, Esq. Last month, the Federal Trade Commission (“FTC”) announced a proposed settlement with the online retailer of customized merchandise, CafePress. This settlement follows allegations that the company failed to implement reasonable security measures and attempted to cover up a 2019 data breach. The proposed settlement would call for CafePress to pay

Indiana Amends Its Data Breach Notification Law

Written by: Brock Wolf, Esq. Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment, which takes effect on July 1, 2022, implements a forty-five (45) day deadline for reporting a breach to affected individuals and the Indiana Attorney General. Indiana’s breach notification law now requires entities to

Ransomware Group Conti Faces Data Leak of Its Own

Written by: Joseph Stepina, Esq. Notorious ransomware group Conti has, itself, been the target of cyberattacks after it announced its allegiance to Russia and its support of Russia’s ongoing invasion of Ukraine.  Conti is famous for conducting ransomware attacks on a variety of business and governmental entities including Ireland’s national health service, Shutterfly, and fashion

U.S. Senate Unanimously Passes the Strengthening American Cybersecurity Act

Written by: Brock Wolf, Esq. On March 1, 2022, the United States Senate unanimously passed the Strengthening American Cybersecurity Act.  This package of three bills aims to strengthen U.S. cybersecurity infrastructure by enhancing incident reporting requirements, tightening cybersecurity requirements for federal agencies and calling for federal agencies to migrate to cloud-based networks. One of the

California Privacy Rights Act Regulations Delayed

Written by: Brock Wolf, Esq.  Last month, on February 17, the California Privacy Protection Agency (“CPPA”) announced at a board meeting that the publication of final regulations under the California Privacy Rights Act (“CPRA”) will be delayed.  Under the CPRA, regulations were to be finalized by July 1, 2022.  The goal was to provide businesses

Utah About To Become The Fourth State To Pass Privacy Law

Written by: Richard Sheinis, Esq.  On March 3, 2022 the Utah Consumer Privacy Act (“UCPA”) was passed by the Utah legislature and sent to the Governor to sign, which he is expected to do.  Most of you will be familiar with the requirements of the UCPA as they are similar to recently passed privacy laws

Fourth Time’s the Charm? Washington State Legislature Contemplating Comprehensive Data Privacy Bills

Written by: Brock Wolf, Esq. Washington is among the states expected to pass a comprehensive data privacy law this year. At least, that has been the headline since 2019, when the Washington Privacy Act was first introduced in the legislature. Now, for the fourth year in a row, the legislature will attempt to pass a

Illinois McDonald’s Enter $50 Million Settlement for Alleged BIPA Violation

Written by: Brock Wolf, Esq. Illinois’ Biometric Information Privacy Act (“BIPA”) is arguably the nation’s strictest when it comes to biometric information. Biometric information protected by BIPA includes fingerprints, retina or iris scans, hand scans, facial recognition, DNA and other unique biological information. Passed in 2008, BIPA requires that before companies may collect or otherwise

The Algorithmic Accountability Act of 2022 Is Introduced

Written by: Richard Sheinis, Esq. Several Democratic legislators have introduced the Algorithmic Accountability Act of 2022 (the “Act”). This legislation is a redo of the 2019 Algorithmic Accountability Act. While this piece of legislation will likely die on the vine, like so many personal data related bills before it, it demonstrates a disturbing trend to

The Turf War Over Personal Data Continues

Written by: Richard Sheinis, Esq. As many of our readers know, the transfer of personal data from the EU to countries outside the EU is heavily regulated by the GDPR. Companies that transfer personal data from the EU to the US typically use Standard Contractual Clauses, which are intended to provide some assurance that personal data

Privacy Allegations Lead to $18.4 Million in Settlements for Boston Hospitals

Written by: Brock Wolf, Esq. Mass General Brigham Incorporated and its affiliate healthcare providers (“Mass General”) agreed to pay $18.4 million to settle a class-action against the healthcare system. While healthcare providers around the nation are falling victim to data breaches and ransomware attacks, this lawsuit has a different origin. Instead, this class-action stems from

European Cookie Rules Continue To Evolve

Written by: Richard Sheinis, Esq. CNIL, the French Data Privacy Supervisory Authority, has fined Google 150 Million Euros, and Facebook 60 Million Euros, for having websites that do not make refusing cookies as easy as accepting them.  Prior GDPR guidance, and rulings from various supervisory authorities, required that websites using cookies have a cookie banner

Indian Data Protection Bill Nearing Passage

Written by: Brock Wolf, Esq. Last month, India’s Joint Parliamentary Committee submitted its report on India’s draft Data Protection Bill (the “Bill”) to Parliament. The report, which comes after two (2) years of deliberations, contains the Joint Parliamentary Committee’s recommendations and a revised draft of the Bill. In 2017, the Supreme Court of India declared

FTC Starts Process to Adopt Privacy Rules

Written by: Richard Sheinis, Esq. In September 2021, Senator Richard Blumenthal and eight other Democratic Senators sent a letter to FTC Chair Lina Kahn requesting that the agency begin a rulemaking process to address data privacy.  Blumenthal and the other Senators stated that consumer privacy had become a consumer crisis with tech companies routinely breaking

Log4j Vulnerability Sweeps the Globe

Written by: Brock Wolf, Esq. Earlier this month, on December 9, 2021, a critical vulnerability was discovered in the Apache Software Foundation’s  (“Apache”) Log4j code, potentially providing threat actors with access to millions of computers and devices worldwide. On December 10, the director of cybersecurity at the National Security Agency (NSA) and the Department of

New EDPB Guidance on International Data Transfers

Written by: Alyssa J. Feliciano, Esq. The European Data Protection Board (“EDPB”) released new guidelines in November to clarify when a processing operation should be classified as an international data transfer based upon Article 3 and Chapter V of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). The guidelines are intended to create a

California Continues to Update and Enforce Privacy Laws

Written by: Brock Wolf, Esq. and Alyssa J. Feliciano, Esq. California continues to update its privacy policies. Changes and clarifications are constantly being announced, making it imperative for businesses to stay vigilant in their practices. Notably, the California Privacy Protection Agency subcommittee (the “Agency”), which was created under the California Privacy Rights Act (“CPRA”), proposed

Yet Another Senator Introduces Data Privacy Legislation

Written by: Richard Sheinis, Esq. Last month I wrote about the need for federal data privacy legislation.  Although numerous Senators have introduced such legislation, nothing much seems to happen after the initial introduction.  Adding to the list, Senator Catherine Cortez Masto (D-Nev.) is introducing the Digital Accountability and Transparency to Advance (DATA) Privacy Act.  There

Saudi Arabia Passes Personal Data Protection Law

Written by: Brett Lawrence, Esq. On September 16, 2021 by Royal Decree, Saudi Arabia implemented the Personal Data Protection Law (“PDPL”). The PDPL becomes effective on March 23, 2022 and will be enforced by the Saudi Data and Artificial Intelligence Authority (“SDAIA”). Regulated businesses have until March 23, 2023 before the PDPL is enforced. We

Can’t Congress Pass a Law for Data Privacy?

Written by: Richard Sheinis, Esq. The U.S. is lagging further and further behind the rest of the world when it comes to the privacy of personal data.  The EU’s General Data Protection Regulation (GDPR), which became effective in 2018, has become the “gold standard” for data privacy.  Many countries have used the GDPR as the model

Proposed Ransom Disclosure Act

Written by: Alyssa Feliciano, Esq. Representative Deborah Ross [D] and Senator Elizabeth Warren [D] proposed the Ransom Disclosure Act (“RSA”), to provide DHS with information regarding ransomware attacks and subsequent payments that are made by covered entities.  The goal of the RSA, according to Rep. Ross and Sen. Warren, is to provide DHS with data

California Privacy Update

Written by: Brett Lawrence, Esq. 1. California’s Genetic Information Privacy Act On October 6, 2021, California passed the Genetic Information Privacy Act (“GIPA”). Under GIPA, California residents have greater control over how their genetic information will be collected and used by specific companies. GIPA becomes effective on January 1, 2022. GIPA applies to “direct-to-consumer genetic testing

EDPB Releases Opinion on South Korea Draft Adequacy Decision

Written by: Alyssa Feliciano, Esq. On September 24, 2021, the European Data Protection Board (“EDPB”) released an opinion on the draft adequacy decision for South Korea, which in large part was positive for the country.  There were certain areas of concerns that were pointed out by the EDPB.  Once the EDPB’s stated issues are addressed

China Passes the Personal Information Protection Law

Written by: Brett Lawrence, Esq. On August 20, 2021, China passed its Personal Information Protection Law (“PIPL”). This is China’s first general and broadly sweeping privacy law regulating the collection, processing, and transferring of personal information, similar to the European Union’s General Data Protection Regulation (“GDPR”). PIPL takes effect on November 1, 2021, less than

Irish DPA Fines Whatsapp $225 Million Euro For Transparency Violations

Written by: Richard Sheinis, Esq. We are all aware of the requirements under several laws that a company’s website must have a link to the company’s privacy policy explaining how the company treats personal information. The oxymoronic part of the privacy policy requirement, however, is that laws require more and more information to be included

South Carolina Federal Court Denies Dismissal of CCPA Claims in Class Action

Written by: Alyssa Feliciano, Esq. A federal judge in South Carolina denied a motion to dismiss claims in a class action lawsuit brought under the California Consumer Privacy Act (“CCPA”). The class action suit was brought against Blackbaud, following a ransomware attack in early 2020 that left countless individual’s data compromised.  Blackbaud attempted to have

Federal District Court Rejects Plaintiff’s Attempt to Bring UK GDPR Lawsuit in US Court

Written by: Alyssa Feliciano, Esq. On August 16, 2021, a California federal district court dismissed what would have been the first case brought by a British or EU resident to the US regarding the interpretation and enforcement of GDPR. The Plaintiff, a UK resident, alleged that US-based company, PubMatic, placed unique and therefore individuating identifiers

California Requires Global Privacy Control Signals Opt-Out

Written by: Alyssa Feliciano, Esq. The CCPA gives authority to its Attorney General (“AG”) to determine how businesses must comply with the opt-out of the sale of personal information requirement under the law. California’s recently inaugurated AG, Rob Bonta, announced that businesses will be required to accept Global Privacy Control (“GPC”) signals as an opt-out

Uniform Law Commission Publishes Proposed Uniform Personal Data Protection Act

Written by: Brett Lawrence, Esq. In July 2020, the Uniform Law Commission (“ULC”) voted to approve and recommend the proposed Uniform Personal Data Protection Act (“UPDPA”). Like the Uniform Commercial Code, the UPDPA is a model law designed as a cut-and-paste piece of legislation that states can tailor and subsequently adopt to their liking. The ULC

Amazon Receives $887 Million EU Fine for Data Privacy Violations

Written by: Alyssa Feliciano, Esq. On July 16, 2021, the EU’s Commission Nationale pour le Protection des Données (“CNPD”) fined Amazon the equivalent of $887 million dollars after it determined that Amazon was processing personal data in violation of the GDPR.  Amazon representatives released a statement that the finding was without merit, citing that Amazon

European Data Protection Board Issues Guidance Clarifying Controller-Processor Relationship

Written by: Charles R. Langhorne IV, Esq. On July 7, 2021, the European Data Protection Board (“EDPB”) issued guidance further clarifying the relationship between controllers, joint controllers, and processors, under the General Data Protection Regulation (“GDPR”). This guidance is an update to the guidance issued by the Article 29 working party on February 16, 2010. The

The European Protection Board Issues Guidance On Supplementary Measures For The Cross-Border Transfer Of Personal Data

Written by: Richard Sheinis, Esq. Most of you know that on June 4, 2021, the European Commission (“EC”) adopted two (2) new sets of Standard Contractual Clauses (“SCC”) for the cross-border transfer of personal data from the EU.  The new SCC are due to a general need for updating the existing SCC, as well as

New York City Passes Biometric Law

Written by: Brett Lawrence, Esq. and Alyssa J. Feliciano, Esq. On July 9, 2021, New York City’s biometric data law (the “Law”) became enforceable. The Law requires specific businesses to notify customers when their biometric data is being collected or shared. The Law further prohibits the selling of biometric data. Biometric Data Defined The Law defines

Colorado Privacy Act (“CPA”)

Written by: Charles R. Langhorne IV, Esq. and Alyssa J. Feliciano, Esq. CURRENT STATUS The Bill passed and has been signed by the Governor. EFFECTIVE DATE July 1, 2023 TO WHOM DOES CPA APPLY? The CPA applies if a business meets one the following circumstances: Requirement 1: Conducts business in Colorado; or Produces commercial products or services

New York’s New Guidance on Preventing Ransomware

Written by: Brett Lawrence, Esq. On June 30, 2021, the New York Department of Financial Services (“DFS”) issued new guidance on ransomware prevention. Noting the increase in ransomware attacks and increases in the cost of cybercrime, DFS issued nine (9) specific security controls that every business should implement to remove common weaknesses exploited by ransomware

Nevada Amends Privacy Law for Opting Out of the Sale of Personal Information

Written by: Charles R. Langhorne IV, Esq. and Alyssa J. Feliciano, Esq. Nevada law already allows individuals to “opt out” of allowing a business to sell their personal information.  On June 2, 2021, Nevada Governor, Steve Sisolak, signed SB 260, which amended the definition of “sale”.  This change means that the existing law will become broader

Representative Ted Lieu Once Again Introduces The “Ensuring National Constitutional Rights For Your Private Telecommunications (ENCRYPT) Act”

Written by: Richard Sheinis, Esq. This Bill was first introduced in 2016 in response to a dispute between the FBI and Apple in which the FBI sought to have Apple provide access to the locked mobile phone of a suspect in a mass shooting in San Bernardino, California.  The Act has been reintroduced each year since

EU Commission Issues New Standard Contractual Clauses

Written by: Charles R. Langhorne IV, Esq. On June 4, 2021, the European Commission issued the long awaited new version standard contractual clauses (“SCCs”). In fact, the Commission issued two (2) different sets of SCCs. Governing transfers of personal data within the European Union. Officially cited as: C(2021) 3701. Governing transfers of personal data outside the

President Biden Issues Executive Order Improving Cybersecurity

Written by: Brett Lawrence, Esq. On May 12, 2021, President Joe Biden signed an executive order to improve the nation’s cybersecurity and protect the federal government’s networks (the “Order”). In their official statement, the White House expressly mentioned that the Colonial Pipeline and other cybersecurity incidents were “sobering reminders” that malicious cyber activity remains prevalent. The

North Carolina Introduces Consumer Privacy Act

Written by: Charles R. Langhorne IV, Esq. On April 7, 2021, North Carolina joined the race to enact state privacy law, by introducing the North Carolina Consumer Privacy Act (the “Act”). The Act was introduced by Senators DeAndrea Salvador (D), Ben Clark (D), and Joyce Waddell (D). Notably, all of the sponsoring senators are Democrats, which

Microsoft Allows Customers to Choose EU for Data Processing & Storage

Written by: Brett Lawrence, Esq. On May 6, 2021, Microsoft announced it will allow its commercial and public sector customers in the European Union (“EU”) to process and store all of their personal data in the EU. This implementation will be completed by the end of 2022 and is called the “EU Data Boundary for

EDPB Adopts Two Opinions on the Draft UK Adequacy Decisions

Written by: Brett Lawrence, Esq. On April 14, 2021, the European Data Protection Board (“EDPB”) announced it had adopted two opinions in support of the draft UK adequacy decisions. The opinions stem from the EDPB’s review of the European Commission’s draft adequacy decisions for the General Data Protection Regulation (“GDPR”) and the Law Enforcement Directive (“LED”).

The FTC Is Looking For Truth, Fairness, And Equity In The Use of Artificial Intelligence

Written by: Richard Sheinis, Esq. On April 19, 2021 the FTC issued what might be called guidance, but is more of a warning, regarding the use of artificial intelligence.  The FTC cautions against using AI in a way that produces discriminatory outcomes. The FTC states that in order to avoid bias and prejudice, the data

New York DFS Issues Cyber Insurance Risk Framework

Written by: Charles R. Langhorne IV, Esq. Back in March the New York Department of Financial Services (“NY DFS”) issued Circular Letter No. 2 (2021) providing guidance to insurers offering cyber insurance in New York. The guidance provides a framework that could very well become required of insurers at a later date. The guidance urges

Approved CCPA Regulations and Appointees to CPRA Privacy Protection Agency

Written by: Brett Lawrence, Esq. 1. CCPA Regulations Effective as of March 15, 2021, California’s Office of Administrative Law approved additional California Consumer Privacy Act (“CCPA”) regulations. The regulations provide the following: Offline Notification. Any business who sells personal information of a consumer that has been collected “offline” must provide proper consumer notification through an offline

French Supervisory Authority To Enforce Its Ad Tracker (“Cookie”) Guideline

Written by: Richard Sheinis, Esq. As of April 1, 2021, the French Supervisory Authority, Commision Nationale de l’Informatique et des libertes (“CNIL”) will enforce its cookie and ad tracker guidelines.  CNIL had previously announced it would give companies until March 31, 2021 to adjust their ad tracker and cookie practices to come into compliance. Most

Federal District Court Dismisses Walmart Data Breach Class Action

Written by: Brett Lawrence, Esq. On March 5, 2021, the Federal District Court for the Northern District of California granted Walmart’s motion to dismiss the plaintiff’s class action lawsuit for exposed customer personal data. This was one of the first major lawsuits alleging violations under the California Consumer Privacy Act (“CCPA”). We previously discussed this

Facebook Ordered to Pay $650 Million For Violation of Illinois’ Biometric Information Privacy Act

Written by: Richard Sheinis, Esq. The Biometric Information Privacy Act (“BIPA”) is an Illinois statute that prohibits the use of biometric identifiers or information without prior notification and written consent.   Facebook ran into trouble when a lawsuit was filed in 2015 alleging Facebook violated BIPA by tagging photos using facial recognition without their consent. Facebook

Brazil and EU Data Breach Notification Guidance

Written by: Brett Lawrence, Esq. Brazil and the European Union recently issued further guidance on the procedures for handling and reporting a data breach. While Brazil finally published guidance before the law is to take effect, the European Union (“EU”) issued contextualized guidance for the types of data breaches that controllers usually experience. Brazil Brazil’s data

Canada Industry Group Releases Digital Advertising Policies

Written by: Charles R. Langhorne, IV, Esq. In 2020, Canada announced that its legislature was planning to revamp the existing federal legislation (PIPEDA). The understanding is that it will lead to a more GDPR-esque framework of data privacy. The goal of these policies is to govern the direction of IAB Canada’s role in shaping the

Ecuador Data Privacy Law Debated in Congress

Written by: Brett Lawrence, Esq. Ecuador may soon be another country to enact general data privacy legislation. Introduced in September 2019, Ecuador’s Data Protection Bill (the “Bill”) nearly mirrors the European Union’s General Data Protection Regulation (“GDPR”). The Bill has 76 articles and 12 chapters; we summarize some of the fundamental provisions below. Jurisdictional Reach

5th Circuit Overturns $4.3 Million HIPAA Penalty

Written by: Brett Lawrence, Esq. On January 14, 2021, the United States Court of Appeals for the 5th Circuit overturned a $4.348 million fine issued by the Department of Health and Human Services (“HHS”) for alleged HIPAA violations against the University of Texas M.D. Anderson Cancer Center. Factual Background The case arose as a result

FTC Settles Two Data Privacy Allegations

Written by: Brett Lawrence, Esq. Last month, the Federal Trade Commission (“FTC”) settled two allegations against two companies surrounding the unfair and deceptive use of facial recognition software and disclosure of health data. Everalbum, Inc. The FTC alleged that Everalbum, Inc., a California-based developer of a photo app called “Ever,” deceived consumers about its use

States Introducing Privacy Legislation

Written by: Charles R. Langhorne IV, Esq. 2021 is off to a hot start with many states introducing private sector privacy legislation. In this article I will outline: Virginia Washington Oklahoma New York Minnesota Virginia Virginia seems to be on track to win the race for the quickest to pass a privacy law. The Consumer

What Is The Status Of Personal Data Transfers Between the EU and the UK?

Written by: Richard Sheinis, Esq. On December 24, 2020, the EU-UK Trade Cooperation Agreement was announced.  This Agreement contained an adequacy “bridge” so that the EU will treat the UK as an adequate jurisdiction for purposes of the protection of personal data for up to 6 months.  During this period, the EU is to assess

New York Proposes Biometric Privacy Law

Written by: Charles R. Langhorne IV, Esq. On January 6, 2021, New York legislators introduced the Biometric Privacy Act (“BPA”) to protect the rights of New York residents whose biometric information has been collected, used, or stored by a private entity. Not surprisingly, BPA does not apply to state or local government entities. BPA imposes

EU Council Releases Draft ePrivacy Regulation

Written by: Brett Lawrence, Esq. On January 5, 2021, the Council of the European Union released a new draft version of the ePrivacy Regulation. The draft regulation is intended to replace the current ePrivacy Directive since the European Commission approved the first draft ePrivacy Regulation back in January 2017. In fact, this new draft version

No Solution Yet For The Transfer of Personal Data from EU to the US

Written by: Richard Sheinis, Esq. The transatlantic transfer of personal data from the EU to the US is still a mess.  Since the EU Court of Justice struck down the EU-US Privacy Shield in July 2020, and called into question the validity of the EU’s standard contractual clauses, a solution to allow transfer of personal

Proposed Changes to HIPAA Privacy Rule

Written by: Sean Cox, Esq. On December 10, 2020, the Trump administration announced proposed changes to the HIPAA privacy rule. According to the announcement, the changes are intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” The most important changes relate to

Vodafone Fined €12.25 Million by Italian Data Protection Authority

Written by: Brett Lawrence, Esq. On November 12, 2020, Vodafone, the multinational telecommunications company, was fined €12.25 million by Garante, Italy’s data protection authority. The fine is the third largest ordered by the regulator. Garante’s investigation was prompted by hundreds of complaints of unwanted telephone calls by Vodafone promoting its services. The investigation unveiled an information

Facebook Fined $50,000 for Violating Russian Data Localization Law

Written by: Brett Lawrence, Esq. As of 2016, Russia requires all technology companies who collect and process the personal data of Russian citizens to store that data on servers located in Russia. Recently, Russian authorities discovered that Facebook was not complying with this law and subsequently levied a fine of 4 million ruble ($53,000) against the

Zoom Settles Alleged Unfair & Deceptive Practices with Federal Trade Commission

Written by: Charles R. Langhorne IV, Esq. In November, the U.S. Federal Trade Commission (the “FTC”) released a Consent Agreement outlining the terms of the settlement the FTC reached with Zoom communications regarding alleged unfair and deceptive practices. The Complaint by the FTC which led to the Consent Agreement, alleged that Zoom mislead users in 3

Turkey Places Data Localization Requirement on Social Network Providers

Written by: Brett Lawrence, Esq. Last December, we discussed India’s proposed Personal Data Protection Bill and the implications of its data localization requirement. It appears Turkey has now promulgated a similar requirement. Overview On July 29, 2020, Turkey’s legislature, the Turkish Grand National Assembly, approved the passing of Law No. 5651, an amendment to the country’s

European Lawsuit Accuses Uber of “Robo-Firing” Drivers

Written by: Richard Sheinis, Esq. A lawsuit has been filed with a court in the Netherlands challenging Uber’s alleged practice of using automated systems to identify fraudulent activity and terminate drivers based on that process, also known as “Robo-Firing”. This practice, which Uber denies, would potentially violate Article 22 of the GDPR.  Article 22 protects data

Amazon Subject of Illinois Biometric Information Privacy Act Lawsuit

Written by: Charles R. Langhorne IV, Esq. Recently three plaintiffs filed a class-action lawsuit alleging that Amazon violated Illinois’ Biometric Information Privacy Act (“BIPA”), by collecting and storing “voiceprints” without the users’ consent. Voiceprints Amazon has a software product called Amazon Connect that companies use to run call-centers. One company with whom Amazon has partnered Pindrop

California Privacy Rights Act Passed By California Voters

Written by: Rich Sheinis, Esq. and Brett Lawrence, Esq. The votes are in and California’s citizens have spoken, the California Privacy Rights Act (“CPRA”) is now law. Known as CCPA 2.0, CPRA increases the privacy obligations of businesses already subject to the requirements of California’s 2018 California Consumer Privacy Act (“CCPA”). Though not nearly discussed

U.S. National Privacy Legislation Introduced: The SAFE DATA Act

Written by: Richard Sheinis, Esq. Sen. Roger Wicker, R-Miss., along with three other Republican senators who are members of the Senate Commerce Committee, has introduced yet another national privacy legislation bill, known as the SAFE DATA Act. The full name of the bill is the “Setting an American Framework to Ensure Data Access, Transparency and

Facebook Appeals Order from Irish Data Protection Commission

Written by: Charles R. Langhorne IV, Esq. In August 2020, the Irish Data Protection Commission (the “DPC”) issued a preliminary order to Facebook requiring Facebook to suspend data transfers to the U.S. that involve personal data of EU residents. This is the DPC’s first action to enforce the Schrems II ruling issued by the Court

H&M Fined for GDPR Violation

Written by: Charles R. Langhorne IV, Esq. On October 1, 2020, the Data Protection Authority of Hamburg (“DPA”), announced a fine of €35.3 million ($41.3 million) against multinational retail company H&M. The fine is based on excessive monitoring of H&M employees in Germany in violation of GDPR. This is the second-largest fine a single company

California’s CPRA Is Appearing on Next Month’s Election Ballot

Written by Brett Lawrence, Esq.  Although the upcoming presidential election is currently dominating the political and media discourse, in the data privacy and security world, California’s 2020 ballot has been the recipient of much discussion. This is because the California Privacy Rights Act (“CPRA”) is on this year’s November ballot and can be potentially voted

Patient Death Attributed to Hospital Ransomware Attack

Written by: Richard Sheinis, Esq. German authorities are investigating the death of a patient following a ransomware attack on a hospital in Germany.  The unknown perpetrators potentially face charges of negligent manslaughter.  Last Friday, a patient in need of urgent medical care was re-routed from the Düsseldorf University Hospital, to a hospital more than 30

Is the European Hospitality Industry Ready for the Payment Services Directive 2?

Written by: Richard Sheinis, Esq. Many of you are probably asking what is the “Payment Services Directive 2 (PSD2)”, before worrying about being ready for it!  PSD2 is a Directive from the European Parliament (Directive (EU) 2015/2366) intended to modernize Europe’s payment services for the benefit of consumers and business, and to facilitate innovation, competition, and

Update In the Post-Schrems II Era and Guidance for the Use of Standard Contract Clauses

Written by: Richard Sheinis, Esq. It has been almost two (2) months since the EU Court of Justice struck down the EU-US Privacy Shield.  At the same time, while holding that the Standard Contract Clauses (“SCC”) in principle are still valid, the Court cautioned that SCC must still provide the level of protection guaranteed by the

Brazil’s LGPD To Take Effect In September

Written by: Charles R. Langhorne IV, Esq. In a wild turn of events over a few days at the end of August, Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”) will take effect on September 16, 2020, barring a presidential veto or another act of the Brazilian legislature. What is the LGPD? The LGPD is

CCPA Employee Carve Out Delayed Until 2022

Written by: Charles R. Langhorne IV, Esq. Businesses subject to the California Consumer Privacy Act (“CCPA”) can breathe a small sigh of relief. On August 30, 2020, the California Legislature passed AB 1281. AB 1281 extends the business-to-business and employee personal information carve outs until January 1, 2022. The bill is now headed to the Governor’s

2020 Biometric Data Update

Written by: Brett Lawrence, Esq. The utility of biometric data is more prevalent than it has ever been, primarily because developing technology has created a broad swath of convenient uses for it. It can help law enforcement authorities quickly target wanted individuals and also secure a business’ access to proprietary information. The best and most

Canada’s Supreme Court Addresses Genetic Data Privacy in Split Decision

Written by: Charles R. Langhorne IV, Esq. and Brock Wolf Last month, Canada’s Supreme Court upheld the constitutionality of provisions of its Genetic Non-discrimination Act (“GNDA”) with a 5-4 decision. In 2017, Canada’s federal government enacted the GNDA, establishing rules for businesses regarding genetic testing for diseases. Specifically, the GNDA prohibits requiring an individual to undergo

EDPB Issues FAQs After Schrems Decision

Written by: Charles R. Langhorne IV, Esq. and Brock Wolf Last month, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”). The decision not

Legislation Introduced to Put Limits on Use of Facial Recognition

Written by: Richard Sheinis, Esq. On August 4, 2020, yet more data privacy legislation was introduced by Senators Bernie Sanders and Jeff Merkley.  Titled “The National Biometric Information Privacy Act of 2020,”  this continues the trend of law makers introducing piecemeal, and frequently punitive, data privacy legislation rather than working on a single comprehensive data

Early CCPA Litigation is Underway as Walmart Faces Class Action Lawsuit

Written by: Brett Lawrence, Esq. and Brock Wolf Early last month, Walmart joined Minted Inc., Zoom, TikTok, and Salesforce.com to become the largest company targeted by a class action lawsuit following a data breach under the California Consumer Privacy Act (“CCPA”). On July 10, 2020, shortly after CCPA enforcement began on July 1, Lavarious Gardiner

EU High Court Invalidates EU-US Privacy Shield Framework

Written by: Brett Lawrence, Esq. On July 16, 2020, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”). The CJEU premised its decision invalidating

China Publishes Draft Data Security Law

Written by: Brett Lawrence, Esq. and Brock Wolf After deliberating a draft Data Security Law from June 28 to June 30, 2020, China’s Standing Committee of the National People’s Congress (“NPC”) published the draft law on July 2, 2020. The draft law calls for China to develop a “standard, interconnected and interactive, secure and controllable”

South Africa’s Data Privacy Law Is Now In Effect

Written by: Charles R. Langhorne IV, Esq. South Africa’s newest data privacy law, the Protection of Personal Information Act (“PoPIA”) is now in effect. There is a 12-month grace period, and enforcement will not begin until July 1, 2021. The PoPIA applies to businesses that process personal information in South Africa, whether or not they

Congress is All Talk And No Action When It Comes To Data Privacy

Written by: Richard Sheinis, Esq. In the last fifteen (15) months, no less than six (6) data privacy Bills have been introduced in the Senate.  Two of these Bills are specifically related to data collection and use in response to COVID-19.  This does not include the Data Accountability and Transparency Act of 2020, announced by

CPRA to Appear on California’s November 2020 Election Ballot

Written by: Brett Lawrence, Esq. As businesses continue to prepare for the enforcement of the California Consumer Privacy Act (“CCPA”), which will begin on July 1, 2020, new privacy legislation is already on the way. On June 24, 2020, the Office of the Secretary of State of California announced that the California Privacy Rights Act

Thailand Delays Data Protection Law Because of COVID-19

Written by: Richard Sheinis, Esq. Thailand’s Personal Data Protection Act was passed in May 2019, and was scheduled to go into effect May 27, 2020.  The Act is very similar to the European Union’s General Data Protection Regulation. Only a few days before the Act was to become effective, it was decided that 22 types

EDPB Issues Statement on Hungary’s Decree to Suspend Rights Bestowed to Data Subjects Under the GDPR

Written by: Brett Lawrence, Esq. On May 4, 2020, Hungary issued a governmental decree suspending the rights of data subjects under Articles 15 to 22 of the General Data Protection Regulation (“GDPR”) in an attempt to contain the spread of the COVID-19 pandemic. Such articles include giving individuals, whose personal data has been collected, the

Brazilian LGPD Effective and Enforcement Dates in Flux

Written by: Charles R. Langhorne IV, Esq. Brazil’s new data privacy law, the “LGPD,” was set to go into effect on August 15, 2020. The LGPD is based largely on the European Union’s GDPR. Due to the impact COVID-19 has had on businesses, the effective and enforcement dates have been delayed. Keeping track of the

Dutch Court Goes Too Far In Enforcing Privacy Regulation

Written by: Richard Sheinis, Esq. A Dutch court has ruled that a grandmother is violating the EU’s General Data Protection Regulation by posting photographs of her grandchildren on her social media account without the consent of the children’s parents. The court’s ruling arose from a complaint filed by the children’s mother, who wanted the photographs

Washington D.C. Amends Data Breach Notification Statute

Written by: Charles R. Langhorne IV, Esq. Washington D.C. amended its data breach notification statute at the end of March. The new law is set to take effect by June 13, 2020. This is the first update to the law since it was passed in 2007. Personal Information Defined Washington D.C. is following the national

HHS Reduces Enforcement of HIPAA Violations for COVID-19 Community Based Testing Sites

Written by: Brett Lawrence, Esq.  On April 14, 2020, The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced it will exercise further enforcement discretion in easing back penalties for failing to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The enforcement discretion has retroactive effect beginning

European Data Protection Board Calls Out Adtech Industry Over Cookie Consent Practices

Written by: Charles R. Langhorne, IV, Esq. As we continue to wait for the ePrivacy Regulation, the European Union is being left to govern cookie consent procedures on their own. Some individual member states are taking it upon themselves to issue guidance, while others sit back and wait. I wrote an article late last year outlining

CCPA 2.0 May Be On the November Ballot

Written by: Charles R. Langhorne, IV, Esq. The California Consumer Privacy Act (“CCPA”) is not set to be enforced until at least July, but just last week the group that spearheaded the CCPA ballot initiative in 2018 has submitted 900,000 signatures to put a new initiative, the California Privacy Rights Act (“CPRA”) on the November

European Data Protection Board Issues Guidelines On The Use of Location Data and Contact Tracing Tools In the Context of COVID-19

Written by: Richard Sheinis, Esq. Unlike the United States, where Senators are first introducing legislation to deal with the use of personal information in the context of COVID-19, the European Data Protection Board (“EDPB”) relies on established legislation to govern the use of location data and contact tracing tools.  (Hint: the U.S. needs to pass

Senators Introduce Bill to Protect Personal Data Amidst COVID-19

Written by: Richard Sheinis, Esq. On April 30, 2020, Republican Senators Wicker (MS), Thune (SD), Moran (KS) and Blackburn (TN), announced the introduction of the “COVID-19 Consumer Data Protection Act,” intended to protect health, geolocation and proximity data. These types of personal data are related to contact tracing, the process of identifying persons with whom

Are Countries Willing To Bend The Privacy Rules To Track COVID-19

Written by: Richard Sheinis, Esq. Many countries are using geolocation data from phones to track COVID-19.  Singapore, the United Kingdom and Israel have developed their own apps for tracking people’s movements.  In Europe, mobile phone companies such as Vodafone, have agreed to share location data. The European Data Protection Board has appointed a group of

New York’s S.H.I.E.L.D. Act Is Here

Written by: Charles R. Langhorne IV, Esq. The COVID-19 world that we are living in is has changed the perspective of many businesses from proactive to reactive. Businesses (rightly so) are concerned with making payroll so that their employees can continue to pay their mortgages as opposed to preparing the company for impending data privacy

Security Advice for Zoom Videoconferencing

Written by: Sean Cox, Esq. The COVID-19 pandemic and the widespread shelter in place orders have, temporarily at least, changed how humans interact. Luckily, there are more options today than ever before which allow many to maintain a modicum of normalcy. Companies, schools, churches, families, and friends have turned to video conferencing solutions to stay

California Attorney General Fiddles While Rome Burns

Written by: Richard Sheinis, Esq.  On March 17 a coalition of 35 advertising groups sent California Attorney General Xavier Becerra a letter calling for a delay in the enforcement of the California Consumer Privacy Act (“CCPA”) because of COVID-19.  Enforcement of the CCPA is currently scheduled to begin July 1.  The Attorney General’s office refused

HHS Releases Bulletin Waiving Certain Provisions of HIPAA

Written by: Chase Langhorne, Esq. The U.S. Department of Health and Human Services (“HHS”) released a bulletin this week waiving sanctions and penalties as of March 15, 2020 for non-compliance with certain provisions of HIPAA. The waiver centers around allowing people on the front lines to adequately handle and manage COVID-19 cases. Specifically, HHS is


Written by: Chase Langhorne, Esq. On February 21, 2020, Croatia released its proposal to attempt to move the ePrivacy Regulation across the finish line. The ePrivacy Regulation was proposed in 2017 with the main purpose of regulating personal data as it relates to internet cookies. The initial plan was for it to pass at the same

Egypt Passes Personal Data Protection Law

On February 24, 2020, Egypt’s Parliament passed the Personal Data Protection Law (“PDPL”). The law has many similarities to the European Union’s General Data Protection Regulation (“GDPR”). Scope The PDPL applies to Egyptian citizens and non-Egyptian citizens residing in Egypt. This is similar to GDPR, but slightly more limiting because GDPR applies to any person


Written by: Sean Cox, Esq. The California Consumer Privacy Act of 2018 (“CCPA”) officially went into effect on January 1, 2020. According to the California Attorney General, enforcement will begin on July 1, 2020. One of the most important provisions of the CCPA allows consumers to opt-out of the sale of their personal information. Among

We All Know About GDPR’s Right to Erasure, Does This Mean You Have to Delete Data From Backups As Well?

Written by: Richard Sheinis, Esq. In this business, we are all familiar with GDPR’s right to erasure (commonly called “the right to be forgotten”) granted by the GDPR.  The question that often comes up is when a data subject exercises their right to erasure, does the organization also have to erase the data subject’s personal

Brexit Is Here, so What Does That Mean for Data Privacy?

Written by: Richard Sheinis, Esq. Now that the UK has a withdrawal agreement with the EU, what will this mean for data privacy for personal data in the UK, as well as for personal data that is transferred between the UK and other countries.  UK’s Information Commissioner’s Office (“ICO”) has provided some answers.  For the

The Irish DPA Has Opened Investigations Into Google and Tinder

Written by: Chase Langhorne, Esq. Ireland’s Data Protection Commission (DPC) has opened two separate investigations into Google and Tinder, respectively, for GDPR violations. Google The investigation into Google centers around how Google treats location data collected from end users. “The Inquiry will set out to establish whether Google has a valid legal basis for processing

CA Attorney General Issues New Draft of CCPA Regulations

Written by: Richard Sheinis, Esq. On February 7, 2020 the California Attorney General published a “redline” version of the CCPA Regulations. These regulations are open for public comment until February 24, 2020. In the meantime, here are a few of the more important redline changes in the latest draft: The definition of household is clarified

Australia Finalizes Consumer Data Rights Rules

Written by: Chase Langhorne, Esq. On November 26, 2017 Australia introduced the consumer data right (CDR) which was designed to give consumers greater control over their personal data. Since that time, Australians have been waiting for the Australian Competition and Consumer Commission (ACCC) to issue rules governing exactly how a consumer will be able to

State Data Breach Notification Updates

Written by: Chase Langhorne, Esq. Starting on January 1, 2020 amendments to data breach notification statutes in Illinois, Oregon, and Texas take effect. Illinois The Personal Information Protection Act (“PIPA”) requires public and private entities that handle non-public personal information to notify affected Illinois residents following a data breach. An amendment now requires public and

Georgia Data Breach Class Action

Written by: Sean Cox, Esq. On December 23, 2019, in a case of first impression, a unanimous Georgia Supreme Court reversed the trial court and Court of Appeals in a putative data breach class action, holding that there were sufficient allegations of a legally cognizable injury to survive a motion to dismiss. The case arose out

New Rules in China to Prevent the Illegal Collection of Personal Information By Mobile Apps

Written by: Richard Sheinis, Esq. Over the past year, Chinese regulators have sought to crack down on the collection and use of personal data by mobile apps. New regulations published jointly by China’s Cyberspace Administration, Ministry of industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation, address the illegal collection

Doorstep Dispensaree Gets UK Fine for GDPR Violations

Written by: Richard Sheinis, Esq. Doorstep Dispensaree, a London-based pharmacy which supplies medicine to individuals and care homes, left approximately 500,000 documents in unlocked containers stored in a courtyard at one of its premises.  Documents contained personal data including names, addresses, dates of birth, medical and prescription information.  The documents were not secure, and the

The e-Privacy Regulation Strikes Out Again

Written by: Richard Sheinis, Esq. The e-Privacy Regulation, which was supposed to be a close cousin to the General Data Protection Regulation, was first proposed by the European Commission in January 2017.  However, here we are nearly 3 years later, and the latest draft of the e-Privacy Regulation was once again been rejected by the

Another Attempt at Federal Privacy Legislation

Written by: Richard Sheinis, Esq. In yet another attempt to pass federal privacy legislation, on November 26, U.S. Senator Maria Cantwell, D-Wash., introduced the Consumer Online Privacy Rights Act (“COPRA”).  COPRA would apply to information that identifies or is reasonably linked to an individual residing in the U.S. or a consumer device.  COPRA would generally

India’s Data Protection Law Takes a Step Forward

Written by: Chase Langhorne, Esq. In an ever-increasing data driven world, India’s proposed Personal Data Protection Bill (“PDPB”) took a step forward on December 4th when the Indian Prime Minister Narendra Modi approved the bill for tabling in parliament. The PDPB was first proposed in 2018 and is designed to protect the personal data of

Singapore Takes Next Steps Towards Updating Its Data Protection Law

Written by: Chase Langhorne, Esq. In May 2019 Singapore’s data protection authority, the Personal Data Protection Commission (“PDPC”) took steps to update its existing data protection legislation, the Personal Data Protection Act (2012). The PDPC issued a statement regarding their progress and introduced new data breach notification procedures that are expected to be a part

California DMV Sells Personal Information

Written by: Chase Langhorne, Esq. A recent public records request to the California DMV shows that the California DMV is selling personal information drivers provide to receive a driver’s license to private companies to the tune of roughly $50 million per year. The reasoning provided by a representative of the California DMV is that “[i]nformation

Cookies – The Need For Regulation

Written by: Chase Langhorne, Esq. While we await the completion of the ePrivacy Regulation, countries are taking matters into their own hands by both publishing guidance and issuing fines related to cookie consent mechanisms on websites. The existing ePrivacy Directive was published in 2009. Upon the passage of GDPR in 2018, an updated ePrivacy Regulation

EU Investigations into Microsoft

Written by: Chase Langhorne, Esq. On October 21, the European Data Protection Supervisor (“EDPS”) issued an update on its investigation that began in April 2019 into contracts between Microsoft and EU institutions. “EU institutions” are comprised of the following seven decision making bodies of the EU: the European Parliament, the European Council, the Council of

Fighting Fire With Fire: Legal And Ethical Issues of Active Defense and Hacking Back

Written by: Sean Cox, Esq. When a company is hacked, an immediate thought is sometimes whether they can hack back. The next question is then, “Can we do that?” Hacking back describes striking back at the cyber criminal by accessing, damaging, or breaching the criminal’s own system. The reasons for hacking back can be several:

Facial Recognition Technology and GDPR Compliance

Written by: Richard Sheinis, Esq. A soccer team in Denmark is using facial recognition technology to stop unruly fans, apparently with the approval of the Danish Data Protection Agency (“DDPA”).  The technology is used to scan fans as they enter the stadium.  The scans are then compared against a list of banned troublemakers to determine

Country of Georgia Hit by Massive Cyber Attack

Written by: Richard Sheinis, Esq. More than 2,000 websites, including court websites and the national TV station, were knocked out by a massive cyber attack in the country of Georgia.  A state sponsored political attack is suspected as many of the website home pages were replaced with an image of former President Mikheil Saakashvili and the

Singapore’s Privacy Watchdog Issues Two Fines

Written by: Richard Sheinis, Esq. Singapore’s Personal Data Protection Commission (“PDPC”) has assessed two large fines against companies for data breaches.  The telecommunications company, Tingtel, has been fined $25,000 for a data breach involving its My Singtel mobile app.  A problem in the design of the mobile app allowed My Singtel users to potentially access

U.S. Federal Legislation on Data Privacy Unlikely This Year

Written by: Richard Sheinis, Esq. With the California Consumer Privacy Act (“CCPA”) ready to go into effect in 2020, and other states lined up to follow with similar legislation, there has been a greater push for a federal privacy law.  Unless there is a federal privacy law that supersedes state law, businesses will be in

German Data Protection Authorities Releases a New Model to Calculate FDPR Fines

Written by: Richard Sheinis, Esq. German data protection authorities have published a new model for calculating fines under GDPR, which, is likely to lead to higher fines.  While this model is strictly being tested in Germany, since GDPR should be applied equally across the EU, it is possible that this model could be expanded to

The Court of Justice of the European Union Issues a Ruling on Cookie Consent Requirements

Written by: Rich Sheinis, Esq.  On October 1, 2019, the CJEU issued a ruling establishing that consent to use cookies cannot be validly obtained through a pre-checked box.  In this particular case, an online gaming company, Planet49 GmbH, had a lottery which required internet users to provide personal data.  The web page contained a pre-ticked

Ecuador Data Breach

Written by: Chase Langhorne, Esq. On September 16th the State Attorney General’s Office of Ecuador released a statement (Spanish) indicating that a privacy breach concerning the personal data of Ecuadorian citizens was being investigated. Specifically, servers belonging to Novaestrat, an Ecuadorian data analytics company. The breach was first discovered by the ethical-hacking group vpnMentor. Further

The Court of Justice of the European Union Issues a Ruling on the Right to be Forgotten

Written by: Chase Langhorne, Esq. On September 24 the Court of Justice of the European Union (CJEU) issued a landmark ruling on GDPR’s “right to be forgotten.” The case was brought by Google challenging an order, and subsequent fine, issued by the French Data Protection Authority (CNIL), over Google’s choice not to comply with CNIL’s


Written by: Richard Sheinis, Esq. The European Data Protection Board (“EDPB”) recently issued guidance on the use of video devices to process personal data. The guidelines are in draft form, and were open for public comment through September 9, 2019.  The final version of the guidelines is expected later this year. The use of video

Portugal’s GDPR Law is Now in Effect

Written by: Chase Langhorne, Esq. On August 8, Portugal’s long-awaited data protection law went into effect. The legislation was originally passed in June, but awaited Presidential signature and publication in the Official Journal. The official name of the legislation is known as “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” (English translation:


Written by: Richard Sheinis, Esq. The Data Protection Law, 2017, (“DPL”) introduces globally-recognized principles surrounding the use of personal information to the Cayman Islands.  Similar to the GDPR and other data privacy legislation, individuals will have several data access rights.  These rights include the right to be informed, the right to access their data, the

Ransomware on the Rise

Written by: Chase Langhorne, Esq.  Ransomware attacks are plaguing businesses all over the world and, unfortunately, show no signs of slowing down. The scenario goes something like this: you come into work, pour a cup of coffee, go to check your email and nothing seems to work. You cannot open your email, nor any files

EU Court of Justice Rules Using Facebook’s “Like” Button Creates a Joint Data Controller Relationship

Written by: Richard Sheinis, Esq. Fashion ID is an online retailer whose website used a plug-in to feature a Facebook “Like” button.  As a result of the plug-in, when a user lands on Fashion ID’s website, information about the user’s IP address and browser string is automatically transferred to Facebook.  This transfer of information occurs

Class Action Proceeds Against Facebook for Violation of Illinois Biometric Information Privacy Act (“BIPA”)

Written by: Richard Sheinis, Esq. The Ninth Circuit has ruled that a case against Facebook for violating the Illinois Biometric Information Privacy Act can proceed as a class action.  The lawsuit stems out of Facebook’s “Tag Suggestions” feature.  When a Facebook user enables the Tag Suggestions feature, Facebook uses facial recognition technology to analyze whether

German DPA Tackles Artificial Intelligence

Written by: Chase Langhorne, Esq. Artificial Intelligence (“AI”) devices can make everyday life easier. They can tell us the temperature outside, set a timer, and even order a pizza; but what is happening to all the data being collected by these devices? Think of everything an AI device hears in your living room while waiting

Arkansas’s New Breach Reporting Requirements Go Into Effect This Month

Written by: Anthony E. Stewart, Esq. Earlier this year, Arkansas Governor Asa Hutchinson signed HB 1943, which amends the Personal Information Protection Act.  It goes into effect on July 23, 2019.  The new law expands the definition of ‘personal information,’ imposes additional reporting obligations, and enacts specific retention requirements.  It continues to apply to any

Nevada’s New Privacy Law Goes Into Effect in October

Written by: Anthony E. Stewart, Esq. Does your business have a website?  If so, it will likely need to comply with yet another new online privacy law that goes into effect in a little over three short months.  Nevada recently passed SB220, which amends its existing online privacy law and provides Nevada residents the ability,

Maine Enacts Internet Privacy Legislation to Go Into Effect Next Year

Written by: Anthony E. Stewart, Esq. California and New York are not the only states making waves in the world of technology and privacy.  Earlier this month, Governor Janet Mills of Maine signed into law one of the nation’s strictest internet privacy protection bills – An Act To Protect the Privacy of Online Customer Information.

Why Businesses Throughout The Country Should Be Worried About New York’s SHIELD Act

Written by: Richard Sheinis, Esq. New York’s SHIELD Act has passed the New York Senate, and now awaits passage in the Assembly before it goes to the Governor to sign into law.  While the Act contains new rules regarding data breaches and data breach notification, businesses should be most concerned about the increased geographic coverage

India’s Controversial Personal Data Protection Bill, If Passed, Goes Into Effect in 2020

Written by: Anthony E. Stewart, Esq. India’s draft privacy law, Personal Data Protection Bill, 2018, is an important step as India moves toward a digital economy; however, it is one of the more controversial privacy laws amongst privacy experts.  Critics have accused India Prime Minister Narendra Modi’s Bharatiya Janata Party of creating a “surveillance state”

GDPR: A Year in Review and the Need for Clarity

As the first year of GDPR’s governance comes to a close, the hysteria has subsided, but the reality of the reach of GDPR is all the more real. Since its May 25, 2018 effective date European State Data Protection Authorities (“DPA”) have received more than 64,000 data breach notifications. Those 64,000 notifications have resulted in more

California Consumer Privacy Act of 2018

Written by: Chase Langhorne, Esq. It may come as a surprise, but only 11 states have constitutional provisions that contain an explicit right to privacy. Specifically, California voters amended their state constitution to include the right of privacy among the inalienable rights of all people in 1972. In 2018, the California legislature passed the  California

Scam Alert: Virtual Kidnappings Are on the Rise

Written by: Anthony E. Stewart, Esq. Your cell phone rings.  You look down, and to your delight, it’s your daughter.  She’s in college now and remembering to ‘give mom a call every once in a while’ seems to be an impossible task.  You quickly answer, and your delight immediately turns to terror: “We have your daughter,”

HIPAA Breaches Reported to HHS During the First Quarter of 2019

Atlanta attorney Anthony Stewart created this graphic that reflects the summary of the HIPAA breaches that were reported to the U.S. Department of Health and Human Services during the first quarter of 2019.

Pennsylvania Court Holds Employer Liable For Breach Of Employees’ Personal Information

Written by: Richard Sheinis, Esq. In a recent case, Dittman v. The University of Pittsburgh Medical Center, the Pennsylvania Supreme Court found that the Medical Center owed a duty to their employees to exercise reasonable care in collecting and storing their personal and financial information on its computer systems. Many other courts around the country have

Canada’s Breach Notification Rules Go Into Effect Nov. 1

Written by: Anthony E. Stewart, Esq. Any organization subject to Canada’s Personal Information Protection and Electronic Document Act (PIPEDA) will have new data breach notification rules to follow starting tomorrow. This change will affect businesses of all sizes and may affect U.S. companies that process Canadians’ personal information even if their operations are solely on the

Brazil’s General Data Privacy Law Goes Into Effect in 2020

Written by: Anthony E. Stewart, Esq. Brazil is one of the latest countries to implement comprehensive data privacy regulation. Brazilian President Michel Temer recently signed into law the General Law of Protection of Personal Data, which goes into effect in February, 2020. The new law imposes detailed rules for the collection, processing, and storage of personal data,

Dangerous Phishing Scam Targeting Employees’ Direct Payroll Deposits

Written by: Anthony E. Stewart, Esq. The Federal Bureau of Investigations (FBI) has issued a warning about a phishing scam that is targeting employees who receive their paychecks by direct deposit. Cybercriminals are targeting the online payroll accounts of employees around the country in a variety of industries, especially those in education, healthcare, and commercial aviation. Here’s how

HHS Issues Guidance on Disposing of Electronic Devices and Media with Personal Data

Written by: Anthony E. Stewart, Esq.  The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance for disposing of technology that contains sensitive information, such as financial or protected health information.  While the OCR’s intended audience is limited to covered entities and business associates subject to HIPAA, all organizations that store or

Georgia Court of Appeals Makes First Foray Into Standing in Data Breach Suits

Written by: Sean Cox, Esq. On June 26, 2017, the Georgia Court of Appeals issued an opinion in Collins, et al. v. Athens Orthopedic Clinic, A18A0296. This is the first Georgia appellate decision squarely addressing the issue of standing in a data breach case. Since the United States Supreme Court decision in Spokeo, Inc. v. Robins, 578 U.S. ___

OCR Issues Guidance on Software Vulnerabilities and Patching

Written by: Anthony E. Stewart, Esq. Last month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided guidance regarding software vulnerabilities and patching. In simple terms, a software vulnerability is a weakness, design or implementation error that can lead to an unexpected and undesirable event, compromising the security of a system. After a

Wave of “GDPR like” Data Privacy Legislation continues with California’s Sweeping New Data Privacy Law

Written by: Richard Sheinis, Esq. On June 28, 2018 California legislators enacted the California Consumer Privacy Act of 2018, granting new protections for consumers’ online data. The law does not take effect until January 1, 2020. It can still be amended by the California Legislature prior to that date, but don’t expect too much to change

GDPR Wave Hits the U.S.

Written by: Rich Sheinis, Esq. The wave of data protection that is the EU General Data Protection Regulation (“GDPR”) has hit the shores of the U.S. with states passing GDPR look-a-like legislation. All 50 states have data breach notification statutes, which require notification of affected individuals after a breach. The new trend, following the lead of GDPR, is

Dangerous Phishing Scam Targeting Employers This Tax Season

Written by: Anthony E. Stewart, Esq. The Internal Revenue Service (IRS) and state tax agencies are warning employers about one of the most dangerous phishing scams in the tax community. Cybercriminals are targeting organizations nationwide and tricking payroll personnel into disclosing the sensitive personal information of an organization’s entire workforce. Last year, more than 200 employers

North Carolina Introduces New Data Breach Legislation

Written by: Richard Sheinis, Esq. On January 8, 2018, North Carolina Attorney General Josh Stein, and State Representative Jason Saine, proposed new data breach legislation entitled, “Act to Strengthen Identity Theft Protections” to update the current North Carolina data breach law. This legislation is in response to the recent data breaches at Equifax and Uber, the

Cyber Attack Quick-Response Checklist for HIPAA Covered Entities

Written by: Anthony E. Stewart, Esq. Ransomware attacks, like other cyber-attacks, are occurring more and more frequently, and healthcare entities are common targets.  The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a quick-response checklist and infographic detailing steps a HIPAA covered entity or its business associate should take to respond to a cyber-related

PART 2: The European Union’s General Data Protection Regulation: Two Important Steps to Take

Featured on Hospitality Upgrade Magazine’s Tech Talk. Written by: Sam Crochet, Esq. In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May

The European Union’s General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

Featured on Hospitality Upgrade Magazine’s Tech Talk. Written by: Sam Crochet, Esq. US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage—such as security of one cloud processor versus another, and

Advice on Selecting a Data Protection Officer

Written by: Sean Cox, Esq. Having a single person responsible for a company’s data privacy and security has long been good business practice, but for many it will soon be a legal requirement. The GDPR requires that organizations under its auspices appoint a Data Protection Officer (“DPO”). These requirements apply to more than just companies located

4th Circuit Severely Limits Data Breach Lawsuits

Written by: Sean Cox, Esq. A recent decision from the Federal 4th Circuit Court of Appeals is likely to make it much harder for plaintiffs within its borders bringing lawsuits following a data breach. In Beck v. McDonald1), the 4th Circuit Court of Appeals held that allegations of enhanced risk of future identity theft following a data

Data Breach Plaintiffs Find New Ways Around Landmark Supreme Court Decision

Written by: Sam Crochet, Esq. In-house counsels are facing growing pressure to perform risk assessments and address internal policies to avoid data breaches for a new reason (as if they needed one). Data breach plaintiffs, depending on the state, may now find their cases welcome in state courts despite struggling to prove a clear “injury” in

Failure To Learn From Own Mistakes Leads To $3.2 Million HIPAA Penalty

Written by: Richard Sheinis, Esq. A mistake is nothing more than an opportunity to learn. Of course, you have to take advantage of that opportunity. Children’s Medical Center of Dallas failure to take that opportunity has led to a HIPAA civil monetary penalty of $3.2 million. In 2010, Children’s filed a report with OCR indicating the

FTC Fines VIZIO $2.2 Million For Collecting Viewer Data Without Consent

Written by: Richard Sheinis, Esq. Vizio, Inc., one of the world’s largest manufacturers of internet connected televisions has agreed to pay $2.2 million to settle charges by the Federal Trade Commission and the New Jersey Attorney General that it installed software on its TVs to collect viewing data on 11 million consumer TVs without the consumers’

OCR Gives Another Expensive Lesson in HIPAA Security Compliance

Written by: Richard Sheinis, Esq. The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico for potential non-compliance with the HIPAA Security Rule. MAPFRE filed a report with HHS stating a “pen drive” containing ePHI of 2,209 individuals

Medical Provider To Pay $475,000 For Failing To Timely Report The Loss Of PHI

Written by: Richard Sheinis, Esq. The importance of timely reporting breaches of Protected Health Information (“PHI”) is now underscored by the U.S. Department of Health and Human Services (“HHS”) first ever enforcement action against a medical provider for failing to timely report a breach. Presence Health, a health care network with approximately 150 locations, including hospitals,

Court Dismisses Shareholder Derivative Suit Over 2014 Home Depot Breach

Written by: Richard Sheinis, Esq. An Atlanta court has dismissed a shareholder derivative suit against Home Depot’s CEO and Board Chairman, Executive Vice-President and Chief Information Officer, and several members of the Board of Directors, arising from the 2014 breach which affected the credit card data of 56 million customers. The suit by Home Depot shareholders

UMass To Pay $650,000 For HIPAA Violations

Written by: Richard Sheinis, Esq. The University of Massachusetts Amherst is paying $650,000 to OCR to settle allegations of HIPAA violations that occurred in 2013. UMass neglected to designate their Center for Language, Speech and Hearing as a health care component (Oops!), and neglected to have the most basic electronic security in place, including a firewall.

Minnesota Pacemaker Manufacturer Faces Class Action for Cyberattack Risks

Written by: Sam Crochet, Esq. St. Jude Medical Inc., a producer of remote-access pacemakers and implantable defibrillators, is under intense scrutiny for what cybersecurity researchers have deemed a negligent risk of attack. A California patient has filed a federal class action suit alleging the manufacturer failed to provide adequate cybersecurity controls for its implants. St. Jude

Home Depot Gets Nailed with $7.5 Million in Legal Fees In Data Breach Class Action

Written by: Tiffany Winks, Esq. On Tuesday, August 23, 2016, a Federal Judge in Atlanta awarded a whopping $7.5 million in legal fees to consumers’ lawyers in a lawsuit against Home Depot for its 2014 data breach.  Not only did the Court award these substantial attorney’s fees, but it also tipped its hat to the lawyers

Court of Appeals Affirms Dismissal of Class Action Data Breach Case

Written by: Richard Sheinis, Esq. The Georgia Court of Appeals recently held the line against data breach cases when it affirmed the dismissal of a class action against the Georgia Department of Labor.1)  Thomas McConnell had filed a class action against the Georgia Department of Labor after a department employee sent a spreadsheet with the name, Social

Third Circuit Court of Appeals to Rule on Key “Standing” Issue in Data Breach Cases

Written by: Sam Crochet, Esq. Two class actions currently pending in the Third Circuit Court of Appeals, In re Horizon Healthcare Services Inc. Data Breach Litigation and Storm v. Paytime, will impact appellate courts’ future evaluations of “standing.” In Horizon Healthcare, the theft of laptops compromised the information of 839,000 individuals. The Plaintiffs alleged the imminent risk of harm from

Judge Dismisses Data Breach Class Action Against Wendy’s for Lack of Standing

Written by Sam Crochet, Esq. Last month, the defense community scored a victory in the ongoing debate as to when theft of an individual’s data becomes a concrete injury for purposes of establishing “standing” to sue. In Torres v. Wendy’s, the Florida Plaintiff filed a federal class action against the fast food chain following an early-2016 data

LabMD’s Win Over The FTC Is Short Lived

Written by: Richard Sheinis, Esq.  On July 29, 2016 the Federal Trade Commission issued an Opinion and final Order reversing the decision by an Administrative Law Judge (ALJ) that had dismissed FTC charges against medical testing laboratory LabMD, Inc.  The Commission concluded that LabMD’s data security practices were unreasonable and constituted an unfair trade practice that

EU-US Privacy Shield Self-Certification Starts Today

Written by: Richard Sheinis, Esq. Today, August 1, is the first day that the U.S. Department of Commerce is accepting self-certifications under the EU-US Privacy Shield.  The Privacy Shield, which essentially takes the place of the invalidated Safe Harbor, allows for the transfer of personal information from the EU to the U.S.  The self-certification process is

The “Internet of Things”: An Inconvenient Truth

Written by: Sam Crochet, Esq. Technology is developing at an explosive pace, which is creating endless opportunities for improvement industry-to-industry. For years we have remotely accessed information from our smartphones, but now we are on the front wave of remotely accessing physical devices themselves. Doctors have the capability of adjusting patients’ insulin pumps without the need

Medjacking, Part 2

Written by :  Richard Sheinis, Esq. Over the last several months I have written about the dangers of hacker’s compromising various types of internet connected medical devices used by hospitals, and other medical providers. TrapX Security has now issued Part 2 of their “Anatomy of Attack” series, addressing the hacking of medical devices (http://deceive.trapx.com/rs/929-JEW-675/images/AOA_Report_TrapX_MEDJACK.2.pdf?aliId=1419599). This is

HHS Issues Guidance On Ransomware And HIPAA

Written by: Richard Sheinis, Esq.  On Monday, July 11, HHS issued a “Fact Sheet” on ransomware and HIPAA. While we know that the frequency of ransomware attacks has gone through the roof, HHS brought us some sobering figures. Since early 2016 there have been 4,000 daily ransomware attacks reported in the U.S. This represents a 300%

Sixth Circuit Shuts Down End Run By Plaintiff Using A HIPAA Breach To Claim Violations Of The False Claims Act

Written by: Richard Sheinis, Esq. The Sixth Circuit Court of Appeals recently upheld a dismissal of a lawsuit in which a plaintiff tried to use the improper accessing of her protected health information (“PHI”) as a basis for a claim under the False Claims Act.  In Sheldon v. Kettering Health Network, 2016 U.S. App. LEXIS 4236 (2016),

4th Circuit Rules Insurer Must Defend Insured Against Class Action Data Breach

Written by: Tiffany Winks, Esq. On Monday, April 11, 2016, the 4th Circuit ruled in Travelers Insurance v. Portal Healthcare Solutions that Travelers had a duty to defend Portal in a class action related to Portal posting patients’ medical records on the internet. A class action lawsuit was filed against Portal alleging patients’ medical records were accessible on

Fourth Circuit To Decide If Commercial General Liability Policy Covers Internet Publication of Medical Records

Written by: Tiffany Winks, Esq. On March 24, 2015, the Fourth Circuit Court of Appeals heard oral arguments as to whether a Commercial General Liability insurance policy provides coverage for a data breach.  The case on appeal is Travelers Indemnity v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, (E.D. Va. 2014).  The District Court had

Tennessee Amends Breach Notification Statute

Written by: Richard Sheinis, Esq. Senate Bill 2005, amending Tennessee’s data breach notification law, was signed by the Governor on March 24, 2016. The new law is effective July 1, 2016. The main changes to the current law (Tennessee Code Annotated, Section 47-18-2107) are as follows: Notification of a data breach must be provided to affected

It Pays to be Ready: HIPAA Phase II Audits Underway Now

Written by: Patrick Powell, Esq. On March 21, 2016, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program.  Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR beginning the audit process. The Health Information Technology for Economic

If This Does Not Convince You Of The Importance Of HIPAA Compliance, Nothing Will

By: Richard Sheinis, Esq. Two medical providers recently paid large settlements to the Department of Health and Human Services’ Office for Civil Rights because of HIPAA violations. Both involved thefts of laptops, an issue I see with some regularity. In one case, The Feinstein Institute for Medical Research in Manhasset, L.I., a research arm for Northwell

New Bill To Strengthen Georgia’s Data Breach Notification Law Introduced In State Senate

Written by: Richard Sheinis, Esq. On January 20, 2016, the “Georgia Personal Data Security Act” was introduced in the State Senate. The current Georgia breach notification law is one of the weakest in the country. It only applies to “information brokers” and “data collectors” that maintain computerized personal information of individuals.  An “information broker”, such as

FDA Issues Draft Guidance for Postmarket Management of Cybersecurity in Medical Devices

Written by: Richard Sheinis, Esq. The FDA has issued this draft guidance to add to its other guidance documents on cybersecurity and medical devices, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, and “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. It is starting to feel like a Harry Potter series. The essence of

HHS Clarifies Patients’ Right To Health Data

Written by: Patrick Powell, Esq. Under HIPAA, patients have the right to access and obtain a copy of their health information from physicians, hospitals, and insurers.  However, recent reports have concluded individuals often face barriers to accessing their information, even from entities required under HIPAA to provide the data. Understanding HIPAA’s requirements regarding patients’ access to

Employee Theft Gives A Lesson In Data Security

Written by: Richard Sheinis, Esq. The Georgia Court of Appeals just issued an opinion in a case that provides a good lesson on the importance of protecting data against employee theft. In Lyman v. Cellchem Int’l, LLC,1 two former employees of Cellchem were accused of using a thumb drive to copy confidential computer files, including financial data

Preview of the New EU General Data Protection Regulation

Written by: Richard Sheinis, Esq. Last week I posted a short blog to let everyone know that a consolidated text of the new EU General Data Protection Regulation (“GDPR”) was released by the European Parliament, and the Council of the European Union.  Now it is time to give you a more in depth look at the

EU Provides A Look Into The New General Data Protection Regulation

Written by: Richard Sheinis,Esq. The European Parliament and Council have issued a consolidated text of the new General Data Protection Regulation (“GDPR”).  I will be reviewing the text and will provide a complete analysis in the coming days, but this article from the IAPP is a good initial look, https://iapp.org/news/a/gdpr-we-have-agreement/. Stay tuned for more analysis, and how

Warning of Another Medical Device Vulnerable to Hacking

Written by: Richard Sheinis, Esq. In a precursor of things to come, earlier this month the CERT Division of the Software Engineering institute based at Carnegie Melon University has warned that the Epiphany Cardio Server is vulnerable to hacking. The Cardio Server gathers medical data and diagnostic test results from different medical devices, and makes the

LabMD Defeats FTC

Written by: Richard Sheinis, Esq. In a surprising ruling, the FTC has taken a big hit to its self-appointed power to regulate the data security practices of every business in the country. On Friday, November 13, the FTC Chief Administrative Law Judge Michael Chappell dismissed the FTC’s complaint alleging that LabMD failed to provide reasonable and

Defending The Technology Based Medical Malpractice Case Of The Future

By: Richard Sheinis, Esq. The medical industry is taking advantage of wireless technology to change the very premise of how case has been provided for hundreds of years. Regardless of whether a doctor was performing bloodletting in the 1700’s or an appendectomy in 2000, the one constant was that the patient and doctor always had to

EU Court of Justice Declares the US Safe Harbor for the Transfer of Data to Be Invalid

Written by: Richard Sheinis, Esq. In a ruling that can have great ramifications for technology companies, and almost any U.S. company that does business in the EU, the EU Court of Justice has ruled that the Safe Harbor provisions, which for years has allowed companies to transfer personal data from the EU to the U.S., is

Obama and Chinese President Reach Agreement to Stop State Sponsored Hacking. Really?

Written by: Richard Sheinis, Esq. On Friday of last week, President Obama announced that he and Chinese President Xi Jinping reached a “common understanding” not to conduct or support state sponsored hacking. “We have agreed that neither the U.S. or Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property including trade secrets or

Hackers Use Syrian Refugee Crisis to Scam You

In a classic case of “social engineering” hackers are using the Syrian refugee crisis to scam people out of money and information. Whenever a humanitarian crises hits, hackers will set up fake websites, send phishing e-mails, and use social media such as Facebook to encourage people to donate money or see the latest news on

E-Mail Scam Tricking Businesses Into Wiring Funds to Hackers Grows 270%

This week the FBI said an e-mail scam that tricks businesses into wiring funds to hackers has increased 270% since the beginning of 2015. The FBI has named the scam “Business E-Mail Compromise” or “BEC”. The scam occurs when a hacker infiltrates the e-mail of a company executive. The hacker will then send an e-mail,

Third Circuit Rules in Favor of FTC Having Authority to Regulate Data Security

On August 24, in FTC v. Wyndham Worldwide Corp., the Third Circuit Court of Appeals found that the FTC had authority to regulate cyber security under the “unfairness” prong of Section 5 of the Federal Trade Practices Act. The background of the case is this: On three (3) occasions in 2008 and 2009 hackers successfully penetrated

Cyber Scam Gets Executive to Wire Funds to the Hackers

Ubiquiti Networks, Inc. was recently the victim of a cyber scam in which the thieves sent spoof communications to executives to trick them into wiring funds to the fraudsters to the tune of $46.7 million. Go to Krebs on Security, http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/, for a good historical perspective on this scam, but the way it works is this:

FDA Urges Hospitals to Discontinue Use of Hospira Infusion System Due to Cybersecurity Vulnerabilities

In a warning that is the first of its kind, on July 31, 2015, the FDA encouraged healthcare facilities to stop using the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm) The infusion system is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. It operates

Have the Flood Gates Been Opened for Cyber Breach Lawsuits?

Up until now, most lawsuits against retailers by customers whose personal information was stolen by hackers in a data breach, were dismissed by the courts in the early stages of litigation because the theft of personal information, such as credit card numbers, in and of itself was not considered a sufficient injury to confer “standing”

Cyber Cheating on Your Spouse Just Doesn’t Pay

When I was a kid, my mother would always tell me it doesn’t pay to sneak around because I would always get caught. Never has this advice rang so true as when I read about a website for married people seeking affairs that was hacked this week. (Karma?) Avid Life Media, which owns Toronto based

Medjacking. . . Hackers Hi-Jacking Medical Devices

In recent posts I have discussed the need for security to keep hackers from injecting malware into medical devices. Now, TrapX Laboratories has issued a paper on an attack vector called MEDJACK, or “Medical Device Hi-Jack” (http://trapx.com/solutions/industry-2/healthcare/). TrapX explains that medical devices are “key pivot points” on a healthcare network. They are the weakest link

Building Code for Medical Device Software Security

Earlier this month I published a Post on, “The Importance of Cyber Security in Telemedicine”, highlighting the importance of security for medical devices that can be hacked. Almost as if on cue, or more likely the result of lucky timing, on May 21, 2015, the IEEE Cybersecurity Initiative (www.cybersecurity.ieee.org) published, “Building Code for Medical Device Software

The Importance Of Cyber Security In Telemedicine

Telemedicine is coming to a hospital or medical office near you. What is telemedicine? Simply put, telemedicine is when the medical provider is in one location and the patient is in another. The medical professional uses telecommunication technology, often times via the internet, to provide medical care to the patient. Unfortunately, any time information travels

A Tool To Unlock Ransomware

As many of you know, ransomware is a malware that infects Windows systems and encrypts files to make them inaccessible and unusable. At the time of the infection, the hacker demands payment in exchange for the decryption key. Even if the ransom is paid, the decryption key is not always received. In a nice development,

The Real Reason The FTC Does Not Like The White House’s Consumer Privacy Bill

In January, President Obama announced that he would release a draft Consumer Privacy Bill intended to give consumers more control over how data about them is collected and used. The draft Bill was released on February 27, 2015, and already there is no shortage of critics, including the President’s own Federal Trade Commission. (http://wapo.st/192KVXA) The

President’s Big Data and Privacy Working Group Interim Report Is Troubling

In January 2014, President Obama appointed John Podesta, Counselor to the President, to lead a review of big data and privacy. On February 5, 2015, the Big Data and Privacy Working Group issued an interim report detailing their progress. Unfortunately, the report demonstrates the government cannot resist the temptation to put its clamps on progress

A Simple Lesson for Employers and Employees Courtesy of the Sony Data Breach

Many Sony executives are embarrassed, to say the least, by their e-mails, which have been made public as a result of their data breach. (http://variety.com/2014/biz/news/leaked-sony-emails-reveal-jokes-about-obama-and-race-1201376676/). I have preached to businesses for a long time that they should make it clear to employees that they do not have an expectation of privacy if they use a

The Inevitable Showdown to Control the Data from Your Fitness App

By now, most of us have heard about the health tracking capabilities of HealthKit, part of Apple’s latest iPhone operating system, iOS 8. HealthKit offers the ability of users to track and share personal health and medical data such as diet, exercise and activity. The Apple Watch will have a heart rate sensor, GPS, and

The Other Wyndham Hotel Case

Most of us are aware of the litigation between the FTC and Wyndham Hotels arising out of the data breaches experienced by Wyndham between 2008 and 2010, resulting in hackers stealing the personal information of over 600,000 customers. In a less publicized case arising out of these data breaches, Wyndham was sued by a shareholder


On October 2, 2014, the FDA issued Guidance identifying cyber security issues that manufacturers of medical devices should consider in the design and development of their medical devices, as well as in preparing pre-market submissions for the devices. The goal is to reduce the risk to patients by decreasing the likelihood that device functionality is


Assembly Bill 1710 has strengthened California’s original security breach notification law, first passed in 2003. The Bill expands the applicability of the law to any company that merely maintains personal information of a California resident. The existing law had only been applicable to companies that own or license personal information. Companies that maintain such personal


California Governor Jerry Brown has signed into law Senate Bill 1177, the Student Online Personal Information Protection Act (SOPIPA), restricting collection and marketing uses of K-12 student data. The Bill requires the operator of an internet website, online service or mobile application to implement and maintain reasonable security procedures and practices to protect the student

Yelp and TinyCo Settle FTC Charges of COPPA Violations

On September 17, 2014, the FTC announced the review site Yelp, Inc., and mobile app developer TinyCo, Inc., in separate enforcement actions agreed to settle charges that they each violated COPPA. Yelp agreed to pay a $450,000.00 penalty, and TinyCo agreed to pay $300,000.00. COPPA (Children’s Online Privacy Protection Act) requires companies that use the

Doing Business in Singapore?

In the event you collect any personal data while doing business in Singapore, the Personal Data Protection Act in Singapore requires that as of July 2, 2014, organizations collecting and handling personal data in Singapore must have a Data Protection Officer. The Data Protection Officer is responsible for responding to inquiries and complaints relating to

Verizon 2014 Data Breach Investigations Report Is Here

Verizon has released its latest Data Breach Investigations Report, and its 2014 edition is better than ever! Verizon studied 1,367 confirmed data breaches, and 63,437 security incidents in 95 countries. A breach is defined as an incident that results in the disclosure or potential exposure of data. An incident is a security event that compromises

Ponemon Institute Issues its Fourth Annual Study On Patient Privacy & Data Security

On March 13 the Ponemon Institute issued its Fourth Annual Study on patient privacy & data security. This study has come to be a respected and well received assessment of the privacy and security of patient information in health care. The study is based upon a survey of 91 health care providers of different sizes.


In technology years, the HIPAA Security Rule is a dinosaur. HIPAA was a brainchild of the  enacted in 1996, largely to address health care access, “portability”, and privacy. The final rule on security standards was issued in 2003, to specifically address the security of Electronic Protected Health Information (“PHI”). Where was the Internet and mobility

NIST Issues Standards for Critical Infrastructure Cyber Security

On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cyber Security”, which called for a set of industry standards and best practices to help organizations manage cyber security risk.  Pursuant to this Order, on February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the “Framework for Improving Critical

What Are You Doing With Your Old Data?

As businesses accumulate more and more data, the chances are that a lot of this data becomes old, inaccurate, inactive, stale, or just plain not needed.  The recent data breach at Adobe™ is a good lesson in why we should have specific procedures in place to delete data we no longer need.  Adobe has offered

North Carolina is the Latest State to Propose Barring Employers from Accessing Employee Social Media Accounts . . . and Why These Laws Can be Troublesome for Business

   The North Carolina House recently passed the Job and Education Privacy Act (House Bill 846), which would prohibit employers from requesting that an employee or job applicant grant access to their personal electronic account or social networking account.  The law would also prohibit employers from tracking an employee’s personal electronic communication device, such as


The 2013 Verizon Data Breach Investigation Report is now available.  As in past years, the Report provides useful information regarding trends in data breaches, and tips for protecting your company.  The following are highlights from the Report: 1. SOURCE OF INFORMATION FOR THE REPORT Verizon receives information from 19 global organizations, including law enforcement agencies,


In a tale of two courts, two federal courts have recently gone in opposite directions on the issue of class certification in data privacy and data breach lawsuits.  In In Re Hannaford Bros. Co. Customer Data Security Breach Litigation[1], the court refused to certify a class to pursue claims arising out of a data breach of


On February 12, 2013, President Obama, dissatisfied with Congress’ failure to pass legislation to protect the infrastructure that is critical to the Country’s operation, signed an Executive Order (EO) titled, “Improving Critical Infrastructure Cyber Security.”  The immediate questions that pop into the brain trust of many companies are, “Does this apply to us?” and “Do


A recent study by the Ponemon Institute revealed that employees are causing company’s to lose intellectual property (IP) with startling frequency. Perhaps the most troubling aspect of this behavior is the lack of knowledge of the companies that their IP is at risk. The study results, based on survey responses of 3,317 people in the

2012 Verizon Data Breach Investigative Report

Each year since 2004, Verizon has released a Data Breach Investigative Report.  The 2012 Report (based on 2011 data) is now available.  The Report, which contains a compilation and analysis of reported breaches, should be of interest to business owners, insurers, auditors, security experts, and others involved in this field.  This Special Edition of Data Protection