Ding Dong the CCPA Private Right of Action is (Mostly) Dead!

Rachel Tarko HudsonCraig CardonSnehal DesaiLiisa ThomasBy Rachel Tarko Hudson, Craig Cardon, Snehal Desai and Liisa Thomas on Posted in CCPA

Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in the Senate Appropriations Committee during a hearing held yesterday. While the act as originally drafted only provided for Attorney General enforcement (except for one section addressing data security breaches), SB 561 added a private right of action as well as statutory damages for any violation of the act. This amendment clearly would have significantly increased the risks of any failure to comply with CCPA, no matter how small. But remember the words of Miracle Max – “There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.” So while it is possible that another amendment could be introduced at a later date, for now at least, the act will likely remain as drafted with enforcement coming only from the AG’s office, except in data breaches. Continue Reading

New Jersey Breach Notice Law Expands To Cover Online Account Breaches

Elfin NoceLiisa ThomasKari RollinsBy Elfin Noce, Liisa Thomas and Kari Rollins on Posted in Data Breach, Data Security

New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019. Continue Reading

HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

Matthew ShatzkesBy Susan Ingargiola and Matthew Shatzkes on Posted in Healthcare Privacy

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed. Continue Reading

Utah Requires Law Enforcement Search Warrants

Elfin NoceBy Elfin Noce on Posted in Consumer Privacy, Data Security

Effective this week, law enforcement in Utah will need a search warrant to obtain for certain electronic records. The new state legislation looks to expand privacy protections for content that consumers store online. Generally, the third-party doctrine limits the protection this type of information receives under Fourth Amendment protections against unreasonable searches and seizures. The rationale being that individuals have already voluntarily disclosed this information to the service provider and, thus, have no reasonable expectation of privacy in that information. This new law seeks to chip away at the third-party doctrine, as consumers are putting more and more of their personal information online in the hands of service providers with the expectation that the information to stay private. What this means in practice is that state and local law enforcement in Utah will need to meet a greater burden of proof to access this content. Continue Reading

HHS Announces First HIPAA Breach Settlement of 2019; 300,000 Patients Affected

Matthew ShatzkesBy Matthew Shatzkes and Susan Ingargiola on Posted in Healthcare Privacy

On May 6, 2019, the U.S. Department of Health and Human Services announced that Touchstone Medical Imaging will pay $3 million to settle potential HIPAA violations associated with a breach that exposed more than 300,000 patients’ Protected Health Information. The breach occurred in May 2014. One of Touchstone’s servers allowed uncontrolled access to patients’ PHI. As a result, Touchstone patients’ PHI was visible on the Internet. During its investigation, HHS determined that Touchstone did not thoroughly investigate the breach until several months after it was informed of the breach by law enforcement. HHS also found that the company did not conduct an accurate analysis of potential risks to the confidentiality of its PHI and did not have business associate agreements in place with its vendors. Continue Reading

North Dakota Data Misuse Law Amended

Liisa ThomasBy Liisa Thomas on Posted in Data Security

North Dakota criminal law currently contains penalties for misusing the personal information of another. That law has been expanded, and beginning August 1, 2019, it is a class B felony to use a skimmer or scanning device to try get information from a payment card, credit card, or state ID without the permission of the authorized card holder. Also changing August 1 are more elements in the definition of personal information. Namely, payment card information, biometric data, and other “numbers, documents or information that can be used to access another person’s financial records.” Existing elements in the law included social security numbers, employee ID, mother’s maiden name, and the like. Continue Reading

Washington’s Breach Law Amended, Effective March 2020

Liisa ThomasBy Liisa Thomas on Posted in Data Breach

Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) with this element in its law. Also included are name and student and military ID number, passport number; name and health insurance numbers or medical information; and name and biometric information. Also included in the definition of personal information are now login credentials. Continue Reading

CFTC Allows Certain Dealers and Merchants to Avoid Annual Privacy Notice

Liisa ThomasBy Liisa Thomas on Posted in Uncategorized

Beginning May 28, 2019 certain dealers and merchants will be able to avoid sending out an annual privacy notice, under a revision the Commodity Futures Trading Commission has made to its GLB privacy regulations. Under GLB, financial institutions must send customers annual privacy notices. The law applies to futures commission merchants, commodities trading advisors, commodity pool operators, and introducing brokers through regulations enforced by the CFTC. The CFTC, unlike other regulators that enforce GLB, had not prior to this amendment permitted regulated entities to avoid an annual notice. Other regulators had done so, pursuant to a 2015 amendment to GLB, in certain proscribed circumstances. Continue Reading

EDPB Seeks Comment On Online Services Guidance

Liisa ThomasBy Liisa Thomas on Posted in EU Privacy, GDPR

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal basis that exists under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis. Continue Reading

UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

Liisa ThomasBy Liisa Thomas on Posted in Behavioral Advertising, Children's Privacy, EU Privacy, Online Privacy

The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree