Posted in Biometrics, Employee PrivacyA lawsuit against US Cold Storage under the Biometric Information Privacy Act was recently dismissed because, the court held, the violations of the law were merely technical. As a result, the plaintiff did not have sufficient standing. This decision echoes the other cases we have reported on recently. Continue Reading
2018 saw two new members of APEC’s Cross Border Privacy Rules (CBPR) system: Australia and Chinese Taipei. They join the US, Mexico, Canada, Japan, South Korea and Singapore. As we have reported on previously, the CBPR system is meant to help companies transfer information between participating countries. In the coming months, Australia’s Attorney General plans to work with businesses to implement the system. The Chinese Development Council also plans to work with China’s ministries and departments to boost discussions about privacy protection with other countries. The system has often been compared to other cross-border schemes, including the Privacy Shield (see our update to that program). Companies join by completing self-assessments and participating with an “accountability agent” (in the US, there is only one approved accountability agent). Continue Reading
Posted in EU Privacy, FTC, Privacy ShieldOver the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce. Continue Reading
Posted in CCPA, Consumer PrivacyIn support of the California AG’s work towards drafting regulations under the California Consumer Privacy Act, a series of public forums are being held throughout California. The AG has invited the public to participate and provide comments either at, before or after the events, the first of which was held this week (January 8, in San Francisco). The next events are to be held January 14 (San Diego), January 24 (Riverside), January 25 (Los Angeles), February 5 (Sacramento), and February 13 (Fresno). As a reminder, as we have reported on in the past, the AG has until July 1, 2020 to adopt regulations. Continue Reading
Posted in Data SecurityIt is common for individuals to see the “padlock icon” on their browser bar when visiting a website, and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019) many companies are taking extra steps to train employees about steps they can take to protect themselves – and their organizations. Here’s one to pass along to the team. Continue Reading
Posted in California Privacy, CCPA, Consumer PrivacyEveryone who has been paying attention to privacy news knows that January 1, 2020 is the implementation date of the California Consumer Protection Act, and July 1, 2020 is the current deadline for enforcement to begin. July 2020 is also the current deadline for the California AG to implement regulations under CCPA. Read more about the law in our blog post from last year. What should companies do over the coming months to get ready for what looks like a sweeping new set of requirements? Two big ones: keep a 12 month look-back of data processing activities and take stock of what you collect and how you use it. Over the coming months you will also want to look at how you might handle rights requests, and take the CCPA into account for your 2019 and 2020 budgeting. This graphic can help you communicate the importance of CCPA to internal stakeholders. Continue Reading
Posted in Cybersecurity, Data Protection, Data SecurityThe U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors, the Government is becoming less reluctant to interfere in the private market in favor of warning American companies of the cybersecurity dangers out there. Continue Reading
Posted in Data Breach, Data SecurityOn January 1, 2019 Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers must keep a record of “data broker breaches” and annually tell this information to the state. Brokers will need to provide this as part of a new annual registration process. The registration also requires data brokers to explain how they let individuals opt-out of having information collected, stored or sold. Finally, data brokers also have to develop and maintain a comprehensive information security program. Continue Reading
Posted in Data Breach, Healthcare PrivacyA Florida staffing agency which provides physicians to hospitals and nursing homes, has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party billing company without having a business associate agreement in place. Specifically, patient names, date of births and social security numbers were provided to the billing company. The settlement followed a data breach at the billing company. Namely, the PHI was exposed on the billing company’s website. Continue Reading
Posted in Data Breach, Data SecurityIn another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is going into effect on January 1, 2019. South Carolina joins others states, including Connecticut and New York, to have breach notice requirements for insurance companies. The law will be a supplement to the requirements that financial companies, including insurance companies, already face under Gramm-Leach-Bliley Act. Continue Reading
