Elfin Noce

Elfin Noce is an associate in the Intellectual Property Practice Group in the firm's Washington, D.C. office. He also is a member of the Privacy and Cybersecurity Team.

Contact:

A Wake-Up Call for Data Privacy in the Telecom Sector

By Elfin Noce, Drew Svor & Ethan Lamb on June 24, 2024

Posted in Communications Privacy, US Privacy

The FCC continues to take a more active role in privacy with its enforcement of the customer propriety network information (“CPNI”) regulations. Recently, the FCC released Forfeiture Orders against the three largest mobile network operators for failing to safeguard CPNI. As we wrote about in our sister blog, violating FCC CPNI rules came with the cost of $57.3 million, $46.9 million, $12.2 million, and $80.1 million in fines to AT&T, Verizon, Sprint, and T-Mobile respectively.Continue Reading A Wake-Up Call for Data Privacy in the Telecom Sector

Don’t Forget Deception: FTC and Biometrics

By Liisa Thomas, Elfin Noce & Michael Sutton on June 13, 2023

Posted in Biometrics, FTC, Tracking, US Privacy

With the ongoing BIPA litigation activity in Illinois surrounding collection of biometrics, it can be easy to forget that other issues might surround this practice. Last month the FTC reminded companies not to forget general privacy and data security concerns. Concerns as most know, it enforces under Section 5 of the FTC Act (which prohibits deception and unfairness).Continue Reading Don’t Forget Deception: FTC and Biometrics

EyeMed Data Breach Multistate Settlement

By Liisa Thomas & Elfin Noce on May 18, 2023

Posted in Data Breach, Data Security, Florida Privacy, New Jersey Privacy, US Privacy

EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania around a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals. As we previously reported, EyeMed entered into settlement with NYDFS over this breach in October of 2022. Continue Reading EyeMed Data Breach Multistate Settlement

White House Releases Guidance on AI

By Elfin Noce on November 10, 2022

Posted in Artificial Intelligence, Tracking, US Privacy

The White House recently released its Blueprint for an AI Bill of Rights in an effort to guide the discussion on the design, use and deployment of AI in systems that impact the American public. The Blueprint outlines the following five guiding principles:Continue Reading White House Releases Guidance on AI

NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry

By Elfin Noce on November 1, 2022

Posted in Data Breach, Data Security, Financial Privacy, New York Privacy

In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry

Implications of SEC’s Scrutiny of Data Use Representations

By Liisa Thomas, Kari Rollins, Sarah Aberg & Elfin Noce on November 16, 2021

Posted in SEC, US Privacy

The SEC’s enforcement action with a leading seller of market data (App Annie Inc.) signals its concern with misleading data use representations. While the data at issue was not “personally identifiable” information, but instead corporate confidential information, the SEC’s concerns mirrored those that we have previously seen from that agency, as well as others, regarding representations made about personal information.
Continue Reading Implications of SEC’s Scrutiny of Data Use Representations

Connecticut Enacts New Cybersecurity Safe Harbor

By Elfin Noce on July 22, 2021

Posted in Data Breach, Data Security

Connecticut recently enacted cybersecurity legislation that provides a safe harbor for businesses that implement a written cybersecurity program. Under the legislation, set to go in effect on October 1, 2021, punitive damages will not be assessed on a business that has suffered a data breach, in the event that there are causes of action alleging a failure to implement reasonable cybersecurity controls, which failure resulted in the breach.
Continue Reading Connecticut Enacts New Cybersecurity Safe Harbor

NYDFS Issues Supply Chain Management Guidance

By Liisa Thomas, Kari Rollins & Elfin Noce on May 25, 2021

Posted in Cybersecurity, Data Security, New York Privacy

NYDFS Issues Supply Chain Management Guidance

The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in their software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:
Continue Reading NYDFS Issues Supply Chain Management Guidance

What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

By Elfin Noce, Liisa Thomas & Susan Ingargiola on February 8, 2021

Posted in Data Breach, Data Security, Digital Health, FTC, Healthcare Privacy

Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.
Continue Reading What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

FTC Settles Over Alleged Failure to Manage Service Providers

By Elfin Noce & Liisa Thomas on January 7, 2021

Posted in Data Breach, Data Security, FTC

The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China. Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:
Continue Reading FTC Settles Over Alleged Failure to Manage Service Providers

FTC Settles with Travel Services Provider Over Security Issues

By Liisa Thomas & Elfin Noce on December 28, 2020

Posted in Data Security, FTC, US Privacy

Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally, and has signed up -according to the FTC- thousands of consumers. During the sign-up process individuals provided the company with sensitive health information.
Continue Reading FTC Settles with Travel Services Provider Over Security Issues

Eye On Privacy