Florida has become the latest state to enact a comprehensive privacy law this year when SB 262 was signed by Governor DeSantis last week. It combines some new, and some familiar, provisions. It has also passed a child privacy law, similar to parts of California’s Age Appropriate Design Act, going into effect July 1, 2024.
The digital health sector has been rapidly growing, and the demand is not expected to diminish. Those in the industry will want to keep in mind some key legal concerns in the coming year, which we outline in this recent article. Privacy and cybersecurity features among these, and include more than just HIPAA concerns. There is an ever-growing patchwork of state and federal privacy laws that are being applied to the industry. At the same time, cyber threat actors are finding ways to attack even the most prepared companies in the digital health space.
Continue Reading Digital Health Trends and Privacy: What to Watch in 2022
Federal banking regulators issued a final rule that impacts how banks and other regulated entities report certain data incidents. Those subject to these new reporting requirements include U.S. banks and bank service providers. The rule is effective April 1, 2022, and covered entities are expected to comply with the final rule by May 1, 2022. The new requirements reflect ongoing concern to identify and stop computer security incidents before they become systemic.
Continue Reading Beginning in May 2022 Banks Will Have 36 Hours to Disclose Certain Types of Cyber Incidents
Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks. Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity.
Continue Reading OCR Urges Private Sector to Beef Up Ransomware Protections
For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations
How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue
For American companies who do business in Europe or who process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:
- access any personal data that has been collected,
- obtain confirmation about whether an individual’s data is being processed, and
- require that the data be “erased” if the consumer withdraws consent.
Much has been written about the challenges and issues that companies will face when implementing new policies and adjusting to the obligations of the new European General Data Protection Regulation, GDPR in short. The following paragraphs will give you the gist of the new Regulation and the essential elements that you must take into consideration in your endeavors to adjust to the GDPR, which will take effect across the EU as of May 25, 2018. There is enough time for your organization to adjust, but work must start now. Our key approach in implementing new obligations and making the necessary adjustments to this new European framework for personal data collection and processing is based on two simple rules: simplicity and efficiency.
Continue Reading What You Really Need To Know About The GDPR
Last Thursday, in a vote split along party lines, the Federal Communications Commission (“FCC”) approved a new regulatory regime staking its claim to privacy regulation of both fixed and mobile Internet service providers (“ISPs”) like Comcast, Verizon, and AT&T. The FCC’s rules follow its decision in the Open Internet Order, released last year and analyzed here, to classify broadband Internet access service as a common-carrier telecommunications service. The FCC’s new rules are intended to give consumers control over the ways in which ISPs use and share their customers’ private information. While the FCC has yet to release its Report and Order, the FCC’s Fact Sheet and statements by the commissioners indicate that the new privacy rules in many respects track the proposed rules the FCC put forward earlier this year, which seek to make the FCC the “toughest” privacy regulator in the Internet ecosystem by imposing on ISPs significantly more onerous and restrictive requirements for use and collection of consumer data than the Federal Trade Commission (“FTC”) imposes on its non-ISP competitors.
Continue Reading FCC Issues New Privacy Rules for Internet Service Providers: Safeguarding Consumers or Lulling Them Into A False Sense of Privacy?
In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, providing guidance on the “injury-in-fact” aspect of the constitutional standing requirement for putative class action plaintiffs. 136 S. Ct. 1540 (2016), as revised (May 24, 2016). Spokeo was quickly hailed by both plaintiff- and defense-side lawyers as a major victory, but in truth provided something for everyone. It requires, for example, that a plaintiff allege “a concrete injury even in the context of a statutory violation . . .” and not merely a “bare procedural violation, divorced from any concrete harm.” Id. at 1543, 1549. Further, a “concrete” injury must “actually exist” and be “real, and not abstract.” Id. at 1548. On the other hand, a “concrete” injury is not “necessarily synonymous with ‘tangible.’” Id. at 1549. Ways to determine whether “intangible” harm qualifies as “concrete” include: (1) evaluating whether the alleged harm “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit” and (2) looking to the judgment of Congress which “has the power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.” Id.…
Continue Reading Update on Data Breach and Data Privacy Class Actions Post-Spokeo
1. Illinois and Texas recently enacted laws regulating the collection and use of biometric information (e., information based on an individual’s biometric identifiers, such as iris scans, fingerprints, voiceprints, or facial geometry) and a number of other states, including New York and California, are considering adopting such statutes. The Illinois Biometric Information Privacy Act (“BIPA”) permits private rights of action and provides for statutory damages ranging from $1,000 to $5,000 per violation. The Texas analog, entitled Capture or Use of Biometric Identifier (“CUBI”), is enforceable only by the state attorney general and permits civil penalties up to $25,000 per violation.
Continue Reading Six Things You Need to Know Before Collecting Biometric Information
On April 6, 2016, National Telecommunications and Information Administration (NTIA) issued a federal notice to request public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT). (RFC at http://www.ntia.doc.gov/files/ntia/publications/fr_rfc_iot_04062016.pdf).
Comments are due on May 23, 2016.…