The New York Department of Financial Service recently clarified security incident notification requirements and the use of multi-factor authentication. On its FAQ page, the NYDFS added two new questions and answers for...more
The use of apps, wearables, and other devices used to track health and wellness data have continued to rise. The FTC again signaled its focus on this growing industry in a statement on the scope of the Health Breach...more
9/21/2021
/ Breach Notification Rule ,
Data Privacy ,
Digital Health ,
Digital Privacy Act ,
Enforcement ,
Federal Trade Commission (FTC) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
Mobile Health Apps ,
Personally Identifiable Information ,
PHI
The California AG recently reminded companies in the healthcare industry of potential data breach notification obligations beyond HIPAA. As ransomware attacks continue to rise, particularly in healthcare, companies should...more
As discussed in our sister blog, CARU’s revised Ad Guidelines go into effect on January 1, 2022. While the core principles of the guidelines have not changed, they now include new content to account for today’s advertising...more
8/27/2021
/ Advertising ,
CARU ,
COPPA ,
Federal Trade Commission (FTC) ,
Mobile Apps ,
Online Gaming ,
Online Safety for Children ,
Parental Consent ,
Personally Identifiable Information ,
Privacy Policy ,
Social Media ,
Terms of Service
The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading...more
In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are...more
Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect July 1, 2023. This is six months after Virginia’s law (CDPA) and California’s...more
7/14/2021
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Consumer Privacy Rights ,
Data Protection ,
Data Security ,
Enforcement ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
General Data Protection Regulation (GDPR) ,
Liability ,
New Legislation ,
Privacy Laws ,
State and Local Government
New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may...more
Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new...more
6/17/2021
/ Cross-Border ,
Data Security ,
Data Transfers ,
EU ,
EU-US Privacy Shield ,
European Economic Area (EEA) ,
FISA ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Schrems I & Schrems II ,
Standard Contractual Clauses
Nevada’s governor recently approved an amendment to their privacy law. As we covered previously, generally, this law affords consumers a right to opt out of the “sale” of their data to third parties. The amendment broadens...more
6/15/2021
/ Consumer Privacy Rights ,
Corporate Counsel ,
Data Brokers ,
Data Buyers ,
Data Privacy ,
Data Selling ,
Nevada ,
New Amendments ,
Opt-Outs ,
Privacy Laws ,
State and Local Government ,
Third-Party
The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person...more
Recently, the National Institute of Standards and Technology (NIST) requested comments to its Resource Guide for implementing the HIPAA Security Rule. (i.e., SP 800-66). This Guide, first released in 2008, summarizes the...more
China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be open for public comments until...more
5/14/2021
/ Breach Notification Rule ,
China ,
Cross-Border ,
Cybersecurity ,
Data Breach ,
Data Localization Law ,
Data Privacy ,
Data Security ,
Data Transfers ,
General Data Protection Regulation (GDPR) ,
Penalties ,
Personal Information ,
Popular ,
Proposed Regulation
Maine and North Dakota recently adopted the National Association of Insurance Commissioners (NAIC) data security model law. They join at least 11 others states who have already adopted the model law. The model law applies to...more
Utah recently amended its breach notice law to provide certain defenses to companies who suffer a data breach. It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and...more
Artificial intelligence continues to remain a focus in 2021, as we predicted at the start of the year. From the FTC, to the EU, to others, regulators of all kinds are paying attention to companies’ use of these tools. In the...more
4/6/2021
/ Artificial Intelligence ,
Business Strategies ,
Cybersecurity ,
Data Privacy ,
Data Security ,
FDIC ,
Federal Trade Commission (FTC) ,
Government Agencies ,
Popular ,
Public Comment ,
Regulatory Requirements
Utah recently signed into law SB 227, creating the Genetic Information Privacy Act (GIPA). The law, which is anticipated to go into effect in May 2021, is aimed at protecting genetic data collected from direct-to-consumer...more
4/2/2021
/ Consent ,
Consumer Privacy Rights ,
Data Protection ,
Data Use Policies ,
Direct to Consumer Sales ,
Disclosure Requirements ,
DNA ,
Federal Trade Commission (FTC) ,
Food and Drug Administration (FDA) ,
Genetic Materials ,
Genetic Testing ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Life Sciences ,
New Legislation ,
Notice Requirements ,
Privacy Laws ,
State and Local Government
Utah’s governor recently signed into law SB 227, creating the Genetic Information Privacy Act (GIPA). The law, which is anticipated to go into effect in May, is aimed at protecting genetic data collected from...more
3/30/2021
/ Consent ,
Consumer Privacy Rights ,
Consumer Protection Laws ,
Data Security ,
Data Use Policies ,
Enforcement Actions ,
Generic ,
Healthcare ,
Notice Requirements ,
Personal Information ,
Privacy Laws ,
Section 5 ,
State and Local Government ,
State Privacy Laws
On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here). The changes are...more
Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s...more
3/9/2021
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
CDPA ,
Consumer Privacy Rights ,
Data Privacy ,
Enforcement Actions ,
Exemptions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Penalties ,
Personal Information ,
Privacy Laws ,
Virginia
Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s...more
Many digital health app developers offering health and wellness solutions directly to consumers may find themselves in a space unregulated by the Health Insurance Portability and Accountability Act (“HIPAA”). While...more
The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health...more
At the beginning of February, the US Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) appointed Professor Kevin Fu as the first ever Acting Director of Medical Device Cybersecurity. Fu’s...more
Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for...more
2/1/2021
/ Cybersecurity ,
Data Breach ,
Data Management ,
Data Protection ,
Employee Training ,
Employer Liability Issues ,
EU ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Notification Requirements ,
Policies and Procedures