Arizona recently amended its breach notice law to change the regulator notification requirements. Starting this summer, depending on the scope of the incident, the Arizona Department of Homeland Security will need to be...
Indiana has made a minor amendment to its data breach notification law. Starting July 1, companies who are obligated to notify under the law must do so (to affected individuals and the Indiana Attorney General) without...
The New York State Attorney General’s finding that EyeMed Vision Care LLC had failed to protect customer data in violation of the NY SHIELD Act provides insights for companies on how to protect information. New York’s SHIELD...
The New York AG recently issued information about steps companies can take to protect against credential stuffing attacks, and how to handle them if they occur. The guidance makes up a majority of a larger AG report on...
Just as we thought 2022 was going to be significantly different than 2021, December 2021 and January 2022 events have thrown us for another (pandemic) loop. We anticipate that some of the privacy and cybersecurity...
1/12/2022 / Artificial Intelligence, Auto-Dialed Calls, Biometric Information, Biometric Information Privacy Act, California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), CAN-SPAM Act, CARU, CDPA, Consumer Privacy Rights, COPPA, Cross-Border Transactions, Cybersecurity, Data Breach, Data Privacy, Data Security, Employee Tracking, EU, FCC, Federal Trade Commission (FTC), Food and Drug Administration (FDA), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Identity Theft, Machine Learning, Mobile Privacy, Ransomware, SCOTUS, TCPA
Federal banking regulators issued a final rule that impacts how banks and other regulated entities report certain data incidents. Those subject to these new reporting requirements include U.S. banks and bank service...
The SEC’s enforcement action with a leading seller of market data (App Annie Inc.) signals its concern with misleading data use representations. While the data at issue was not “personally identifiable” information, but...
The FTC recently announced a final rule updating its GLBA Safeguards Rule to “strengthen the data security safeguards” of consumer financial information. The FTC reported that it was making these changes in response to...
California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of “personal information” genetic data. The...
10/18/2021 / Amended Legislation, Biometric Information, California, Data Breach, Data Privacy, Data Protection, Data Security, Digital Health, Healthcare, Personal Information, Privacy Laws
In the wake of increased ransomware attacks over the course of the last several months, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has updated guidance it released last year on potential...
10/5/2021 / Compliance, Cryptocurrency, Cyber Attacks, Cybersecurity, Data Breach, Data Security, New Guidance, Office of Foreign Assets Control (OFAC), Penalties, Popular, Ransomware, Sanctions, U.S. Treasury
The FTC recently settled with a surveillance app operator over allegations that the company facilitated the secret harvesting of personal information. According to the FTC, the main users of Support King, LLC’s “SpyFone” app...
The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading...
The Georgia Supreme Court recently concluded that Georgia’s equivalent of the CFAA should be viewed narrowly, similar to the US Supreme Court’s recent decision in Van Buren. In Kinslow v. State, the Georgia Supreme...
Texas’s data breach notification law was recently amended to require the state’s Attorney General to post notice of data breaches on a public website within 30 days of receiving notice of the data breach. It also requires...
MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over allegations of deception and lack of security. The now-defunct company not only allegedly marketed its service as a “one...
China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be open for public comments until...
5/14/2021 / Breach Notification Rule, China, Cross-Border, Cybersecurity, Data Breach, Data Localization Law, Data Privacy, Data Security, Data Transfers, General Data Protection Regulation (GDPR), Penalties, Personal Information, Popular, Proposed Regulation
The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release,...
Utah recently amended its breach notice law to provide certain defenses to companies who suffer a data breach. It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and...
Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer...
2/9/2021 / Civil Monetary Penalty, Data Breach, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HITECH Act, Hospitals, Reversal
A class action lawsuit filed against PayPal in connection with a breach it suffered in 2017 was dismissed recently because the plaintiffs did not adequately allege PayPal’s intent to deceive investors. The litigation began...
The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report represents the periodic audit that the...
The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys General to settle...
The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint,...
The travel giant Sabre Corp. has reached an agreement with multiple State Attorneys General to pay $2.4 million and make certain changes in its cybersecurity policies to settle a multi-state investigation into a 2017 data...
1/5/2021 / Credit Cards, Customers, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Data Security, Investigations, Online Marketplace, Online Payments, Online Platforms, Settlement, State Attorneys General
Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title...
9/24/2020 / Cybersecurity, Data Breach, Data Protection, Enforcement Actions, Financial Services Industry, First American Title Insurance Co., Internal Investigations, Non-Public Information, NYDFS, Popular, State Attorneys General