On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA. Continue reading
The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.
We set out below four key points that you should know about this new Bill. Continue reading
Illegal robocalls are a “scourge.” So says FCC Chairman Ajit Pai, and most consumers likely agree. Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls. The FCC issued a report and order in November 2017 authorizing telecommunications providers to block certain types of calls considered “highly likely to be illegitimate.” In late January 2018, the FTC responded with a staff letter expressing support for the FCC’s efforts and offering suggestions for addressing erroneously blocked calls. Continue reading
February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of the DFS, which include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity. Continue reading
Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted.
From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals. Previously, notification of data breaches was optional. Continue reading
On 29 December 2017 the Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification（GB/T 35273-2017）(the “Specification”), which will come into effect on 1 May 2018. Continue reading
This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations. Continue reading
A new state law places California businesses on the front line in responding to federal immigration enforcement actions. Effective January 1, 2018, AB 450 requires California employers to protect employees and their private information from warrantless “workplace raids” and I-9 form demands, and to warn employees who become targets of an immigration investigation. Continue reading
The National Defense Authorization Act of 2018 (NDAA), signed into law in December 2017, did not only authorize United States defense spending for the 2018 fiscal year – it also contained a section devoted to unmanned aerial systems. Continue reading
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation. Continue reading