September 2016

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential damages.

The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply  with the new set of HIPAA Omnibus rules.  The OCR has made clear that it is not focused merely on large institutions or hospital systems.  In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA.  Also within the OCR’s sights are Business Associates, as the Omnibus rule empowered the OCR to directly investigate and enforce Business Associates’ compliance with HIPAA’s requirements that the Omnibus rule extended to these entities.

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks likely to change soon.