On February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with the Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA. (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17, 2023).) … Continue reading
Over a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission. Following suit, a few months ago, OCR announced guidance of its own that expanded the class of … Continue reading
On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading
HHS: Online trackers without prior authorization and BAAs can violate HIPAA. By Steve Roosa, Sue Ross, Dan Rosenzweig. On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “Bulletin”). In the … Continue reading
2022 has been a record year for Illinois Biometric Information Privacy Act (“BIPA”) litigation. Since its enactment in 2008, BIPA has been one of the most litigated privacy-related laws with some of the highest penalties. However, it wasn’t until last month that the first BIPA jury verdict was ever rendered. The award, a whopping $228 … Continue reading
It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading
On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading
On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification expectations, but in a blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”), proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading
On February 17, 2022, the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA). The big news is that the Board … Continue reading
Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information. It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading
On December 9, 2021, a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading
On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading
Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that will be of interest to anyone involved in medical research as the new bill would ease some … Continue reading
Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for the US. US companies are likely to bear the brunt of this decision. First, because … Continue reading
On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA). The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press … Continue reading
In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”). Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill … Continue reading
In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading
This is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the … Continue reading
Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with … Continue reading
This is a Data Protection Report post in a series of blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts. On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”), a sweeping, GDPR-like privacy law which is intended to give … Continue reading
On June 22, 2018, the US Supreme Court issued a 5-4 decision in Carpenter v. United States, holding that the federal government needs a warrant to access cellphone location records. In the decision, the Court agreed that there should be a higher standard for accessing location records due to their intrusive nature.… Continue reading