Susan Ross (US)

Subscribe to all posts by Susan Ross (US)

Biden restricts U.S. government use of commercial spyware

By Steve Roosa (US), Susan Ross (US), Daniel Rosenzweig (US) and Gerar Mazarakis (US) on April 20, 2023 Posted in General

Governments state that they use commercial spyware exclusively for criminal investigations, but critics claim such spyware has purportedly been used for human rights abuses targeting journalists, human rights defenders, lawyers, and political dissidents. Moreover, the U.S. Government and its employees have been allegedly targeted by such spyware. To set an example for governments globally—both authoritarian … Continue reading

Privacy law is becoming more technically sophisticated. So should you.

By Steve Roosa (US), Daniel Rosenzweig (US) and Susan Ross (US) on March 22, 2023 Posted in Compliance and risk management, Privacy law

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.… Continue reading

FTC proposed consent order prohibits perpetual retention of personal information

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on March 21, 2023 Posted in General

We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category. Also unlike the previous matter, … Continue reading

BIPA damages accrue per transaction

By Anna Rudawski (US) and Susan Ross (US) on March 1, 2023 Posted in BIPA

On February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA. (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17 2023).) … Continue reading

“Forever and forever, farewell”: FTC prohibits indefinite retention of PHI in consent order

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on February 15, 2023 Posted in General

On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading

ICYMI – Late December in privacy and cybersecurity

By David Kessler (US) and Susan Ross (US) on January 30, 2023 Posted in Cybersecurity, Privacy law

Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1. Colorado issued a revised draft … Continue reading

BIPA and the record retention requirement

By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on December 6, 2022 Posted in BIPA

On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on December 5, 2022 Posted in Compliance and risk management

HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

By Dan Pepper (US) and Susan Ross (US) on November 14, 2022 Posted in Cybersecurity

On November 9, 2022, the New York Department of Financial Services (NYDFS) officially proposed changes to its cybersecurity regulation and opened a 60-day public comment period. NYDFS had issued a “pre-proposed” version of the changes in July of this year, which we had summarized here. NYDFS retained many of those earlier proposed changes, and made … Continue reading

Ignoring cyber threats can affect your job—and haunt your next one

By Susan Ross (US) on November 3, 2022 Posted in Cybersecurity

On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as “Daixin Team,” is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data … Continue reading

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) and Susan Ross (US) on October 24, 2022 Posted in Cybersecurity, Data breach

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading

First part of EU/ US Transatlantic Data Protection Framework published today

By Marcus Evans (UK), Lara White (UK) and Susan Ross (US) on October 7, 2022 Posted in Data Transfer

On 7 October 2022, the US White House published the Executive Order on enhancing safeguards for United States signals intelligence activities. This action is the first part of the US legal apparatus required for the EU Commission to find certain transfers to the US to be adequate. It is also likely in due course to … Continue reading

California Age-Appropriate Design Code Act

By David Kessler (US), Susan Ross (US) and Daniel Rosenzweig (US) on September 23, 2022 Posted in Privacy law

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”). The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

By Dan Pepper (US), Susan Ross (US) and Patrick Burke (US) on August 11, 2022 Posted in Cybersecurity

On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “preposed” copy of the changes, there is … Continue reading

More New York SHIELD Act guidance

By David Kessler (US) and Susan Ross (US) on July 12, 2022 Posted in Cybersecurity

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements. Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Apply the law where breached servers are located?

By David Kessler (US) and Susan Ross (US) on July 8, 2022 Posted in Data breach

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading

New PCI DSS v4.0 – Flexibility added

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 16, 2022 Posted in Cybersecurity

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Another fine for over-retention of data

By David Kessler (US) and Susan Ross (US) on April 7, 2022 Posted in Compliance and risk management

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading

New York SHIELD Act $600,000 settlement

By David Kessler (US) and Susan Ross (US) on February 8, 2022 Posted in Cybersecurity

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

By David Kessler (US), David Kitchen (US), Tim Byrne (US) and Susan Ross (US) on November 23, 2021 Posted in Data breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Notice of employer electronic monitoring

By David Kessler (US), Susan Ross (US) and Laura Hunt (US) on November 17, 2021 Posted in Privacy law

On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage. New York’s new law (SB 2628) goes into effect on May 7, 2022. New York joins Connecticut and Delaware, whose laws are already in effect. Unfortunately for … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading

What dogs can teach companies about privacy and security

By David Kessler (US) and Susan Ross (US) on September 28, 2021 Posted in Cybersecurity

You may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised … Continue reading