Governments state that they use commercial spyware exclusively for criminal investigations, but critics claim such spyware has purportedly been used for human rights abuses targeting journalists, human rights defenders, lawyers, and political dissidents. Moreover, the U.S. Government and its employees have been allegedly targeted by such spyware. To set an example for governments globally—both authoritarian … Continue reading
We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category. Also unlike the previous matter, … Continue reading
On February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA. (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17 2023).) … Continue reading
On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading
Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1. Colorado issued a revised draft … Continue reading
On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading
HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading
On November 9, 2022, the New York Department of Financial Services (NYDFS) officially proposed changes to its cybersecurity regulation and opened a 60-day public comment period. NYDFS had issued a “pre-proposed” version of the changes in July of this year, which we had summarized here. NYDFS retained many of those earlier proposed changes, and made … Continue reading
On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as “Daixin Team,” is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data … Continue reading
On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading
On 7 October 2022, the US White House published the Executive Order on enhancing safeguards for United States signals intelligence activities. This action is the first part of the US legal apparatus required for the EU Commission to find certain transfers to the US to be adequate. It is also likely in due course to … Continue reading
On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”). The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading
On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “preposed” copy of the changes, there is … Continue reading
On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements. Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading
On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading
On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading
A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading
On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading
On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading
On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage. New York’s new law (SB 2628) goes into effect on May 7, 2022. New York joins Connecticut and Delaware, whose laws are already in effect. Unfortunately for … Continue reading
On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading
You may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised … Continue reading
The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.” Perhaps the CNIL’s €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view. The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an … Continue reading