over-retention

New York hospitals have new cybersecurity requirements

By David Kessler (US), Susan Ross (US) & Remi Gambino (US) on October 23, 2024

On October 2, 2024, the New York State Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law. Although most of the regulation will…

New York Department of Financial Services addresses cybersecurity risks from artificial intelligence

By David Kessler (US), Susan Ross (US), Kelly Atherton (US) & Gerar Mazarakis (US) on October 17, 2024

On October 16, 2024, the New York Department of Financial Services (“NYDFS” or “DFS”) issued guidance raising awareness about combatting cybersecurity risks arising from artificial intelligence (“AI”) used by DFS licensees, such as insurers and virtual currency businesses. Risks revolve…

Two FTC complaints that over-retention of personal data violates Section 5

By Susan Ross (US) & David Kessler (US) on February 13, 2024

On January 18, 2024, the U.S. Federal Trade Commission announced a complaint and proposed consent order with InMarket Media, LLC, a digital marketing platform and data aggregator. Less than two weeks later, on February 1, the FTC announced a complaint…

$8 million penalty to NYDFS – and another case of over-retention

By Susan Ross (US) & David Kessler (US) on January 18, 2024

2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services announced a consent order with GGT, where GGT agreed to pay NYDFS $8 million and to…

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) & Susan Ross (US) on October 24, 2022

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed…

Another fine for over-retention of data

By David Kessler (US) & Susan Ross (US) on April 7, 2022

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New York Attorney General in January of 2022, which we described here. And the third is the U.S. Federal Trade Commission, which issued a proposed consent with the current and former owners of CafePress on March 15.

Over-retention of personal data

By David Kessler (US), Marcus Evans (UK) & Susan Ross (US) on September 23, 2021

The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.” Perhaps the CNIL’s €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view.

The matter…

Data Protection Report