Once Again…California Sets the Tone for U.S. Data Privacy

Just when you thought you’d heard enough of newly enacted data privacy and security laws (“GDPR” ring a bell?), there’s more news on that front.

The California legislature recently passed The California Consumer Privacy Act of 2018 (CCPA). According to a report by the International Association of Privacy Professionals, CCPA will affect over 500,000 U.S. businesses. And that’s a conservative estimate.

Undoubtedly, CCPA’s enactment was influenced by the EU’s General Data Protection Regulation (GDPR) and recent high-profile events such as the Facebook-Cambridge Analytica scandal (Cambridge Analytica is even mentioned by name in CCPA’s text). As California has done in the past, the Golden State is forging new legislative ground: CCPA is the most consumer-friendly online privacy law in the U.S.

Continue Reading

Data Breach Damages Need Only Be a “Trifle”

What sort of damages must be pleaded to survive a motion to dismiss in a data breach class action?

Recently, the Court of Appeals for the Seventh Circuit in Dieffenbach v. Barnes & Noble answered that question. In short, the court held that at the pleadings stage, damages may be just a “trifle.”

The case arose when Barnes & Noble experienced a data breach that resulted from the compromise of its point of sale system in 63 of its company stores. The data thieves acquired customers’ names, credit card numbers, expiration dates, and PIN numbers. Two Barnes & Noble customers brought a data breach class action, alleging they suffered damages arising from the data breach, specifically: (1) paying for credit-monitoring services; (2) the lost time value of their money; and (3) their own time and inconvenience in resolving problems with their financial accounts resulting from the data breach. Continue Reading

GDPR Enforcement Day is Here!

Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union’s (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the “personal data” of EU residents by mandating standards for processing, using, and storing that data. Many organizations do not realize the full magnitude of what the GDPR requires, and non-compliance can cost organizations dearly. However, we are here to help.

Continue Reading

“So, don’t ask me no questions and I won’t tell you no lies:” Physician Receives Criminal Conviction for HIPAA Violations and Obstructing a Criminal Health Care Investigation  

On April 30, 2018 a Massachusetts physician was convicted by a federal jury for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and obstructing a criminal health care investigation after impermissibly disclosing protected health information and lying to federal agents during a criminal health care investigation. Continue Reading

Data Privacy and Security 2018 First Quarter Update

We have already provided you with the update on Health Information Technology, Privacy and Security 2018 First Quarter Update but we did not want the non-health care entities to feel left out! As such, we have assembled a few other noteworthy events in the data privacy and security world from the first quarter of 2018. Continue Reading

Health Information Technology, Privacy and Security 2018 First Quarter Update

Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018. Continue Reading

One Is the Loneliest Number: Alabama Becomes the Final State to Pass Data Breach Notification Law

On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws.

Under Senate Bill 318, any person or business entity, including government entities, who handle electronically stored “sensitive personally identifying information” regarding Alabama residents must comply with the new data breach notification law. The law is effective on June 1, 2018 (which is, incidentally, one month before the South Dakota law goes into effect). Continue Reading

South Dakota Officially the 49th State to Pass Data Breach Notification Law

On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state has followed suit. Up until this point, the lone stragglers were South Dakota and Alabama (more on Alabama below). Continue Reading

Proposed Federal Cybersecurity Rules

Stockmarket Group-Person with Pen-700_440The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities. The Proposed Rules address five key areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.  Continue Reading

OCR Will Increase Focus on Smaller Breaches

Abstract code background

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting less than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or more individuals. Continue Reading

LexBlog