On August 21, 2017, the United States Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action arising from the Scottrade data breach. Notably, however, the Eighth Circuit did not agree with the trial court’s ruling that the plaintiff lacked Article III standing, instead dismissing the case with prejudice for failure to state a claim. … Continue Reading
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network to pay a record 280 million dollars in civil penalties for violations of the FTC’s Telemarketing Sales Rule, the Telephone Consumer Protection Act and state law.… Continue Reading
On May 12, 2017, a massive ransomware attack, known as “WannaCry,” began affecting tens of thousands of computer systems in over 100 countries. These types of incidents can have significant legal implications for affected entities and industries for whom data access and continuity is critical. As affected entities work to understand and respond to the threat of ransomware, we address some of the key legal considerations.… Continue Reading
On May 11, 2017, President Trump signed an executive order that seeks to improve the federal government’s cybersecurity posture and better protect the nation’s critical infrastructure from cyber attacks.… Continue Reading
On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative consumer class action against Michaels Stores, Inc. for lack of Article III standing.… Continue Reading
On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced that it had entered into a resolution agreement with CardioNet, Inc., stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information.… Continue Reading
On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Metro Community Provider Network that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information. … Continue Reading
On April 3, 2017, President Trump signed a bill which nullifies the Broadband Consumer Privacy Rules promulgated by the FCC in October 2016 . … Continue Reading
On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., agreed to pay 500,000 dollars to settle allegations that it violated the terms of a 2012 consent order that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.… Continue Reading
On March 1, 2017, the Federal Communications Commission, under the new leadership of Chairman Ajit Pai, voted 2-1 to issue a temporary stay of the data security obligations of the FCC’s Broadband Consumer Privacy Rules, which were to go into effect March 2, 2017. The temporary stay will remain in place until the FCC is able to act on pending petitions for reconsideration. … Continue Reading
On February 22, 2017, the Federal Trade Commission announced that it had reached settlement agreements with three U.S. companies charged with deceiving consumers about their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system.… Continue Reading
On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey agreed to pay 1.1 million dollars as part of a settlement with the New Jersey Division of Consumer Affairs regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders. … Continue Reading
On February 16, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Memorial Healthcare System that emphasized the importance of audit controls in preventing breaches of protected health information. The 5.5 million dollar settlement with Memorial is the fourth enforcement action taken by OCR in 2017, and matches the largest civil monetary ever imposed against a single covered entity.… Continue Reading
On January 25, 2017, President Trump issued an Executive Order entitled "Enhancing Public Safety in the Interior of the United States." This blog entry provides highlights on the Executive Order.… Continue Reading
On January 18, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico relating to a breach of protected health information contained on a portable storage device. This is the second enforcement action taken by OCR in 2017, following the action taken against Presence Health earlier this month for failing to make timely breach notifications.… Continue Reading
On January 18, 2017, the Department of Homeland Security issued an updated National Cyber Incident Response Plan as directed by the Presidential Policy Directive 41, issued this past summer, and the National Cybersecurity Protection Act of 2014. … Continue Reading
On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act to require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers.… Continue Reading
On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.… Continue Reading
Last month, the Federal Energy Regulatory Commission published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information. The CEII Regulations are intended to implement new authority granted to FERC by the Fixing America’s Surface Transportation Act, which became law in December 2015.… Continue Reading
On January 3, 2017, the Office of Management and Budget issued a memorandum advising federal agencies on how to prepare for and respond to a breach of personally identifiable information.… Continue Reading
Recently, the U.S. Department of Treasury’s Financial Crimes Enforcement Network issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime.… Continue Reading
The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives’ Committee on Energy and Commerce (“Energy and Commerce Committee”).… Continue Reading
On October 27, 2016, the Federal Communications Commission announced the adoption of rules that require broadband Internet Service Providers to take steps to protect consumer privacy. … Continue Reading
Earlier this month, the Department of Health and Human Services’ Office for Civil Rights issued guidance for HIPAA-covered entities that use cloud computing services involving electronic protected health information. … Continue Reading
