On July 25, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced the release of an updated web tool that highlights recent data breaches of health information. … Continue Reading
On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for eight purposes. … Continue Reading
On July 5, 2017, the FTC announced that Blue Global Media, LLC agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure.… Continue Reading
On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record 115 million dollar settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers. … Continue Reading
As companies in the EU and the U.S. prepare for the application of the EU General Data Protection Regulation in May 2018, Hunton & Williams’ Global Privacy and Cybersecurity partner Aaron Simpson discusses the key, significant changes from the EU Directive that companies must comply with before next year. This blog entry contains a link to the full 30-minute webinar. … Continue Reading
On June 21, 2017, the Federal Trade Commission updated its guidance for complying with the Children’s Online Privacy Protection Act. The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online.… Continue Reading
The U.S. Department of Health and Human Services' Office for Civil Rights and the Health Care Industry Cybersecurity Task Force have published important materials addressing cybersecurity in the health care industry. This blog entry provides highlights on these materials.… Continue Reading
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network to pay a record 280 million dollars in civil penalties for violations of the FTC’s Telemarketing Sales Rule, the Telephone Consumer Protection Act and state law.… Continue Reading
On June 2, 2017, in preparation for the first annual review of the EU-U.S. Privacy Shield framework, the European Commission has sent questionnaires to trade associations and other groups to seek information from their Privacy Shield-certified members on the experiences of such organizations during the first year of the Privacy Shield.… Continue Reading
On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.… Continue Reading
Recently, the Colorado Division of Securities published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.… Continue Reading
On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information.… Continue Reading
On May 10, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a 2.4 million dollar civil monetary penalty against Memorial Hermann Health System for alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. … Continue Reading
On May 12, 2017, a massive ransomware attack, known as “WannaCry,” began affecting tens of thousands of computer systems in over 100 countries. These types of incidents can have significant legal implications for affected entities and industries for whom data access and continuity is critical. As affected entities work to understand and respond to the threat of ransomware, we address some of the key legal considerations.… Continue Reading
On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced that it had entered into a resolution agreement with CardioNet, Inc., stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information.… Continue Reading
Earlier this month, the New York State Department of Financial Services published FAQs and key dates for its cybersecurity regulation for financial institutions that became effective on March 1, 2017.… Continue Reading
On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Metro Community Provider Network that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information. … Continue Reading
On April 6, 2017, New York Attorney General Eric T. Schneiderman announced that privacy compliance company TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. According to Attorney General Schneiderman, the enforcement action taken by the NY AG is the first to target a privacy compliance company over children’s privacy.… Continue Reading
On April 12, 2017, the Centre for Information Policy Leadership at Hunton & Williams LLP issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms which sets forth recommendations concerning the implementation of the EU GDPR’s provisions on the development and use of certification mechanisms.… Continue Reading
On April 4, 2017, the Article 29 Working Party adopted its draft Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. The Guidelines aim to clarify when a data protection impact assessment is required under the EU GDPR.… Continue Reading
On April 4, 2017, the Article 29 Working Party adopted an Opinion on the Proposed Regulation of the European Commission for the ePrivacy Regulation. The Proposed ePrivacy Regulation is intended to replace the ePrivacy Directive and to increase harmonization of ePrivacy rules in the EU. … Continue Reading
Haim Ravia and Dotan Hammer of Pearl Cohen Zedek Latzer Baratz recently published an article outlining Israel’s new Protection of Privacy Regulations, passed by the Knesset on March 21, 2017. The Regulations will impose mandatory comprehensive data security and breach notification requirements on anyone who owns, manages or maintains a database containing personal data in Israel.… Continue Reading
On March 7, 2017, Hunton & Williams LLP hosted a webinar with Beijing partner Bing Maisog on China’s new Cybersecurity Law. China’s new Cybersecurity Law will impose new restrictions on information flows from operators of key information infrastructure, and will become effective in June 2017.… Continue Reading
On March 17, 2017, retailer Neiman Marcus agreed to pay 1.6 million dollars as part of a proposed settlement to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.… Continue Reading
