On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face substantial penalties for failure to disclose information upon governmental request. In addition, the law bans internet users in Vietnam from organizing people for anti-state purposes and imposes broad restrictions on using speech to distort the country’s history or achievements. As reported in BNA Privacy Law Watch, the law will take effect on January 1, 2019.

The Department of Health and Human Services (“HHS”) recently published two advance notices of proposed rulemaking that address the accounting of disclosures and the potential distribution of civil monetary penalties to affected individuals.

Continue Reading HHS Publishes Advance Notices of Proposed Rulemaking on Accounting of Disclosures and Civil Monetary Penalties

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances. Continue Reading Arizona Amends Data Breach Notification Law

On May 16, 2018, the Irish Data Protection Bill 2018 (the “Bill”) entered the final committee stage in Dáil Éireann (the lower house and principal chamber of the Irish legislature). The Bill was passed by the Seanad (the upper house of the legislature) at the end of March 2018. In the current stage, final statements on the Bill will be made before it is signed into law by the President. Continue Reading Irish Data Protection Bill in Final Committee Stage Before the Irish Legislature

The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities. Continue Reading FTC Revises Its Security Settlement with Uber

On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation.  Continue Reading Unsecured PHI Leads to OCR Settlement with Closed Business

On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider’s (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity. Continue Reading CFTC Brings Cybersecurity Enforcement Action

On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date. Continue Reading FTC Brings Its Thirtieth COPPA Case, Against Online Talent Agency

On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information. Continue Reading HHS Announces $3.5 Million Settlement with Fresenius Medical Care