On November 22, 2016, the Department of Health and Human Services announced a $650,000 settlement with University of Massachusetts Amherst, resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules. … Continue Reading
On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act. … Continue Reading
On November 14, 2016, Lincoln Financial Securities Corp., a subsidiary of Lincoln Financial Group, entered into a settlement with the Financial Industry Regulatory Authority, requiring LFS to pay a 650,000 dollar fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.… Continue Reading
On November 7, 2016, Adobe Systems Inc. entered into an assurance of voluntary compliance with 15 state Attorneys General to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. … Continue Reading
On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call Registry, in violation of the Telemarketing Sales Rule.… Continue Reading
On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.… Continue Reading
Recently, the Cyberspace Administration of China published for public comment a draft of the Regulations on the Online Protection of Minors. The Draft Regulations are open for comment until October 31, 2016.… Continue Reading
On October 13, 2016, Elizabeth Denham, the UK Information Commissioner, suggested at a House of Commons Public Bill Committee meeting that directors of companies who violate data protection laws should be personally liable to pay fines.… Continue Reading
On August 30, 2016, the First-tier Tribunal (Information Rights) (the “Tribunal”) dismissed an appeal from UK telecoms company TalkTalk Telecom Group PLC (“TalkTalk”) regarding a monetary penalty notice issued to it on February 17, 2016, by the UK Information Commissioner’s Office (“ICO”). The ICO had issued the monetary penalty notice to TalkTalk, for the amount … Continue Reading
On August 4, 2016, the U.S. Department of Health and Human Services' Office for Civil Rights entered into a resolution agreement with Advocate Health Care Network over alleged HIPAA violations. The multimillion dollar settlement with Advocate is the largest settlement to date against a single covered entity.… Continue Reading
The U.S. Department of Health and Human Services’ Office for Civil Rights recently entered into resolution agreements with two large public health centers over alleged HIPAA violations.… Continue Reading
On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia. This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013.… Continue Reading
On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act. … Continue Reading
On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. … Continue Reading
On June 22, 2016, the Federal Trade Commission announced that it reached a settlement with a mobile advertising company, InMobi, to resolve charges that the company deceptively tracked hundreds of millions of consumers’ locations without their knowledge or consent. Among other requirements, the settlement orders the company to pay 950,000 dollars in civil penalties. … Continue Reading
On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company. … Continue Reading
Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and … Continue Reading
The U.S. Department of Health and Human Services’ Office for Civil Rights recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., and New York-Presbyterian Hospital for HIPAA Privacy Rule violations.… Continue Reading
After four years of drafting and negotiations, the long awaited EU General Data Protection Regulation has been adopted at the EU level. This blog entry highlights key aspects of the Regulation.… Continue Reading
In March 2016, the Department of Health and Human Services announced resolution agreements with North Memorial Health Care of Minnesota and The Feinstein Institute for Medical Research over potential violations of the HIPAA Privacy Rule.… Continue Reading
On February 27, 2016, the Consumer Financial Protection Bureau reached a settlement with Dwolla, Inc., an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a 100,000 dollar fine on Dwolla. This marks the first data security-related fine imposed by the CFPB. … Continue Reading
On February 3, 2016, the U.S. Department of Health and Human Services Office for Civil Rights announced that an Administrative Law Judge ruled that Lincare, Inc. violated the HIPAA Privacy Rule and ordered the company to pay 239,800 dollars to OCR.… Continue Reading
Taiwan’s Office of the President recently issued an order to promulgate certain amendments to Taiwan’s Personal Data Protection Law. The Amendments revise 12 articles in the PDPL concerning the collection and use of sensitive personal data, the form of consent for the collection of non-sensitive personal data, and the imposition of criminal liability for certain violations of the PDPL. … Continue Reading
On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc., agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data.… Continue Reading
