The Attorney General (AG) for California just settled a California Consumer Privacy Act (CCPA) enforcement case against Sephora for $1.2 million. While Sephora denies liability in the settlement, the outcome should send shivers down the spines of most companies that may engage in some of the same conduct that landed Sephora in trouble. Read below for some of the major takeaways from this landmark decision.
The “Happiest Place on Earth” was hacked. Well, its Instagram and Facebook accounts, anyway.
On Friday, June 17, 2022, the Center for American and International Law’s 57th Academy of American and International Law welcomed attorney Shawn Tuma; Mark Michels, Santa Clara University School of Law; and Micah Skidmore, Haynes and Boone, to lead a cyber breach crisis workshop. Jessica Lee and Haley Stevers, 2022 Summer Associates at Spencer Fane, were also present to help facilitate the event.
The Securities and Exchange Commission sanctioned eight registered broker-dealer and investment advisory firms this week for failures in their cybersecurity policies and procedures. Those failures resulted in email account takeovers, which exposed the personal information of thousands of customers and clients at each firm. Those firms paid penalties ranging from $200,000 to $300,000.
The threat of ransomware attacks against all American businesses is so great that on June 2, 2021, the White House issued a memo to all corporate executives and business leaders with the subject “What We Urge You To Do To Protect Against The Threat of Ransomware.” This is the first time such a memo has ever been issued. That is how serious the threat of ransomware attacks is to our nation.
On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance for retirement plan fiduciaries and service providers, as well as plan participants. In the guidance, the EBSA states that ERISA fiduciaries are required to take appropriate steps to mitigate internal and external cybersecurity threats to plan participants and retirement plan assets. To assist fiduciaries and service providers in fulfilling this obligation, the EBSA issued two documents that describe cybersecurity best practices – Cybersecurity Program Best Practices and Tips for Hiring a Service Provider. The EBSA also issued some basic rules – Online Security Tips – to help participants reduce the risk of fraud and loss to their retirement accounts.
Nearly Half of all Businesses hit by Cyber Attacks in 2020
43% of businesses in the United States and Europe were hit with a cyber attack in 2020, an increase of 5% from 38% in 2019, according to Hiscox’s Cyber Readiness Report. Businesses cannot ignore this threat and must face it head-on. All businesses should now have an operational and maturing cyber risk management program in place that is led by their trusted cyber legal counsel.
The United States Department of Health and Human Services reached an agreement with Lifespan Health System Affiliated Covered Entity (Lifespan ACE) in which Lifespan agreed to pay $1,040,000 and adopt a corrective action plan in the wake of its data breach that exposed over 20,431 patients’ protected health information. The breach occurred when an employee’s unencrypted laptop was stolen. The laptop contained electronic protected health information (ePHI), including patients’ names, medical record numbers, demographic information, and medication information.
Section 3221 of the CARES Act, signed into law on March 27, 2020, sets the stage for HHS to make significant changes to 42 C.F.R. Part 2, governing the confidentiality of Substance Use Disorder (“SUD”) records. Under the Act, HHS has 12 months to work with appropriate Federal agencies to make revisions to 42 C.F.R. Part 2 consistent with Section 3221’s mandates.
By now everyone has heard of — and likely used — Zoom for staying connected during the COVID-19 pandemic. In what may have been a brilliant strategy to gain market share during adverse times, Zoom offered its videoconferencing service for free to schools, organizations, businesses, and individuals as a means of staying connected while the world is exercising social distancing, and it seems as if everyone is now using Zoom.