Our previous article “Does the CCPA Apply to My Company?” outlined some questions to help determine whether your company falls within the CCPA’s definition of a “business.” Here, we give a brief overview of the law and discuss both its potential effects and its enforcement.
The United States Department of Health and Human Services reached an agreement with Touchstone Medical Imaging in which Touchstone agreed to pay $3 million and adopt a corrective action plan in the wake of its data breach that exposed over 300,000 patients’ protected health information.
You read it correctly: The United States Government has deemed an online dating application to be a national security concern. The dating application Grindr has earned notoriety for being the gay equivalent to Tinder (a dating “hook up” application for straight people). Grindr has gained remarkable success. The application boasts of having 27 million registered users as well as an average of 3.3 million daily users.
Late last year California passed the California Consumer Privacy Act of 2018 (“CCPA”) aimed at granting certain rights and protections to California consumers and also imposing obligations and limitations on businesses in an effort to provide consumers more control over their personal information. The CCPA becomes effective January 1, 2020, and companies across the nation are marking their calendars in anticipation of privacy practice changes reminiscent of those ushered in by the European Union’s GDPR last year. Although the CCPA is often compared to the GDPR, the two privacy laws are different and compliance with one does not ensure compliance with the other. In undertaking compliance measures, the initial inquiry companies should analyze is the question of whether the CCPA applies to the company.
Does your organization provide substance use treatment services or receive information from a treatment program that identifies an individual as having a substance use disorder? If so, your organization may be subject to 42 C.F.R. Part 2 and may have obligations to amend contractual provisions to maintain compliance.
Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483 titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack.
Consumer-facing privacy notices carry legal consequences and a carefully drafted privacy notice may function to save a company in data privacy litigation or regulatory actions. Accordingly, several reasons exist for companies to frequently revisit privacy notices.
The recent Yahoo! settlement marks a substantial step in data breach shareholder derivative litigation and increases the risk for officers and directors of companies that suffer a data breach. On January 9, 2019, Yahoo! agreed to pay a total of $29 million to its shareholders to settle a lawsuit against several former directors and officers alleging that their poor management of the company led to the data breaches that substantially impacted the company’s value.
The Supreme Court of Illinois recently held that every Illinois citizen has a private right of action to enforce violations of the Illinois Biometric Information Privacy Act (“BIPA”) without alleging or showing actual harm. Businesses collecting, using and storing the biometric data of Illinois consumers take notice: there are over 12 million regulators with the power to enforce this law against you. But don’t worry too much, the state’s high court promises that “Compliance should not be difficult.”
Texas law requires businesses to implement and maintain reasonable cybersecurity, and they should do so through a written program for managing cyber risk and protecting sensitive customer information. This warning came from the state’s Attorney General following his office’s $1.5 million settlement with Neiman Marcus over its 2013 data breach.