For many U.S. organizations, figuring out whether – and to what extent – Europe’s General Data Protection Regulation (“GDPR”) applies to your operations has caused a lot of headaches. Do you have an “establishment in the [European] Union”? Are you “offering…goods and services…to…data subjects in the Union”? Are you “monitoring” the behavior of data subjects in the Union? How will these terms be interpreted and enforced?
South Carolina has recently enacted a new insurance data security law entitled the South Carolina Insurance Data Security Act. The new legislation generally applies to licensees (any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of South Carolina) with ten or more employees or independent contractors.
As we enter 2019, social media is flooded with resolutions for self-improvement, let us propose a few:
Three major changes to Colorado data privacy laws became effective September 1, 2018. These affect virtually all business collecting personally identifying information (PII) from Colorado residents:
A Missouri federal court granted a motion to dismiss this week in a case against a provider and medical record processing company. In the case, a patient alleged that a “search and retrieval” fee imposed in response to a patients request for access to medical records violated the Missouri Merchandizing Practices Act. In dismissing the claim, the court only addressed Missouri law as the allegations did not involve alleged violations of HIPAA. The outcome in this Missouri case is similar to the outcome in an unrelated Tennessee case against the same medical records company that was dismissed earlier this summer. The Tennessee case alleged multiple violations of Tennessee law relating to the fees imposed for access to medical records, using HIPAA as the standard for medical records fees. In dismissing the case, the Tennessee court found that neither HIPAA nor Tennessee law provide a private cause of action for excessive medical record fees. The Tennessee case is pending appeal.
In the wake of the record setting $16 Million dollar settlement and resolution agreement with Anthem, Inc, the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a new version of their Security Risk Assessment tool. The new tool and recent settlement agreement renew the emphasis of OCR on the performance of HIPAA Security Risk Assessments by covered entities and their business associates.
The burgeoning multi-billion dollar cyber insurance market is expected to continue its 25%+ annual growth over the next few years. Despite this dramatic growth, the market is plagued with uncertainty over the meaning of key policy terms and scope of coverage. The lack of both uniformity in cyber policy language and judicial guidance interpreting policy language prevent companies from confidently assessing their loss exposure in the event of a major data breach.
On March 2, 2016, the CFPB finalized a Consent Order with Dwolla, an online payment platform, for violations of the CFPA. It is the CFPB’s first enforcement action related to data privacy and security. It is notable because Dwolla appears to have become an enforcement target due solely to its robust claims about security, and not due to any data breach. It also places obligations on Dwolla’s Board to become responsible for data privacy and security in the company.
The past week has seen two key developments in EU-US data privacy relations — the US enacted the Judicial Redress Act into law, and EU and US officials published the proposed EU-US Privacy Shield protocol for transatlantic data transfers. While the Privacy Shield still has a gauntlet of EU bureaucracy to navigate, companies that relied on Safe Harbor should begin to plan now to comply with the robust new requirements of Privacy Shield, or implement other measures to satisfy the EU Privacy Directive to import EU data to the US.
As part of a massive new initiative, Obama establishes the Federal Privacy Council and a national commission on cybersecurity