Latest Posts

Connecticut’s New Privacy Act: Another New Layer of Complexity for Privacy Compliance

On July 1, 2023, the Connecticut Privacy Act will take effect adding another legislative layer of complexity to running a business.

Colorado’s Privacy Act: Do Not Be Caught Off-Guard

The Colorado Privacy Act (CPA) will change the landscape for a wide range of businesses doing business in Colorado or with Colorado residents on July 1, 2023. With only five months until this law takes effect, companies should move rapidly to ensure they are in full compliance with the new act. Failure to comply with the CPA can result in severe economic punishment for violators. 

FTC Provides a Wake-Up Call for Companies with Lax Privacy Policy Compliance

How confident are you that your website privacy policy accurately explains what you’re doing with your customer’s data? You now have another 1,500,000 reasons to potentially worry, because the FTC recently slapped GoodRx with a $1.5 million penalty for privacy violations. While this is the first time a regulatory penalty has been handed out under the FTC’s Health Breach Notification Rule, more enforcement actions are anticipated. This particular penalty related to the prescription drug discount company GoodRx Holdings Inc. failing to accurately notify consumers of its disclosures of personal health information to Facebook, Google, and other companies.

Landmark $1.2M Sephora Settlement Highlights the Importance of CCPA Compliance

The Attorney General (AG) for California just settled a California Consumer Privacy Act (CCPA) enforcement case against Sephora for $1.2 million. While Sephora denies liability in the settlement, the outcome of this settlement should send shivers down most companies’ spines who may engage in some of the same conduct that landed Sephora in trouble. Read below for some of the major takeaways from this landmark decision.

What We Learned from the Hack of Disney’s Instagram (And, How You Can Avoid It)

The “Happiest Place on Earth” was hacked. Well, its Instagram and Facebook accounts, anyway.

Top Eight Things to Remember During a Cybersecurity Crisis

On Friday, June 17, 2022, the Center for American and International Law’s 57th Academy of American and International Law welcomed attorney Shawn Tuma; Mark Michels, Santa Clara University School of Law; and Micah Skidmore, Haynes and Boone; to lead a cyber breach crisis workshop. Jessica Lee and Haley Stevers, 2022 Summer Associates at Spencer Fane, were also present to help facilitate the event.

SEC Sanctions Broker-Dealers, Investment Advisory Firms for Deficient Cybersecurity Procedures

The Securities and Exchange Commission sanctioned eight registered broker-dealer and investment advisory firms this week for failures in their cybersecurity policies and procedures. Those failures resulted in email account takeovers, which exposed the personal information of thousands of customers and clients at each firm. Those firms paid penalties ranging from $200,000 to $300,000.

Five Best Practices the White House Urges all Businesses to Take to Mitigate Risk of Ransomware Attacks

The threat of ransomware attacks against all American businesses is so great that on June 2, 2021, the White House issued a memo to all corporate executives and business leaders with the subject “What We Urge You To Do To Protect Against The Threat of Ransomware.” This is the first time such a memo has ever been issued. That is how serious the threat of ransomware attacks is to our nation.

DOL Issues Cybersecurity Guidance

On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance for retirement plan fiduciaries and service providers, as well as plan participants. In the guidance, the EBSA states that ERISA fiduciaries are required to take appropriate steps to mitigate internal and external cybersecurity threats to plan participants and retirement plan assets. To assist fiduciaries and service providers in fulfilling this obligation, the EBSA issued two documents that describe cybersecurity best practices – Cybersecurity Program Best Practices and Tips for Hiring a Service Provider. The EBSA also issued some basic rules – Online Security Tips – to help participants reduce the risk of fraud and loss to their retirement accounts.

Three Quick Steps to Help Prepare Your Business for Cyber Threats

Nearly Half of all Businesses hit by Cyber Attacks in 2020

43% of businesses in the United States and Europe were hit with a cyber attack in 2020, an increase of 5% from 38% in 2019, according to Hiscox’s Cyber Readiness Report. Businesses cannot ignore this threat and must face it head-on. All businesses should now have an operational and maturing cyber risk management program in place that is led by their trusted cyber legal counsel.

$1,040,000 HIPAA Settlement for Stolen Unencrypted Laptop Breach — Why?

The United States Department of Health and Human Services reached an agreement with Lifespan Health System Affiliated Covered Entity (Lifespan ACE) in which Lifespan agreed to pay $1,040,000 and adopt a corrective action plan in the wake of its data breach that exposed over 20,431 patients’ protected health information. The breach occurred when an employee’s unencrypted laptop was stolen which contained electronic protected health information (ePHI) including: patients’ names, medical record numbers, demographic information, and medication information.

The CARES Act and Substance Use Disorder Records: Confidentiality Updates

Section 3221 of the CARES Act, signed into law on March 27, 2020, sets the stage for HHS to make significant changes to 42 C.F.R. Part 2, governing the confidentiality of Substance Use Disorder (“SUD”) records. Under the Act, HHS has 12 months to work with appropriate Federal agencies to make revisions to 42 C.F.R. Part 2 consistent with Section 3221’s mandates.

Understanding the Cyber and Privacy Risks Of Zoom and Tips For Using It More Securely

By now everyone has heard of — and likely used — Zoom for staying connected during the COVID-19 pandemic. In what may have been a brilliant strategy to gain market share during adverse times, Zoom offered its videoconferencing service for free to schools, organizations, businesses, and individuals as a means of staying connected while the world is exercising social distancing, and it seems as if everyone is now using Zoom.

DC Federal Court Limits Former OCR Guidance on Medical Record Fees

The DC Federal District Court issued an opinion in Ciox Health, LLC v. Azar, et al., Case No. 18-CV-00040 (D.D.C. January 23, 2020) that reverses portions of guidance issued by the Office for Civil Rights (“OCR”) in 2016 related to the fees that a healthcare provider may charge for medical records that are requested by a patient and directed to a third party. The original HIPAA Privacy Rule included provisions that a “covered entity” (1) must provide patients the right to access his or her protected health information (“PHI”) within a designated record set and (2) could only charge a reasonable cost-based fee for such access. In 2009, the HITECH Act amended HIPAA to provide that a patient could request that the patient’s access to PHI maintained in an electronic health record (“EHR”) be directed to a third party. In 2013, the Omnibus Rule further broadened the third party directive and allowed patients to make this third party directive for access to PHI contained in any format. Lastly, in 2016, OCR issued guidance that applied the fee limitation from the original HIPAA Privacy Rule to situations in which the patient directs the PHI to a third party.

CCPA, It’s Not Just Alphabet Soup

Our previous article “Does the CCPA Apply to My Company?”[i] outlined some questions to help determine if your company is included in the definition of business for the CCPA. Here, we give a brief overview of the law and discuss both its potential effects and enforcement.

One Key Takeaway from $3 Million Penalty by HHS for Exposing 300,000 Patient Records

The United States Department of Health and Human Services reached an agreement with Touchstone Medical Imaging in which Touchstone agreed to pay $3 million and adopt a corrective action plan in the wake of its data breach that exposed over 300,000 patients’ protected health information.

Dating Application Triggers National Security Concerns

You read it correctly: The United States Government has deemed an online dating application to be a national security concern. The dating application Grindr has earned notoriety for being the gay equivalent to Tinder (a dating “hook up” application for straight people). Grindr has gained remarkable success. The application boasts of having 27 million registered users as well as an average of 3.3 million daily users.

Does the CCPA Apply to My Company?

Late last year California passed the California Consumer Privacy Act of 2018 (“CCPA”) aimed at granting certain rights and protections to California consumers and also imposing obligations and limitations on businesses in an effort to provide consumers more control over their personal information. The CCPA becomes effective January 1, 2020, and companies across the nation are marking their calendars in anticipation of privacy practice changes reminiscent of those ushered in by the European Union’s GDPR last year. Although the CCPA is often compared to the GDPR, the two privacy laws are different and compliance with one does not ensure compliance with the other. In undertaking compliance measures, the initial inquiry companies should analyze is the question of whether the CCPA applies to the company.

Maintaining Compliance with Substance Use Disorder Information

Does your organization provide substance use treatment services or receive information from a treatment program that identifies an individual as having a substance use disorder? If so, your organization may be subject to 42 C.F.R. Part 2 and may have obligations to amend contractual provisions to maintain compliance.

ABA Explains Lawyers’ Ethical Obligations for Data Security and Data Breach

Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483, titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack.

Revisit Privacy Notices for the New Year

Consumer-facing privacy notices carry legal consequences and a carefully drafted privacy notice may function to save a company in data privacy litigation or regulatory actions. Accordingly, several reasons exist for companies to frequently revisit privacy notices.

Yahoo! Data Breach Settlement Increases Risk for Companies’ Directors and Officers

The recent Yahoo! settlement marks a substantial step in data breach shareholder derivative litigation that increases the risk for officers and directors of companies that have a data breach. On January 9, 2019, Yahoo! agreed to pay a total of $29 million to its shareholders to settle a lawsuit against several former directors and officers alleging that their poor management of the company led to the data breaches which substantially impacted the company’s value.

Illinois: Land of 12 Million Biometric Privacy Regulators

The Supreme Court of Illinois recently held that every Illinois citizen has a private right of action to enforce violations of the Illinois Biometric Information Privacy Act (“BIPA”) without alleging or showing actual harm. Businesses collecting, using and storing the biometric data of Illinois consumers take notice: there are over 12 million regulators with the power to enforce this law against you. But don’t worry too much, the state’s high court promises that “Compliance should not be difficult.”

Texas Businesses Must Implement and Maintain Reasonable Cybersecurity Safeguards According to State Attorney General

Texas law requires businesses to implement and maintain reasonable cybersecurity, which they should do through a written program for managing cyber risk and protecting sensitive customer information. This warning came from the state’s Attorney General following his office’s $1.5 million settlement with Neiman Marcus over its 2013 data breach.

Pennsylvania Employers Have a Duty to Safeguard Employees’ Data, Says High Court

Late last year, the Supreme Court of Pennsylvania ruled that employers have a legal duty to safeguard employees’ sensitive personal information stored on an internet-accessible computer system and that the state’s economic loss doctrine allowed the plaintiffs in Dittman to recover for purely monetary damages.

Protect Your Company Against W-2 Business Email Compromise Attacks During Tax Season

The most likely “cyber attack” that your company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC) and the most popular time of the year for the W-2 version of BEC is right now — tax season.

EDPB Guidance on GDPR’s Jurisdictional Scope

For many U.S. organizations, figuring out whether – and to what extent – Europe’s General Data Protection Regulation (“GDPR”) applies to your operations has caused a lot of headaches. Do you have an “establishment in the [European] Union”? Are you “offering…goods and services…to…data subjects in the Union”? Are you “monitoring” the behavior of data subjects in the Union? How will these terms be interpreted and enforced?

New South Carolina Insurance Data Security Act

South Carolina has recently enacted a new insurance data security law entitled the South Carolina Insurance Data Security Act. The new legislation generally applies to licensees (any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of South Carolina) with ten or more employees or independent contractors.

Cyber Resolutions for the New Year

As we enter 2019, social media is flooded with resolutions for self-improvement, let us propose a few:

Notice – Colorado Changes to Data Privacy Laws

Three major changes to Colorado data privacy laws became effective September 1, 2018. These affect virtually all businesses collecting personally identifying information (PII)[1] from Colorado residents:

Updated Tools for Your HIPAA Toolkit: Medical Record Fees

A Missouri federal court granted a motion to dismiss this week in a case against a provider and medical record processing company. In the case, a patient alleged that a “search and retrieval” fee imposed in response to a patient’s request for access to medical records violated the Missouri Merchandising Practices Act. In dismissing the claim, the court only addressed Missouri law as the allegations did not involve alleged violations of HIPAA. The outcome in this Missouri case is similar to the outcome in an unrelated Tennessee case against the same medical records company that was dismissed earlier this summer. The Tennessee case alleged multiple violations of Tennessee law relating to the fees imposed for access to medical records, using HIPAA as the standard for medical records fees. In dismissing the case, the Tennessee court found that neither HIPAA nor Tennessee law provides a private cause of action for excessive medical record fees. The Tennessee case is pending appeal.

Updated Tools for Your HIPAA Toolkit: Security Risk Assessment

In the wake of the record-setting $16 million settlement and resolution agreement with Anthem, Inc., the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a new version of their Security Risk Assessment tool. The new tool and recent settlement agreement renew the emphasis of OCR on the performance of HIPAA Security Risk Assessments by covered entities and their business associates.

Shopping for Cyber Insurance? Initial Lessons Learned from the Courts

The burgeoning multi-billion dollar cyber insurance market is expected to continue its 25%+ annual growth over the next few years. Despite this dramatic growth, the market is plagued with uncertainty over the meaning of key policy terms and the scope of coverage. The lack of both uniformity in cyber policy language and judicial guidance interpreting policy language prevents companies from confidently assessing their loss exposure in the event of a major data breach.

Yet Another Data Sheriff In Town: CFPB Issues Its First Data Security Enforcement Action

On March 2, 2016, the CFPB finalized a Consent Order with Dwolla, an online payment platform, for violations of the CFPA. It is the CFPB’s first enforcement action related to data privacy and security. It is notable because Dwolla appears to have become an enforcement target due solely to its robust claims about security, and not due to any data breach. It also places obligations on Dwolla’s Board to become responsible for data privacy and security in the company.

EU-US “Privacy Shield” Disclosed to the Public

The past week has seen two key developments in EU-US data privacy relations — the US enacted the Judicial Redress Act into law, and EU and US officials published the proposed EU-US Privacy Shield protocol for transatlantic data transfers. While the Privacy Shield still has a gauntlet of EU bureaucracy to navigate, companies that relied on Safe Harbor should begin to plan now to comply with the robust new requirements of Privacy Shield, or implement other measures to satisfy the EU Privacy Directive to import EU data to the US.

President Obama Goes Big on Privacy and Cybersecurity

As part of a massive new initiative, Obama establishes the Federal Privacy Council and a national commission on cybersecurity.

EU announces “Privacy Shield” agreement to replace Safe Harbor transatlantic data pact

  • U.S. organizations wishing to import data from EU subjects will be subject to much more “robust” privacy protocols
  • Final approval still faces hurdles

Safe Harbor Under Siege – Is This The End For The EU-U.S. Safe Harbor?

The EU-U.S. Safe Harbor Framework (“Safe Harbor”) has provided companies on both sides of the Atlantic an efficient means to transfer personal information to and from the EU and the U.S. Recently, however, the Safe Harbor has come under attack. EU officials have opined that modern U.S. policy has eroded protections afforded under the Safe Harbor, resulting in the Safe Harbor no longer offering “adequate” protection as required by the EU Data Protection Directive 95/46/EC (“EU Directive”). Most recently, and perhaps the most concerning, is the opinion from Advocate General Yves Bot of the European Court of Justice (“ECJ”), whereby Bot recommended the Safe Harbor be declared invalid.

Anthem Security Breach May Require Plan Sponsor Action

The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.”

Updated Proposed Federal 30-day “Shot Clock” For Data Breach Notification

As we wrote yesterday, President Obama has called for legislation (the Personal Data Protection and Privacy Act) that will require notice of a data breach within 30 days of discovery by your company.

Proposed Federal 30-day “Shot Clock” For Data Breach Notification

In November we discussed the standards in place for whether and when a consumer must be notified of a data breach. The current answer is that almost all states have laws requiring notification, but the format and timing of the notification vary from state to state.

Banks: The Forgotten Victim of a Data Breach

Data breaches have become a phenomenon of late, with news seemingly breaking every day on the latest victim and the potential harm to consumers. Often overlooked, however, is the impact that each new data breach has on banks.

Don’t Forget About HIPAA When Addressing Data Security

Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

5 tips for procuring a cyber insurance policy

Cyber attacks are not only increasingly prominent, but are also increasingly costly. The financial impact of a data breach averages $10 million per occurrence. Data breach insurance coverage may help ameliorate these financial consequences and constitutes a vital part of a comprehensive data security strategy.

When must a company send a data breach notification?

In our last post, we discussed how to minimize your risk of a data breach. But what do you do if and when a data breach occurs? How will you know when to send a notification? Today, we’ll discuss just that.

Data Breach: Are You Prepared to Respond?

Data breaches are becoming an everyday occurrence. Just ask The Home Depot, Target and Schnuck’s. The number of companies reporting a data breach increased over 30% in the past two years. Experts agree that every company is susceptible to data breaches, and that it is not a question of if but when it will happen.

The Four I’s to proactively addressing data breach risks

You’ve been hearing about data breaches for quite some time now. It seems like there’s a new one every day. Most of the news focuses on credit card transactions, but regardless of your industry and the safeguards you use to protect your data, if you collect any type of information about your customers, you’re at risk.
