Data Privacy and Cybersecurity

Dating Application Triggers National Security Concerns

You read it correctly: the United States Government has deemed an online dating application to be a national security concern. The dating application Grindr has earned notoriety as the gay equivalent of Tinder (a dating “hook up” application for straight people). Grindr has gained remarkable success, boasting 27 million registered users and an average of 3.3 million daily users.

Does the CCPA Apply to My Company?

Late last year California passed the California Consumer Privacy Act of 2018 (“CCPA”), aimed at granting certain rights and protections to California consumers and imposing obligations and limitations on businesses in an effort to give consumers more control over their personal information. The CCPA becomes effective January 1, 2020, and companies across the nation are marking their calendars in anticipation of privacy practice changes reminiscent of those ushered in by the European Union’s GDPR last year. Although the CCPA is often compared to the GDPR, the two privacy laws are different, and compliance with one does not ensure compliance with the other. In undertaking compliance measures, the initial question a company should analyze is whether the CCPA applies to it at all.

Maintaining Compliance with Substance Use Disorder Information

Does your organization provide substance use treatment services or receive information from a treatment program that identifies an individual as having a substance use disorder? If so, your organization may be subject to 42 C.F.R. Part 2 and may have obligations to amend contractual provisions to maintain compliance.

ABA Explains Lawyers’ Ethical Obligations for Data Security and Data Breach

Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483, titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack.

Revisit Privacy Notices for the New Year

Consumer-facing privacy notices carry legal consequences and a carefully drafted privacy notice may function to save a company in data privacy litigation or regulatory actions. Accordingly, several reasons exist for companies to frequently revisit privacy notices.

Yahoo! Data Breach Settlement Increases Risk for Companies’ Directors and Officers

The recent Yahoo! settlement marks a substantial step in data breach shareholder derivative litigation and increases the risk for officers and directors of companies that suffer a data breach. On January 9, 2019, Yahoo! agreed to pay a total of $29 million to its shareholders to settle a lawsuit against several former directors and officers alleging that their poor management of the company led to the data breaches that substantially reduced the company’s value.

Illinois: Land of 12 Million Biometric Privacy Regulators

The Supreme Court of Illinois recently held that every Illinois citizen has a private right of action to enforce violations of the Illinois Biometric Information Privacy Act (“BIPA”) without alleging or showing actual harm. Businesses collecting, using and storing the biometric data of Illinois consumers, take notice: there are over 12 million regulators with the power to enforce this law against you. But don’t worry too much; the state’s high court promises that “Compliance should not be difficult.”

Texas Businesses Must Implement and Maintain Reasonable Cybersecurity Safeguards According to State Attorney General

Texas law requires businesses to implement and maintain reasonable cybersecurity, which they should do through a written program for managing cyber risk and protecting sensitive customer information. This warning came from the state’s Attorney General following his office’s $1.5 million settlement with Neiman Marcus over its 2013 data breach.

Cyber Hygiene Checklist

“[T]he relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”
– FTC v. Wyndham, (3rd Cir. Aug. 24, 2015)

Pennsylvania Employers Have a Duty to Safeguard Employees’ Data, Says High Court

Late last year, the Supreme Court of Pennsylvania ruled that employers have a legal duty to safeguard employees’ sensitive personal information stored on an internet-accessible computer system, and that the state’s economic loss doctrine allowed the plaintiffs in Dittman to recover for purely monetary damages.

Protect Your Company Against W-2 Business Email Compromise Attacks During Tax Season

The most likely “cyber attack” your company will face will arrive in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of year for the W-2 version of BEC is right now — tax season.

Cyber Incident Response Checklist

“Firms must adopt written policies to protect their clients’ private information . . . they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
– S.E.C. v. R.T. Jones Capital Equities Mgt.

EDPB Guidance on GDPR’s Jurisdictional Scope

For many U.S. organizations, figuring out whether – and to what extent – Europe’s General Data Protection Regulation (“GDPR”) applies to your operations has caused a lot of headaches. Do you have an “establishment in the [European] Union”? Are you “offering…goods and services…to…data subjects in the Union”? Are you “monitoring” the behavior of data subjects in the Union? How will these terms be interpreted and enforced?

New South Carolina Insurance Data Security Act

South Carolina has recently enacted a new insurance data security law entitled the South Carolina Insurance Data Security Act. The new legislation generally applies to licensees (any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, under the insurance laws of South Carolina) with ten or more employees or independent contractors.

Cyber Resolutions for the New Year

As we enter 2019, social media is flooded with resolutions for self-improvement, let us propose a few:

Notice – Colorado Changes to Data Privacy Laws

Three major changes to Colorado data privacy laws became effective September 1, 2018. These affect virtually all businesses collecting personally identifying information (PII)[1] from Colorado residents:

Updated Tools for Your HIPAA Toolkit: Medical Record Fees

A Missouri federal court granted a motion to dismiss this week in a case against a provider and a medical record processing company. In the case, a patient alleged that a “search and retrieval” fee imposed in response to a patient’s request for access to medical records violated the Missouri Merchandising Practices Act. In dismissing the claim, the court addressed only Missouri law, as the allegations did not involve alleged violations of HIPAA. The outcome in this Missouri case is similar to the outcome in an unrelated Tennessee case against the same medical records company that was dismissed earlier this summer. The Tennessee case alleged multiple violations of Tennessee law relating to the fees imposed for access to medical records, using HIPAA as the standard for medical record fees. In dismissing the case, the Tennessee court found that neither HIPAA nor Tennessee law provides a private cause of action for excessive medical record fees. The Tennessee case is pending appeal.

Updated Tools for Your HIPAA Toolkit: Security Risk Assessment

In the wake of the record-setting $16 million settlement and resolution agreement with Anthem, Inc., the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released a new version of their Security Risk Assessment tool. The new tool and the recent settlement agreement renew OCR’s emphasis on the performance of HIPAA Security Risk Assessments by covered entities and their business associates.

The Data Breach Tide is Shifting Toward Proactive Security Obligations

When an organization faces a security incident, it is thrown into a complicated analysis of forty-seven state breach notification laws. Because the laws apply based on the residence of the affected consumer, consideration must be given to the variances in the definition of a breach that triggers notification; the content, timing, and manner of notification; additional regulatory, credit agency, or media communications; and potential litigation or enforcement. Thus, the states in which an organization provides goods or services and collects personal information can have a significant impact on its obligations following a security incident.

New Colorado Consumer Data Privacy Law Impacts Governmental Entities

On May 29, 2018, Colorado Governor John Hickenlooper signed House Bill 18-1128 (the “Consumer Privacy Law”), which expanded protections of consumer data and placed additional requirements on covered entities and governmental entities that maintain, own, or license personally identifiable information. The Consumer Privacy Law’s new requirements will take effect on September 1, 2018.

The Consumer Privacy Law has unique requirements for covered entities and governmental entities.  A general discussion of how the law impacts governmental entities follows.

Shopping for Cyber Insurance? Initial Lessons Learned from the Courts

The burgeoning multi-billion dollar cyber insurance market is expected to continue its 25%+ annual growth over the next few years. Despite this dramatic growth, the market is plagued with uncertainty over the meaning of key policy terms and the scope of coverage. The lack of both uniformity in cyber policy language and judicial guidance interpreting that language prevents companies from confidently assessing their loss exposure in the event of a major data breach.

Yet Another Data Sheriff In Town: CFPB Issues Its First Data Security Enforcement Action

On March 2, 2016, the CFPB finalized a Consent Order with Dwolla, an online payment platform, for violations of the CFPA. It is the CFPB’s first enforcement action related to data privacy and security. It is notable because Dwolla appears to have become an enforcement target due solely to its robust claims about its security, and not due to any data breach. It also places obligations on Dwolla’s Board to take responsibility for data privacy and security in the company.

EU-US “Privacy Shield” Disclosed to the Public

The past week has seen two key developments in EU-US data privacy relations — the US enacted the Judicial Redress Act into law, and EU and US officials published the proposed EU-US Privacy Shield protocol for transatlantic data transfers. While the Privacy Shield still has a gauntlet of EU bureaucracy to navigate, companies that relied on Safe Harbor should begin planning now to comply with the more robust requirements of Privacy Shield, or implement other measures that satisfy the EU Privacy Directive in order to import EU data to the US.

President Obama Goes Big on Privacy and Cybersecurity

As part of a massive new initiative, President Obama establishes the Federal Privacy Council and a national commission on cybersecurity.

EU announces “Privacy Shield” agreement to replace Safe Harbor transatlantic data pact

  • U.S. organizations wishing to import data from EU subjects will be subject to much more “robust” privacy protocols
  • Final approval still faces hurdles

Pat Whalen Publishes Data Breach Notification Article in BankNews

Spencer Fane Chairman Pat Whalen was featured as a guest author in this month’s issue of BankNews magazine, providing insights and updates on the protocol for handling data breach notifications. The article, titled “When to Send a Data Breach Notification,” discusses the laws surrounding security breaches and the responsibility of companies to determine when notification of customers is both necessary and required by law.