Happy (belated) New Year! 2020 marks the second anniversary of CyberAdviser.  In the word of data privacy and cybersecurity, a great deal has happened over that span of time, including the enactment of the GDPR,  BDLC (Brazil’s new privacy law), and the CCPA, the continued expansion of data breach and biometrics litigation, important US federal and state enforcement activity, enactment of the CLOUD Act, guidance from the Supreme Court regarding Article III standing (especially critical in…

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, recently announced the following three major improvements that have been made to FTC orders in data security cases: Specificity: To counter past criticisms that FTC orders to implement comprehensive information security programs were too vague, FTC orders will now require specific security safeguards that address specific allegations in the complaint brought against each company. Third-party assessor accountability: FTC orders will now give the FTC authority…

On November 22nd, the CFPB issued a press release announcing that a stipulated final judgment and order (Order) were filed in the U.S. District Court for the Southern District of New York against Sterling Infosystems, Inc. (Sterling) to resolve allegations that the employment background screening company violated the Fair Credit Reporting Act (FCRA).…

In this podcast, Ballard Spahr consumer financial services partner Chris Willis talks with Scott Ferris, CEO of Attunely, a provider of machine learning (ML) and artificial intelligence (AI) technology to the debt collection industry.  The podcast addresses how changes in consumer behavior have impacted collections, technology’s role in collections,  how ML/AI can improve profitability, and impediments to adopting ML/AI.  Phil Yannella, Leader of Ballard’s Privacy & Data Security Group, also discusses how the GDPR, CCPA and…

Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements.  The OCR announcement and accompanying information detail violations that included: The unauthorized access by an employee to the records of more than 24,000 patients over…

For businesses, one of the more worrisome scenarios under the CCPA occurs when they mistakenly provide personal information of a consumer to the wrong party in response to a consumer request, whether because of fraud or simple mistake. Because the definition of data breach under the CCPA is very broad, the unauthorized sharing of personal information with the wrong party could theoretically give rise to a civil cause of action with statutory penalties of $100-$750,…