CyberAdviser

Insights from the frontlines of privacy and data security law

The Equifax and Facebook-Cambridge Analytica scandals, coupled with the proliferation of state privacy and security laws such as the California Consumer Privacy Act (CCPA)—as well as proposed laws in Washington and Massachusetts—have increased demand for a comprehensive national privacy law.  Last week, the Senate announced plans to hold hearings to discuss a proposed privacy law.  The Government Accountability Office (GAO) has just released its report recommending that Congress develop comprehensive privacy legislation to enhance…
On February 7, 2019, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018.  The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California.  In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server.  This breach affected more…
The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents. The Act provides a private right of action to individuals “aggrieved” by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys’ fees, and…
The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224. The proposed legislation is…
As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019. Owning the Mega-Breach 2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst…
Just in case you needed a reminder that the California Consumer Privacy Act of 2018 (CCPA) will go into effect on January 1, 2020, the California Department of Justice announced that it will hold six statewide forums to collect feedback from stakeholders as part of its duty to promulgate regulations “that will establish procedures to facilitate consumers’ rights.” The meetings will be held between January 8, 2019 and February 15, 2019. Further information is available…
A relatively quiet year for HIPAA enforcement is ending with a small flourish.  The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days. The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida.  In 2014, ACH received notice from a local hospital that individually identifiable patient…
Hold the date: Phil Yannella, Ballard Spahr partner and co-chair of the firm’s Privacy & Data Security Group, will participate in an ACC webcast on Tuesday, December 4, 2018 titled “The State of US State Privacy Laws.” The webcast will focus on the recent proliferation of US state privacy and data security laws, some of which provide for a private right of action, and discuss how companies can provide “reasonable” security to customer and employee data.…
Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR. Under Article 3(2), US companies without an “establishment” in the EU are required to comply with the GDPR where their processing activities relate to the “offering of goods or services” to EU data subjects or where they “monitor” the behavior of EU data subjects.…
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.…