CyberAdviser

Insights from the frontlines of privacy and data security law

A relatively quiet year for HIPAA enforcement is ending with a small flourish.  The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days. The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida.  In 2014, ACH received notice from a local hospital that individually identifiable patient…
Hold the date: Phil Yannella, Ballard Spahr partner and co-chair of the firm’s Privacy & Data Security Group, will participate in an ACC webcast on Tuesday, December 4, 2018 titled “The State of US State Privacy Laws.” The webcast will focus on the recent proliferation of US state privacy and data security laws, some of which provide for a private right of action, and discuss how companies can provide “reasonable” security to customer and employee data.…
Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR. Under Article 3(2), US companies without an “establishment” in the EU are required to comply with the GDPR where their processing activities relate to the “offering of goods or services” to EU data subjects or where they “monitor” the behavior of EU data subjects.…
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.…
For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone,…
The U.S. Supreme Court’s grant this week of the petition for certiorari in a case involving the Telephone Communication Protection Act (TCPA) prohibition on unsolicited fax advertisements could have significant implications for the Federal Communication Commission’s (FCC) anticipated ruling on what constitutes an automatic telephone dialing system (ATDS) under the TCPA. The petitioner in PDR Network v. Carlton & Harris Chiropractic sent a fax in 2013 to a West Virginia chiropractor offering a free copy…
On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies. As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC…
The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors. On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.”  In particular, the report focuses on certain types of “business…
The Federal Election Commission (FEC) released a draft advisory opinion (draft AO) yesterday, holding that certain cybersecurity services a nonprofit corporation provides to candidates and political parties are not in-kind contributions. Defending Digital Campaigns, Inc. (DDC) is a nonprofit corporation under Washington, D.C., law, exempt from federal income tax under § 501(c)(4). Its stated purpose is “to provide education and research for civic institutions on cybersecurity best practices and assist them in implementing technologies, processes,…
This month marks 15 years of observing National Cyber Security Awareness Month (NCSAM) in October. The program was started way back in 2004, by the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate Americans about ways to stay safer and more secure online. Technology has transformed most aspects of daily life since 2004, when: Smartphones didn’t exist (BlackBerrys don’t count). Thefacebook.com was born in a Cambridge dorm room. Google launched…