The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021.  This settlement activity followed a few other significant HIPAA developments that occurred in January of 2021, including HHS’s release of proposed regulations to the HIPAA Privacy Rule and a…

With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.…

Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The Rutter’s decision is a reminder that although courts had generally…

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.…

On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).…

On June 14, the California Privacy Protection Agency (CPPA), the first state agency in the country dedicated to privacy, held its first public meeting. In her opening remarks, Acting Chairwoman Jennifer M. Urban introduced each of the Board members: John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le. The meeting covered an extensive agenda, available here, which highlighted the processes and procedures required by the Board to perform its duties, including…

In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or…