Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Latest from Data Privacy Monitor

On January 10, Advocate General Maciej Szpunar released an opinion recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU.  The advocates general assist the judges of the Court of Justice of the European Union (CJEU), providing independent legal solutions to issues presented to the CJEU. The judges decide whether an official opinion from an advocate general is necessary. The judges are not…
In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote access to Pagosa Springs Medical Center’s web-based scheduling calendar for two months after the employee’s termination, which resulted in 557…
Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it had experienced a security incident involving its payment processing system that may have resulted in unauthorized access to the payment…
Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members. Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in (i) any loss of customer or counterparty funds, (ii) any loss of a member’s own capital, or (iii) the member…
While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 (MP 869/2018), published Dec. 28, 2018, takes the vitally important step of creating Brazil’s National Data Protection Authority (ANPD), tasked…
On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from assessing fees for establishing or removing security freezes. The Vermont legislature’s intent in enacting the new law is fourfold: (1)…
The California Attorney General and the Department of Justice held the first public forum about the California Consumer Privacy Act (CCPA) on Tuesday, Jan. 8, in San Francisco. The public forums are part of the rulemaking process the attorney general’s office is undertaking pursuant to Section 1798.185 of the CCPA, which requires the attorney general to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. These forums are an opportunity…
On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019. One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when the data security incident involves a Massachusetts resident’s Social Security number. With this new obligation, Massachusetts joins Connecticut and Delaware…
BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report. Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses an average of $2.2 million, with 60 percent of small businesses going out of business within six months of the…
The end of 2018 saw heightened activity surrounding the EU-U.S. Privacy Shield Framework. This blog post provides a news roundup on the following developments:
• The European Commission’s (the “Commission”) December 19th report (the “Report”) summarizing the second annual joint review that was held in October 2018.
• The Report’s February 28, 2019 deadline for the U.S. to identify a nominee to permanently fill the Ombudsperson position required by the EU-U.S. Privacy Shield Framework.
•…