On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself … Continue Reading
Cybersecurity awareness recently took center stage in the healthcare industry when the Department of Health and Human Services (HHS) issued comprehensive risk-prioritized cybersecurity best practices to combat top threats. HHS mapped this guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, cross-referencing 88 individual sub-practices for healthcare organizations of all sizes. The … Continue Reading
Google recently defeated claims that it violated Illinois’s Biometric Identification Privacy Act (“BIPA”) by collecting and retaining facial scans created from photographs uploaded by Google Photos users without obtaining consent and complying with other statutory requirements. The federal court ultimately held that plaintiffs failed to allege a concrete injury sufficient for Article III standing. Finding … Continue Reading
In Illinois, the courts are grappling with an issue akin to the Article III standing issues that courts have been analyzing in post-breach cases for years, that is, whether a plaintiff must claim actual harm as a result of a statutory violation or whether the violation is sufficient by itself to support standing to sue.… Continue Reading
The Food and Drug Administration (FDA) has recently issued several cybersecurity and medical device initiatives as part of the agency’s increased focus on digital health. These initiatives include draft cybersecurity guidance for medical devices, increased coordination with the Department of Homeland Security, and the promotion of artificial intelligence. Elliot Golding and Jennifer Tharp provided an … Continue Reading
Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws. The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data … Continue Reading
Personal location information held by a third party now receives heightened protection from disclosure to law enforcement. Thanks to Timothy Ivory Carpenter, Cell Site Location Information (“CSLI”) is now part of our vernacular. More important, in light of the Supreme Court’s June 2018 ruling in Carpenter v. United States, a company’s collection and retention of … Continue Reading
California’s newly enacted Consumer Privacy Act of 2018 is the strictest of the US’s patchwork of privacy-related regulations. The Act will impact any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means … Continue Reading
In an article posted in Law360 Expert Analysis on May 22, 2018, Squire Patton Boggs partner Elliot Golding describes how the rise of health care smart devices and tracking apps has intensified the focus on data privacy and cybersecurity within the health care industry. Subsequently, new and proposed government and regulatory initiatives are underway. Additional … Continue Reading
Elliot Golding, in a podcast interview with Healthcare InfoSecurity, discusses progressing healthcare privacy and security issues, especially complex issues involving Internet of Things (IoT) devices. Topic points include new risks when connected devices link to legacy systems, the applicable regulatory environment, and other important issues companies operating in the health care space need to confront … Continue Reading
In a first of its kind, the SEC recently fined Yahoo US$35 million for failing to assess and disclose a 2014 data breach that affected over 500 million user accounts. What caused the SEC to charge Yahoo with cybersecurity-related disclosure violations? Our colleagues Tara Swaminatha and Coates Lear have prepared an analysis of this enforcement action, including … Continue Reading
With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy. Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data … Continue Reading
Overview of Recent Settlement Actions: Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at … Continue Reading
In a Joint Statement issued this week, the Federal Financial Institutions Examination Council (“FFIEC”) – which comprises the principals of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee – cautioned the … Continue Reading
On March 22, 2018, our readers were directed to a post published on our sister Anticorruption Blog which discussed the then-proposed CLOUD Act. The act was signed into law as part of the Omnibus Spending Bill on March 23, 2018. In Part 2 of her article, Ericka Johnson focuses on The … Continue Reading
In Part 1 of an upcoming series of posts on our sister Anticorruption Blog, DC-based associate Ericka Johnson explores the recently proposed CLOUD Act and the increasing gap between technology and the law. Of special interest to our readers, The CLOUD Act updates standards for when governments may be able to obtain information stored outside … Continue Reading
On February 27, 2018 the Supreme Court heard arguments surrounding the privacy of data stored abroad and the reach of U.S. search warrants to retrieve such data. While the Supreme Court decides the merits of United States v. Microsoft, Congress will debate on overhauling the Stored Communications Act (“SCA”) to reflect technological advances that were … Continue Reading
The HHS Office of Civil Rights announced earlier this month that a court appointed receiver for Illinois moving and storage company, Filefax, has entered into a resolution agreement and corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules. The receiver for Filefax, which went out of business during OCR’s investigation, … Continue Reading
Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, the documents also … Continue Reading
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 27 November 2017.… Continue Reading
There is an increasing recognition of the need to improve cybersecurity in the healthcare sector (particularly relating to medical devices). For example, the Chairman of the House of Representatives’ Committee on Energy and Commerce recently asked HHS in a formal letter to “develop a plan of action for creating, deploying, and leveraging [bill of materials] … Continue Reading
In Eichenberger v. ESPN, Case No. 15-35499 (Nov. 29, 2017), the United States Court of Appeals for the Ninth Circuit affirmed the district court judgment holding that the serial numbers on a consumer’s video streaming device and the titles of the videos an individual watches do not constitute personally identifiable information (PII) under the Video Privacy Protection … Continue Reading
In another lawsuit against Equifax, the Independent Community Bankers of America (ICBA), on behalf of thousands of community banks, seeks to hold Equifax accountable for the July 2017 data breach that potentially affected more than 145.5 million consumers. ICBA, along with Bank of Zachary and First State Bank, filed the class action last week in … Continue Reading
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 6 November 2017.… Continue Reading