In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy. Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law. An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it. An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets. Continue Reading The Importance of Information Security Plans
Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program. One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement. Continue Reading More FTC Privacy Shield Settlements, But Will It Be Enough For The EU?
On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act
On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000. In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.” In all three separate investigations, OCR found deficiencies. While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate. In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations. Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”
In March of this year, we told you that the D.C. Circuit Court of Appeals issued a decision in ACA Int’l. v. FCC, wherein the court set aside two FCC interpretations of the Telephone Consumer Protection Act, or TCPA. Specifically, the court ruled that the FCC’s interpretation as to what constitutes an autodialer under the TCPA was unreasonably expansive, and that the FCC’s treatment of reassigned numbers was also overly broad.
On May 22, the United States District Court for the Northern District of Georgia, Atlanta Division, issued a decision further restricting the scope of the TCPA. By way of reminder, the Congress passed the TCPA in 1991 in an effort to curb robo calls. The case involved calls made by a debt collector to a former Comcast customer. She sued, claiming that the calls were impermissible under the TCPA. An essential aspect of the TCPA claim at issue was that the call must be made through the use of an “automatic telephone dialing system”, or ATDS, as defined in the statute. Continue Reading District Court Gives Narrow, Reasonable Scope to TCPA
Yesterday, the Securities and Exchange Commission (SEC) announced an important administrative settlement with Altaba (Yahoo) related to the company’s failure to disclose a major security breach to its users and investors. Under the terms of the settlement, the company agreed to pay a $35 million civil money penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts. Continue Reading Yahoo Settles Claims by SEC regarding 2014 Data Breach
In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue Reading Uber Goes 0-2 in Data Breach Notifications
On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.
On March 16, a year and a half after hearing oral argument, the D.C. Circuit Court of Appeals issued a long-awaited decision overturning two of the Federal Communications Commission’s (FCC) far-reaching interpretations of the Telephone Consumer Protection Act of 1991 (TCPA). A number of regulated entities filed an action against the FCC challenging several of the FCC’s conclusions in a 2015 order related to cell phones. Continue Reading D.C. Circuit Reins in FCC’s Overbroad TCPA Interpretations
Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification although such legislation is currently pending in that state.