On January 1, 2021, Congress enacted the Corporate Transparency Act as part of the Anti-Money Laundering Act of 2020 to “better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.” FinCEN issued the final rule on Beneficial Ownership Information Reporting Requirements on September 29, 2022 requiring a range of entities, primarily smaller, otherwise unregulated companies, to file a report with FinCEN identifying the entities’ beneficial owners—the persons who ultimately own or control the company—and provide similar identifying information about the persons who formed the entity. On December 16, 2022, FinCEN proposed the Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities rule laying out the protocols for access to the beneficial ownership database by authorized recipients, while still maintaining the highest levels of data protection and oversight.
Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?
Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach. In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing. Greenstein et al v. Noblr Reciprocal Exchange, No. 4:2021cv04537 (N.D. Cal. 2022). Continue Reading
Travelling outside the EU: French Data Protection Authority Publishes a Checklist to Secure Phones and Laptops
Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL) published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.
HHS Bulletin: Covered Entities’ Disclosure of PHI Collected via Online Tracking Technologies Falls under HIPAA
On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app,” which is then analyzed by website owners, app operators or third parties to create user profiles or garner insights into users’ online activities. Continue Reading
Paying the Ransom in Response to a Ransomware Attack can Sometimes Backfire
One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom. Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations. Continue Reading
SolarWinds: A Lesson on How Companies Victimized by Data Breaches Can Quickly Become the Target of Litigation and Regulatory Investigations
In 2020, SolarWinds Corp., a company that provided information technology software to private and government entities, was the victim of a cybersecurity breach. Russian hackers are believed to have slipped malicious code into a SolarWinds software product called Orion, which was then used to infect, and in certain cases, compromise, SolarWinds customers. As a consequence, SolarWinds found itself the target of litigation, including a derivative suit before the Delaware Court of Chancery in Construction Industry Laborers Pension Fund v. Bingle. Continue Reading
Amazon’s Recent Acquisitions Highlight the Value of Consumer Data (and the Evolving Privacy Issues)
Roughly two weeks apart, on July 21, 2022 and August 5, 2022, respectively, Amazon made headlines for agreeing to acquire One Medical, “a human-centered and technology-powered primary care organization,” for approximately $3.9 billion and iRobot, a global consumer robot company, known for its creation of the Roomba vacuum, for approximately $1.7 billion. These proposed acquisitions have drawn the scrutiny of the Federal Trade Commission (FTC), which following President Biden’s 2021 Executive Order on antitrust and competition, has taken a more aggressive stance toward acquisitions by large technology companies in an effort to, in FTC Chair Lina Khan’s words, “prevent incumbents from unlawfully capturing control over emerging markets.” Continue Reading
