2022 Trends in Privacy and Data Security Law

As the National Security Agency (NSA) noted in its 2022 cybersecurity yearly review, “[c]yberspace is dangerous.”

Reports of sophisticated cyberattacks and ransomware threats were prevalent in the past year. The government, manufacturers, and others further developed standards for securing digital infrastructure like 5G, cloud services, cryptography, internet protocols, and internet of things (IoT) devices. In addition to keeping up with data security regulatory developments, in the absence of comprehensive federal data protection regulation, businesses face an increasing array of state privacy laws.

Organizations must keep up with the dynamic and increasing legal obligations governing privacy and data security, understand how they apply, monitor cyber risks and attack trends, and manage their compliance to minimize exposure.

Read our Practical Law article for an extensive overview of the past year’s privacy and data security legal developments and predictions for issue to look out for 2023.

Tags: cyber risk, cybersecurity, Data Privacy Laws, data security, internet of things (IoT), National Security Agency (NSA), privacy law, State Privacy Laws

FTC’s One-Two Punch on Data Tracking and Health Privacy

By Ryan P. Blaney and Jonathan Mollod on March 3, 2023 Posted in Data Privacy Laws, FTC Enforcement, HIPAA

On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform, BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third party advertising platforms without first obtaining affirmative consent and allegedly contrary to certain privacy representations. The proposed order requires the company to pay $7.8 million in partial refunds to BetterHelp customers. This is the first time that the FTC has required a company to return money to its customers whose personal information was shared without consent. Going forward BetterHelp is not permitted to share sensitive health information and PI without obtaining affirmative consent from the patients and customers. BetterHelp is also required to overhaul its privacy program and request that any outside parties that received the consumers’ sensitive data delete such information. Continue Reading

Tags: consumer health data, data privacy, Data Privacy Laws, data tracking, FEDERAL TRADE COMMISSION (FTC), FTC, FTC enforcement, Health Breach Notification Rule, healthcare, HIPAA, personal information, personal information (PI), protected health information (PHI)

Shining a Light on the Corporate Transparency Act: FinCEN’s Rules for Beneficial Ownership Reporting

By Andrew Bettwy, Ryan P. Blaney, Stephanie Heilborn, Jeffrey A. Horwitz, Seetha Ramachandran, Yuval Tal, Elanit Snow, Amy Gordon and Portia Proctor on January 18, 2023 Posted in Cybersecurity, Data Privacy Laws, Legislation, Privacy Law, Privacy Litigation, SEC, Securities and Shareholder Litigation

On January 1, 2021, Congress enacted the Corporate Transparency Act as part of the Anti-Money Laundering Act of 2020 to “better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.” FinCEN issued the final rule on Beneficial Ownership Information Reporting Requirements on September 29, 2022 requiring a range of entities, primarily smaller, otherwise unregulated companies, to file a report with FinCEN identifying the entities’ beneficial owners—the persons who ultimately own or control the company—and provide similar identifying information about the persons who formed the entity. On December 16, 2022, FinCEN proposed the Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities rule laying out the protocols for access to the beneficial ownership database by authorized recipients, while still maintaining the highest levels of data protection and oversight.

Read the full client alert here.

Tags: ANTI-MONEY LAUNDERING (AML), BENEFICIAL OWNERSHIP INFORMATION (BOI), BENEFICIAL OWNERSHIP INFORMATION ACCESS AND SAFEGUARDS, CORPORATE TRANSPARENCY ACT, data protection, Financial Crimes Enforcement Network (FinCEN, FINANCIAL INSTITUTIONS, FINCEN, privacy law, REPORTING RULE, SECURITIES LAW, SECURITIES LITIGATION, WHITE COLLAR

Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?

By Ryan P. Blaney, Margaret A. Dale, Nolan Goldberg and Amy Gordon on December 16, 2022 Posted in Data Breaches, Identity Theft, Invasion of Privacy, Privacy Law, Privacy Litigation

Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach. In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing. Greenstein et al v. Noblr Reciprocal Exchange, No. 4:2021cv04537 (N.D. Cal. 2022). Continue Reading

Tags: California Consumer Privacy Act of 2018 (“CCPA”), California privacy laws, cybersecurity compliance, data breach, identity theft, Ninth Circuit, personal information, privacy litigation

Travelling outside the EU: French Data Protection Authority Publishes a Checklist to Secure Phones and Laptops

By Mathilde Pépin on December 16, 2022 Posted in Cybersecurity, Data Breaches, Data Privacy Laws, European Union, France, International, Privacy Law

Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL) published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.

Read the full article on International Employment Lawyer.

HHS Bulletin: Covered Entities’ Disclosure of PHI Collected via Online Tracking Technologies Falls under HIPAA

By Ryan P. Blaney, Danielle Brooks and Jonathan Mollod on December 14, 2022 Posted in Data Privacy Laws, HIPAA, Mobile Privacy, Online Privacy, Privacy Law

On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app,” which is then analyzed by website owners, app operators or third parties to create user profiles or garner insights into users’ online activities. Continue Reading

Tags: 45 CFR 160.103, business associate agreement (BAA), Compliance, consumer protection laws, data collection, Data Privacy Laws, health care, HIPAA, HIPAA Privacy Rule, IIHI, individually identifiable health information, Mobile Tracking, OCR Bulletin, Office for Civil Rights (OCR), online tracking technologies, privacy law, protected health information (PHI), technology, U.S. Department of Health and Human Services (HHS)

Paying the Ransom in Response to a Ransomware Attack can Sometimes Backfire

By Nolan Goldberg and Margaret Ukwu on December 2, 2022 Posted in Cybersecurity, Data Privacy Laws, Privacy Law, Privacy Litigation

One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom. Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations. Continue Reading

Tags: Cyber Readiness Report 2022, cybersecurity risk, data breach, privacy law, ransomware, Ransomware attacks

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.