Proskauer on Privacy

2022 Trends in Privacy and Data Security Law

As the National Security Agency (NSA) noted in its 2022 cybersecurity yearly review, “[c]yberspace is dangerous.”

Reports of sophisticated cyberattacks and ransomware threats were prevalent in the past year. The government, manufacturers, and others further developed standards for securing digital infrastructure like 5G, cloud services, cryptography, internet protocols, and internet of things (IoT) devices. In addition to keeping up with data security regulatory developments, in the absence of comprehensive federal data protection regulation, businesses face an increasing array of state privacy laws.

Organizations must keep up with the dynamic and increasing legal obligations governing privacy and data security, understand how they apply, monitor cyber risks and attack trends, and manage their compliance to minimize exposure.

Read our Practical Law article for an extensive overview of the past year’s privacy and data security legal developments and predictions for issues to look out for in 2023.

FTC’s One-Two Punch on Data Tracking and Health Privacy

On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third-party advertising platforms without first obtaining affirmative consent and allegedly contrary to certain privacy representations. The proposed order requires the company to pay $7.8 million in partial refunds to BetterHelp customers. This is the first time that the FTC has required a company to return money to its customers whose personal information was shared without consent. Going forward, BetterHelp is not permitted to share sensitive health information and PI without obtaining affirmative consent from the patients and customers. BetterHelp is also required to overhaul its privacy program and request that any outside parties that received the consumers’ sensitive data delete such information.

Shining a Light on the Corporate Transparency Act: FinCEN’s Rules for Beneficial Ownership Reporting

On January 1, 2021, Congress enacted the Corporate Transparency Act as part of the Anti-Money Laundering Act of 2020 to “better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.” FinCEN issued the final rule on Beneficial Ownership Information Reporting Requirements on September 29, 2022, requiring a range of entities, primarily smaller, otherwise unregulated companies, to file a report with FinCEN identifying the entities’ beneficial owners—the persons who ultimately own or control the company—and provide similar identifying information about the persons who formed the entity. On December 16, 2022, FinCEN proposed the Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities rule laying out the protocols for access to the beneficial ownership database by authorized recipients, while still maintaining the highest levels of data protection and oversight.

Read the full client alert here.

Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?

Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach. In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing. Greenstein et al v. Noblr Reciprocal Exchange, No. 4:2021cv04537 (N.D. Cal. 2022).

Travelling outside the EU: French Data Protection Authority Publishes a Checklist to Secure Phones and Laptops

Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.

Read the full article on International Employment Lawyer.

HHS Bulletin: Covered Entities’ Disclosure of PHI Collected via Online Tracking Technologies Falls under HIPAA

On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app,” which is then analyzed by website owners, app operators or third parties to create user profiles or garner insights into users’ online activities.

Paying the Ransom in Response to a Ransomware Attack can Sometimes Backfire

One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom. Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations.
