Privacy Law Blog

Category Archives: Legislation


DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million in Two False Claims Act Settlements for Alleged Cybersecurity Violations

Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages the False Claims Act (“FCA”) …

California Privacy Protection Agency Released Proposed CPRA Regulations

The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA.…

Department of Health and Human Services Issues Request for Information on Cybersecurity Standards

The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry-recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6, 2022 to submit comments. HHS …

Growing Risks to Corporate Groups and the Global PE Industry from Robust European Privacy and Cybersecurity Enforcement

Since the EU General Data Protection Regulation (“GDPR”) came into effect in May 2018 there have been numerous high-profile enforcement actions (~US$880m is the largest GDPR fine to date) and private litigation (including class-action type claims). Notable fines have included the ~US$25m fine levied in October 2020 by the UK’s GDPR regulator against Marriott International for …

ONC Releases Interoperability Frameworks

The 21st Century Cures Act directed the National Coordinator to “develop or support a trusted exchange framework, including a common agreement among health information networks nationally.” Fulfilling that mandate, the Office of the National Coordinator (“ONC”) for Health Information Technology released the “Trusted Exchange Framework and the Common Agreement” for health record interoperability. The two …

Preparing for the Final Version of the New EU Standard Contractual Clauses for International Data Transfers

It has been reported that the European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European …

Regulatory Crackdown on Ransomware

In recent years, ransomware has evolved from merely encrypting files or disabling networks to extract a ransom into sophisticated attacks that often involve actual data access, theft and, sometimes, the threat of publication. These sophisticated malware attacks frequently destroy backups and give criminals even more leverage over their victims, coercing them to pay ransoms. Ransomware does not …

One More Year: Attorney General Issues Final Regulations as CA Legislature Delays Some Compliance Obligations

Qualifying businesses have another year to comply with certain major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know …

HHS to Exercise Enforcement Discretion to Permit HIPAA Business Associates to Use and Disclose PHI to Public Health Authorities during the COVID-19 Health Crisis

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy …

Employees Will Be Exempted from Most Requirements of the Amended California Consumer Privacy Act… For Now

In an effort to give consumers more control over the data businesses collect from and about them, the California legislature passed the California Consumer Privacy Act (CCPA) in 2018 (and amended it a few months later). The CCPA gives consumers the right to know about, and to have deleted, the data businesses have gathered about them, among …

CCPA Legislative Round-Up: Winners and Losers

Businesses and California consumers are one step closer to understanding what their respective obligations and rights are under the California Consumer Privacy Act of 2018 (the “CCPA”). The CCPA is California’s landmark legislation that seeks to give California consumers the rights to learn about and control certain aspects of how a business handles the personal …

The New SHIELD Act Changes Breach Notification Rules and Data Security Standards for New Yorkers’ Personal Information

Reflecting the movement to toughen data security laws on a state-by-state basis, on July 25, 2019, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”). The Act amends New York State’s current data breach notification law, which covers breaches of certain personally-identifiable computerized data …

The European Parliament Approves EU-Wide Standard for Whistleblower Protection

Per our previous post, the European Parliament and the Member States agreed to adopt new rules that would set the standard for protecting whistleblowers across the EU from dismissal, demotion, and other forms of retaliation when they report breaches of various areas of EU law. According to a press release issued by the European Parliament …

EU Agrees to Set the Floor for Whistleblower Protection Across All Member States

According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform, which was first proposed by …

New York DFS Cybersecurity September 2018 Deadline

The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements. By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 …

South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without a data breach notification law. As of July 2018, Alabama will be the last state without a data breach …

Colorado and Vermont Adopt Cybersecurity Rules Covering Broker-Dealers and Investment Advisers

State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont. The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider …

Update on FCC Privacy Rules

We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC …

New York Department of Financial Services Provides Guidance on Cybersecurity Regulation; Colorado Financial Regulator Proposes Cybersecurity Rules Affecting Broker-Dealers and Investment Advisers

In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of a frequently asked questions (“FAQ”) document …

New York Department of Financial Services Finalizes Cybersecurity Proposal

On February 16, 2017, the New York Department of Financial Services (the “DFS”) released a final version (the “Final Regulation”) of its proposed regulation, previously released in an earlier revised form on December 28, 2016, that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections …

Draft Privacy and Electronic Communications Regulation published by European Commission

The European Commission has released proposals for new legislation that seeks to create stronger privacy in electronic communications. The draft Privacy and Electronic Communications Regulation (the “Regulation”) is intended to replace the ePrivacy Directive (2002/58/EC) and will also bring the law in line with the new rules as set out in the General Data Protection …

New York Department of Financial Services Revises Cybersecurity Proposal: Greater Flexibility and Delayed Compliance Deadlines

As we previously reported, in December 2016 the New York Department of Financial Services (the “DFS”) announced that it was revising its proposed regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Original Proposal”). On December 28, 2016, the DFS released a …