We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation.  Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

Imagine a breach in the privacy of protected health information.  The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA.  Courts have consistently held that HIPAA provides no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated.  When hospitalized, she had been  asked to submit medical information on a computer.  She alleged that the information she entered was visible to another patient at a nearby computer station.  The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation.  It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract.  Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses.  Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation. Continue Reading HIPAA Enforcement: Where’s the Action?

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the “grave, grave concerns” expressed by lawmakers.

Lawmakers were willing to enact the flawed legislation based on an assurance from the leader of the ballot measure that he would not submit the measure if the legislation was passed. However, because the deadline to submit ballot measures was June 28, 2018, lawmakers had to rush the legislation through both houses. And, since state law requires that legislation be in print for at least 72 hours before a vote, lawmakers had no opportunity to offer amendments.

Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, both houses would have been required to approve any changes by a 70 percent vote instead of a simple majority. Also, because the legislation does not go into effect until January 1, 2020, lawmakers theoretically can fix any problems in the intervening time frame.

Despite its tumultuous legislative history, the legislation—titled the California Consumer Privacy Act of 2018—grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a “business” under the Act will need to comply with the law or risk substantial financial penalty.

Continue Reading California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State

The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million dollars in penalties against the Center for violations of HIPAA’s privacy and security rules.  In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives.  None of these devices was encrypted, and the laptop was not password protected. Continue Reading Appeals Board Upholds $4.3 Million in HIPAA Penalties Against Hospital

On June 27, 2018, Ballard Spahr partner David Stauss will speak at the Practicing Law Institute’s inaugural Internet of Things Conference in San Francisco. The full-day conference is also available via webcast.

The program will bring together industry leaders to discuss various issues with the rapidly changing landscape of IoT devices.  In his panel, “Cybersecurity & Privacy: What are the Risks of IoT Devices and how Privacy Rights can be Protected,” Mr. Stauss and his co-panelists will explore the emerging government and industry regulation surrounding IoT devices, including FTC action and guidance and proposed state, federal and international laws and regulations.

Ballard Spahr has two complimentary passes available for the conference. Interested individuals should email Mr. Stauss directly at staussd@ballardspahr.com.

With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure “The California Consumer Privacy Act of 2018” appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.

Continue Reading California Voters Likely to Consider Enacting GDPR-Like Privacy Law in November

Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with the elevation in operational risk “as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”  The Report also focused on elevated compliance risk associated with bank efforts to “manage money-laundering risks in a complex environment.”

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, leaving readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of greater business opportunities, but also greater operational and compliance risks. Continue Reading OCC Semiannual Risk Perspective Highlights Cybersecurity, Fraud, Money Laundering Concerns

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation