Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.

For more information and to register please click here.

 

The online world is increasingly shaped by forces beyond our control.  Algorithmic processing agents are used by a wide range of web publishers, online retailers and social media companies to determine the kinds of stories that are feature to online readers, the advertisements that are targeted to online shoppers, and the search results they see, to name just a few of the ways in which these hidden programs predict the shape and content of our online experience.

US and EU privacy regulators have developed different models for managing the potential negative impacts of online profiling. In a recent article for the ABA Journal of Media, Information and Communications Law, Ballard Partner Phil Yannella examines these differing approaches.

Thank you to everyone who attended our webinar on the California Consumer Privacy Act of 2018.  For those who were unable to attend, you can listen to the recording here and obtain a copy of the slide deck here.  To access the recording, please fill in the requested information under “Register Now,” select “Yes, I will attend,” and click “Register.”

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard.  The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices.  Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR.  Continue Reading Using the GDPR to Comply with the California Consumer Privacy Act

 

We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation.  Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

Imagine a breach in the privacy of protected health information.  The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA.  Courts have consistently held that HIPAA provides no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated.  When hospitalized, she had been  asked to submit medical information on a computer.  She alleged that the information she entered was visible to another patient at a nearby computer station.  The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation.  It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract.  Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses.  Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation. Continue Reading HIPAA Enforcement: Where’s the Action?

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the “grave, grave concerns” expressed by lawmakers.

Lawmakers were willing to enact the flawed legislation based on an assurance from the leader of the ballot measure that he would not submit the measure if the legislation was passed. However, because the deadline to submit ballot measures was June 28, 2018, lawmakers had to rush the legislation through both houses. And, since state law requires that legislation be in print for at least 72 hours before a vote, lawmakers had no opportunity to offer amendments.

Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, both houses would have been required to approve any changes by a 70 percent vote instead of a simple majority. Also, because the legislation does not go into effect until January 1, 2020, lawmakers theoretically can fix any problems in the intervening time frame.

Despite its tumultuous legislative history, the legislation—titled the California Consumer Privacy Act of 2018—grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a “business” under the Act will need to comply with the law or risk substantial financial penalty.

Continue Reading California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State