As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country.

The bill’s sponsors also left little doubt that the proposed legislation was a reaction to the Equifax data breach. At a committee hearing held in Denver on February 14, co-sponsor Jeff Bridges (D-Arapahoe County) began his remarks by specifically identifying the Equifax breach as his motivation for sponsoring the bill. During his remarks, co-sponsor Cole Wist (R-Arapahoe County) stated that the legislation would provide some of the strongest protections for consumers in the country.

The Colorado legislature’s efforts are another reminder that states are continuing to take the lead in enacting privacy and cybersecurity legislation in the face of federal inaction.

For a discussion of the amended bill, see our alert – Update on Colorado’s Proposed Privacy and Cybersecurity Legislation. To listen to the committee hearing, including testimony from Ballard Spahr partner David Stauss, click here.

The GDPR’s impact on the ability of U.S. litigants to conduct discovery of EU personal data is an issue that has received scant legal analysis. In a recent article for The Legal Intelligencer, Philip N. Yannella discusses the challenges, and potential costs, awaiting U.S. litigants as they attempt to conduct EU discovery under the GDPR.

You can check out the article here.

Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016.  But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.

The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information.  The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Fllefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect. Continue Reading Closure of Business Does Not Foreclose HIPAA Liabilities

The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records  in an improperly protected internal network. This fact was discovered after an unknown third-party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP.  Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program. Continue Reading CFTC Settles Charges Against AMP Global Clearing for Failing to Supervise Implementation of its Security Program

The Philadelphia Eagles’ Super Bowl aspirations dimmed on a late autumn afternoon when two Ram defenders hammered their star quarterback, Carson Wentz, on a run to the end zone that was called back for a penalty. Wentz stayed in the game and threw a touchdown pass, but soon disappeared into the locker room for the remainder of the game. By mid-week, the medical reports confirmed what most Eagles fans already seemed to know: Wentz had torn ligaments in his knee and was finished for the season.

In the two weeks leading to the Super Bowl, sports media filled time and space with stories about the cut on Tom Brady’s hand and Rob Gronkowski’s expected clearance to play after suffering a concussion.

How, in the world of HIPAA privacy and security was so much medical information available for public consumption? Continue Reading What the Super Bowl Can Teach Us About HIPAA

The SEC Office of Compliance Inspections and Examinations (OCIE) has announced its 2018 examination priorities. Unsurprisingly, cybersecurity remains among the key priorities. OCIE has included cybersecurity as an examination topic since at least 2014.

OCIE released its 2018 priorities to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE conducts the SEC’s National Exam Program (NEP), whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examinations of broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities. Continue Reading SEC Continues to List Cybersecurity Among OCIE Examination Priorities

Massachusetts Attorney General Maura Healey has unveiled a new, “easier and more efficient” way to notify her office of data breaches. The Massachusetts Attorney General’s Office has created an online portal and web form for submitting data breach notifications.  An email announcing the changes was transmitted this week to attorneys who have previously filed data breach notices on behalf of clients. The email requested our “assistance in passing the message along,” which we are hereby doing.

Attorney General Healey stated, “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”  The Attorney General Office’s website will soon include a publicly accessible database of data breaches reported to the Office. Other states, including California and Maryland, have similar public databases.

Continue Reading Massachusetts Attorney General Launches Online Data Breach Reporting Portal

Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.

The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect.  Such programs should include, at a minimum: Continue Reading Lyft Employees Demonstrate Need for Privacy Compliance Management

In the second part of a podcast series on autonomous driving vehicles, Philip N. Yannella, Co-Practice Leader of Ballard Spahr’s Privacy and Data Security Group, speaks to Joe Raczynski, a legal technologist and futurist for Thomson Reuters Legal, about the security and regulatory issues affecting driverless vehicles. Continue Reading Check Out Our Podcast on Autonomous Driving Vehicles

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012. Continue Reading OCR Announces HIPAA Settlement For Data Security Breaches