On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) and supplemental notice of proposed rulemaking (NPRM) to amend the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to implement certain security safeguards to protect their customers’ financial information against data breaches and cyberattacks. The FTC also issued another rule adopting largely technical revisions to the scope of its Privacy Rule, a separate GLBA rule that requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
Continue Reading FTC Strengthens GLBA Financial Safeguards and Privacy Rules
Philip N. Yannella
yannellap@ballardspahr.com | 215.864.8180 | view full bio
As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.
Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.
California Passes Suite of New Privacy Laws
By Philip N. Yannella & Kelsey Fayer on
California continues to be at the vanguard of privacy protection. On October 11, 2021 California’s Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022 and include:
- AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out
…
FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices
By Philip N. Yannella & Doris Yuen on
Posted in Compliance, Data Breach, Federal Trade Commission (FTC), Health Care, Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Internet of Things (IoT), Mobile Devices, Personal Information, Regulatory Compliance
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
Continue Reading FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices
Federal Court Holds that Cloud Service Provider is Subject to CMIA
By Philip N. Yannella, Gregory P. Szewczyk & Eric K. Temmel on
Posted in Consumer Protection, Litigation
On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.
Continue Reading Federal Court Holds that Cloud Service Provider is Subject to CMIA
California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out
By Philip N. Yannella & Doris Yuen on
With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.
Continue Reading California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out
Another Federal Court Orders Production of Data Breach Forensic Report
By Gregory P. Szewczyk, Philip N. Yannella, Mo Pham-Khan & Emily Klode on
Posted in Data Breach, Litigation
Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications. In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382,…
New York City’s Biometric Identifier Information Law Takes Effect
By Philip N. Yannella & Doris Yuen on
Posted in Biometrics, Data Protection
On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.
Continue Reading New York City’s Biometric Identifier Information Law Takes Effect
Ballard Spahr Partner, Phil Yannella, Authors Book on Data Breach and Privacy Litigation
By Philip N. Yannella on
Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation. The book, Cyber Litigation: Data Brach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase.
Continue Reading Ballard Spahr Partner, Phil Yannella, Authors Book on Data Breach and Privacy Litigation
The European Commission’s Adoption of New SCCs
By Philip N. Yannella, Mo Pham-Khan & Doris Yuen on
On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).
Continue Reading The European Commission’s Adoption of New SCCs
Supreme Court Limits the Scope of Computer Fraud and Abuse Act
By Philip N. Yannella on
Posted in Computer Fraud, Cybercrime
In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute.
Continue Reading Supreme Court Limits the Scope of Computer Fraud and Abuse Act