As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country.

The bill’s sponsors also left little doubt that the proposed legislation was a reaction to the Equifax data breach. At a committee hearing held in Denver on February 14, co-sponsor Jeff Bridges (D-Arapahoe County) began his remarks by specifically identifying the Equifax breach as his motivation for sponsoring the bill. During his remarks, co-sponsor Cole Wist (R-Arapahoe County) stated that the legislation would provide some of the strongest protections for consumers in the country.

The Colorado legislature’s efforts are another reminder that states are continuing to take the lead in enacting privacy and cybersecurity legislation in the face of federal inaction.

For a discussion of the amended bill, see our alert – Update on Colorado’s Proposed Privacy and Cybersecurity Legislation. To listen to the committee hearing, including testimony from Ballard Spahr partner David Stauss, click here.

Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016.  But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.

The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information.  The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Fllefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect. Continue Reading Closure of Business Does Not Foreclose HIPAA Liabilities

Massachusetts Attorney General Maura Healey has unveiled a new, “easier and more efficient” way to notify her office of data breaches. The Massachusetts Attorney General’s Office has created an online portal and web form for submitting data breach notifications.  An email announcing the changes was transmitted this week to attorneys who have previously filed data breach notices on behalf of clients. The email requested our “assistance in passing the message along,” which we are hereby doing.

Attorney General Healey stated, “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”  The Attorney General Office’s website will soon include a publicly accessible database of data breaches reported to the Office. Other states, including California and Maryland, have similar public databases.

Continue Reading Massachusetts Attorney General Launches Online Data Breach Reporting Portal

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012. Continue Reading OCR Announces HIPAA Settlement For Data Security Breaches

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.” Continue Reading South Dakota and North Carolina Consider New Data Security Legislation

The U.S. Supreme Court on Monday denied the petition for certiorari seeking review of the U.S. Court of Appeals for the Ninth Circuit’s most recent decision in Spokeo v. Robins (Spokeo II), foregoing an opportunity to clarify the confusion that has ensued since the Supreme Court’s 2016 decision in Spokeo (Spokeo I) on the issue of Article III standing. In Spokeo I, the Supreme Court held that intangible injury may satisfy the “concrete injury” requirement for standing, but lower courts have since struggled to apply the Court’s holding.

Click here to read Ballard Spahr’s full legal alert on this decision.

A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that have suffered a data breach, such as a 45-day deadline to provide notice to affected individuals. Click here for a discussion of the proposed legislation.

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here. Continue Reading New 2018 Data Breach Compliance Obligations Begin Going into Effect

2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.

Carpenter v. United States

We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider. Continue Reading Data Privacy Cases to Watch in 2018

Consumers are not the only ones suing retailers for payment card data breaches. The U.S. District Court for the Western District of Washington recently denied, in large part, a motion to dismiss a data breach class action brought by Veridian Credit Union, on behalf of itself and other financial institutions, against Eddie Bauer, LLC. The class action relates to a January 2016 payment card data breach that allegedly impacted “every Eddie Bauer store in the United States and Canada.”

The court dismissed Veridian’s negligence per se claim, but allowed Veridian’s negligence and state statutory claims to proceed. The court’s analysis of choice of law and negligence issues is worth a read. Continue Reading Federal Court Allows Credit Union Data Breach Class Action to Proceed Against Eddie Bauer