The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021. This settlement activity followed a few other significant HIPAA developments
On January 6, 2021, a bipartisan group of New York state lawmakers released a copy of Assembly Bill 27 (AB 27), the New York Biometric Privacy Act. If New York passes AB 27, it will join Illinois, Texas, and Washington as states that have adopted laws that strictly regulate the notice, collection, and handling…
With the ongoing COVID-19 crisis leaving businesses of all sizes concerned about the short- and medium-term future, the intimidating task of considering a liquidation or restructuring is inevitably starting to become a reality. Although privacy in the bankruptcy context is nothing new—especially in the context of personally identifiable information (“PII”) held by a company—it…
Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements. The OCR announcement and accompanying…
On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.
Five amendments passed: AB 25, 874, 1146, 1355, and 1564. …
Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.
The Texas CPA bears a strong similarity to the California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:
- Derive at least 50% of their annual revenue selling consumers’ personal information; or
- Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
- Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes.
The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
- A consumer’s right to disclosure, from the business, of the personal information the business collected.
- A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
- A consumer’s right to opt out of the sale of his or her personal information.
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.…
Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure “The California Consumer Privacy Act of 2018” appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.
California Voters Likely to Consider Enacting GDPR-Like Privacy Law in November
The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N). The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.
The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs. “Skimming” is an ‘old school’ hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped. Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states.…
Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor. A copy of the new law is available here. The most notable changes are as follows:
Oregon Amends Data Breach Notification and Information Security Laws