On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA). This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlight the continued focus of regulators on online tracking practices and opt-out signals such
Real World Implications of Sephora
NYDFS Announces Draft Amendments to Cybersecurity Regulation
On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.
The Amendments contain three significant changes relating to ransomware. First, the Amendment specifically adds “the deployment of ransomware…
Webinar Recording – Dark Patterns: Legal & Regulatory Update
In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make.…
Financial Institutions Face Increasingly Stringent Federal Breach Reporting Requirements
The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting…
FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices
By Philip N. Yannella & Doris Yuen
Posted in Compliance, Data Breach, Federal Trade Commission (FTC), Health Care, Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Internet of Things (IoT), Mobile Devices, Personal Information, Regulatory Compliance
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources. …
California Attorney General Shows No Sign of Slowing CCPA Rulemaking with Fourth Set of Proposed Modifications
The California Attorney General’s Office recently released a fourth set of proposed regulatory modifications to the California Consumer Privacy Act (the “CCPA”).
As background, the Attorney General’s Office had only just recently given notice of a third set of modifications on October 12, 2020. The third set of modifications revised the regulations relating to the…
California Voters Approve CPRA
On November 4, 2020, California voters approved the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”). The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”).
As background, the original CCPA…
Ballard Spahr Q&A on Regulatory Risks Associated With Ransomware Negotiations
Posted in Cybersecurity, Ransomware, Regulatory Compliance
PDS Partners Phil Yannella and Greg Szewczyk recently participated in a Q&A with Net Diligence concerning the regulatory risks companies face when negotiating with ransomware threat actors. The Q&A is accessible on Net Diligence’s PDS blog.
Disclosing Information about the Novel Coronavirus under HIPAA
Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).
To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance. First, it…
California AG Issues Modified CCPA Regulations
On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA). The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which…