In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make. 

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
Continue Reading  FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices

The California Attorney General’s Office recently released a fourth set of proposed regulatory modifications to the California Consumer Privacy Act (the “CCPA”).

As background, the Attorney General’s Office had only just recently given notice of a third set of modifications on October 12, 2020.  The third set of modifications revised the regulations relating to the

On November 4, 2020, California voters approved of the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”).  The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”).

As background, the original CCPA

Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).

To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance.  First, it

On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA).  The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.

Continue Reading  Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order

On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.

As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance).
Continue Reading  Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”