Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).

To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance.  First, it

On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA).  The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.
Continue Reading  Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order

On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.

As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance).
Continue Reading  Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”

The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.

On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.”  In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters.
Continue Reading  SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard.  The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices.  Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable.
Continue Reading  What Does “Reasonable” Data Security Mean, Exactly?

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.
Continue Reading  NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements.
Continue Reading  South Carolina Enacts First Insurance Data Security Act

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading  The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)