On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as
Data security
The Cost of a Click: Microsoft fined 60 Million Euros by French Privacy Watchdog for French Data Protection Act Violations
On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any…
Pennsylvania Amends Data Breach Notification Law
In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with…

FTC Extends Deadline by Six Months for Updated Safeguards Rule
On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.
The FTC approved changes to the longstanding Safeguards Rule in…

Verdict in Favor of Plaintiffs in First BIPA Jury Trial – Potential Damages Still Unresolved
The jury returned a verdict in favor of the plaintiffs in the first trial for violations of the Illinois Biometric Privacy Act (“BIPA”), which was conducted in the District Court for the Northern District of Illinois. Rogers v. BNSF Ry. Co., No. 1:19-cv-03083. A jury found that BNSF Railway violated BIPA by maintaining an…
Webinar Recording – Crypto Breaches: Legal & Regulatory Update
The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year. Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year. Not surprisingly, this surge in crypto breaches has led to litigation. In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and…
A Fast Start: 2021 Begins With Major HIPAA Developments
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
…
Continue Reading A Fast Start: 2021 Begins With Major HIPAA Developments
Hackers Capitalizing on Coronavirus
As people across the country and world try to figure out how to protect themselves against the spread of coronavirus, hackers are working hard to spread their own viruses. Indeed, various cybersecurity firms have reported that the amount of malicious emails containing the word “coronavirus” has significantly increased since the end of January.
Many of…
Health System Hit with More than $2 Million in Civil Penalties under HIPAA
Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements. The OCR announcement and accompanying…
Closure of Business Does Not Foreclose HIPAA Liabilities
Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016. But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.
The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information. The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Fllefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.
Continue Reading Closure of Business Does Not Foreclose HIPAA Liabilities