Archives: Data Protection


ACA’s Nondiscrimination Taglines and Notices Require Updating Your Notice of Privacy Practices

There has been confusion as to whether the Affordable Care Act’s nondiscrimination provision (“ACA”) affects a covered entity’s notice of privacy practices (“NPP”) or data breach notifications. OCR has issued guidance indicating that ACA does indeed impact NPPs. Moreover, breach notifications also likely are affected. Accordingly, i… Continue Reading

Employer-Sponsored Health Plan HIPAA Compliance Checklist

The administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA) impose obligations on employer-sponsored group health plans. Given recent high-profile HIPAA enforcement actions, employers should understand their compliance obligations. This checklist is inten… Continue Reading

Time to Update Your Privacy Statement for GDPR

Although the EU General Data Protection Regulation comes into force in May 2018, European regulators are still producing guidance and member states are still adopting legislation to accommodate national differences. Put simply, it is unclear how to prepare for the GDPR in relation to some issues. For other issues, however, companies can confidently ac… Continue Reading

Draft Cybersecurity Legislation Would Impose Substantial New Obligations on Vendors Selling Interconnected Devices to the U.S. Government

On Tuesday, August 1, 2017, a bipartisan group of four Senators from the Senate Cybersecurity Caucus introduced legislation designed to improve the cybersecurity of devices purchased by the U.S. government and – albeit indirectly – sold anywhere in the U.S. or the world.

The legislation – the “Internet of Things (IoT) Cybersecurity Improvemen… Continue Reading

How to Use the GDPR as Your Competitive Advantage: Focus on the Carrot, Not the Stick

Ample bandwidth has been eaten by panicky commentary over the fines possible under the EU’s upcoming General Data Protection Regulation (GDPR). Sure, the GDPR arms EU data protection authorities with a hefty compliance stick. Yet the focus on exorbitant fines seems a bi… Continue Reading

The Chinese Government Issues Draft Cybersecurity Regulations to Protect Critical Information Infrastructure

On June 10, 2017, the Cyberspace Administration of China (the “CAC”) released the Draft Regulations on the Security Protection of Critical Information Infrastructure (the “Draft Regulations” 《关键信息基础设施安全保护条例(征求意见稿)》). The CAC is seeking public comments with a deadline of August 10, 201… Continue Reading

Washington’s New Biometric Privacy Law: What Businesses Need to Know

With the rise in hacks and data breaches, companies and government agencies are looking for ways to protect their data that offer more security than passwords. Because passwords are easily lost, stolen, guessed, and cracked by attackers, companies are shifting to the use of biological characteristics that uniquely identify you, called biometric iden… Continue Reading

(Connected) Toy Story: The FTC Updates the COPPA Compliance Plan

The Federal Trade Commission (“FTC”) recently issued an updated “Six-Step Compliance Plan for Businesses” (“Compliance Plan”) for entities subject to the Federal Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501-6506, to “reflect developments in the marketplace—for example, the introduction of int… Continue Reading

Data-Driven Marketing and the GDPR: the Data Brokers’ Conundrum

The digital marketing industry is powered by information about individuals (“personal data”) that pulses through a supply web. As this FTC infographic shows, some industries such as retail, energy, financial services, and health care, have direct relationships with those individuals. Other industries, such as data marketing, generally are at l… Continue Reading

Tick Tock Tick Tock, When a Breach Occurs, You’re on the Clock!

As a reminder that state attorneys general have enforcement authority over breach notifications, the New York Attorney General recently announced a $130,000 settlement for failing to provide breach notification in a reasonable time. Organizations should ensure that they are prepared to quickly provide required notifications in the event of a breac… Continue Reading

Webinar Recording: New Guidance on HIPAA: Nine Changes to Make

While there have not been significant regulatory changes to HIPAA since 2013, that doesn’t mean that compliance can be static. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance in several areas, ranging from an individual’s right of access to ransomware to vi… Continue Reading

GDPR matchup: The Health Insurance Portability and Accountability Act

This article first published in the IAPP’s Privacy Tracker blog.

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your effo… Continue Reading

China’s Cybersecurity Regulators Issue Procedural Rules to Strengthen Enforcement Power

For the past several years, the Cyberspace Administration of China (the “CAC”) has risen to a very important status among the Chinese national government’s agencies. However, it has lacked a specific procedural law empowering it to take specific enforcement actions. Against this background, the CAC issued the Provisions on Administrative Law Enforcem… Continue Reading

Public Still Must Be Kept Private Under HIPAA

A not-for-profit health care system recently agreed to pay the Department of Health and Human Services (HHS) $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act (HIPAA) violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and poli… Continue Reading

A Draft Won’t Do: OCR Settles with CardioNet $2.5M for Failing to Finalize Policies and Procedures

On April 24, 2017, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has paid $2.5 million to settle alleged HIPAA violations. This is the first HIPAA settlement involving a remote … Continue Reading

Chinese Government Releases Overreaching Draft Regulations on Cross-Border Data Transfer

Last month, the Cyberspace Administration of China released draft regulations on the cross-border transfer of data in China. The draft regulations are available for public comment until May 11.

The purpose of these regulations is to specify the restrictions on cross-border data transfer that were established by the recent passage of China’s Cyb… Continue Reading

HIPAA Enforcement Actions by the Numbers

Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for … Continue Reading

And Then There Were 48 (States): New Mexico Enacts a Security Breach Notification Statute

On April 6, 2017, New Mexico joined 47 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands when Governor Susana Martinez signed House Bill 15, codifying the Data Breach Notification Act. With New Mexico becoming the 48th state to enact a security breach notification statute, only Alabama and South Dakota have not codified requirements for repo… Continue Reading

It’s Official: Privacy and Security Rules from Wheeler Era Repealed

On Monday, April 3, President Trump signed a bill repealing the privacy and security rules introduced in the FCC’s October 2016 Order. Under the terms of the Congressional Review Act (CRA), those rules have now been entirely repealed, the FCC is restricted from implementing “substantially similar” rules in the future, and the congressional act… Continue Reading

New FCC Stays ISP Data Security Rules from Wheeler Era

On Wednesday, the Chairman Pai-led FCC adopted an Order granting a stay of the data security rules that were adopted as part of the Commission’s 2016 Privacy Order spearheaded by former FCC Chairman Wheeler. The stay will maintain the data security rules that have been in place for several years, but suspend implementation of the expanded data security r… Continue Reading

New FCC Chairman Moves to Roll Back Privacy Rules for Internet Service Providers

Ever since the presidential election and the replacement of former Obama administration FCC Chairman Tom Wheeler with former Republican commissioner and now Chairman Ajit Pai, communications industry and privacy policy observers of all stripes have expected the new FCC to roll back much or all of the agency’s pre-election (October 2016) privacy Ord… Continue Reading

To Settle or Not to Settle – That Is the Question Raised by Recent HIPAA CMPs

On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question… Continue Reading
