Podcast: AD-ttorneys@law: False Advertising or Just Puffing?

Absolute truth in advertising is something of a rarity, but not every untrue statement is false advertising. In this episode, BakerHostetler partner Randy Shaheen is going to ply you with pointers on avoiding puffery’s promotional pitfalls and potential problems.

Questions and Comments: rshaheen@bakerlaw.com

Listen to the episode.


Happy First Birthday to the NIST Privacy Framework!

BakerHostetler partner Jeewon Serrato contributed the NIST Privacy Framework’s CCPA Crosswalk and is featured in an animated video by NIST that shows how organizations can use the NIST Privacy Framework to build trust with their customers, communicate better about privacy, and help meet their compliance obligations. Jeewon is also featured in NIST’s new two-page Privacy Framework implementation guide, which offers helpful guidelines for small and medium businesses looking to create or improve their privacy programs. For organizations that want to use the NIST Privacy Framework to comply with the CCPA, or to rationalize how the CCPA works alongside other legal and regulatory requirements such as the GDPR, a link to the CCPA Crosswalk can be found on the NIST website home page. NIST’s blog post describes how the Privacy Framework is gaining global adoption.

Compliance and Cybersecurity Best Practices Rewarded with HIPAA Safe Harbor

On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act.[1] As the healthcare industry continues to be one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should provide some much-needed relief to those beleaguered covered entities and business associates that have spent years and significant dollars implementing cybersecurity best practices. Under the new safe harbor, when calculating fines, evaluating audits or reviewing proposed mitigation steps, the Department of Health & Human Services (HHS) must consider whether the covered entity or business associate adequately demonstrated that it had “recognized security practices” in place for at least the previous 12 months, practices that may:

(1) Mitigate HIPAA fines.

(2) Result in the early, favorable termination of a HIPAA audit.

(3) Mitigate the remedies in a HIPAA resolution agreement with HHS.

Under the law, the term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” Thus, the new safe harbor has the potential both to significantly incentivize all entities subject to HIPAA to implement cybersecurity best practices and to provide some long-overdue relief to entities that experience a data security incident after having implemented robust security practices. It recognizes that, despite an entity’s best efforts, security incidents still occur, and that highly punitive penalties may not be appropriate in such circumstances. While the statute does not specify which practices qualify, our experience working with HHS in breach investigations is that HHS focuses on existing programs for assessing cybersecurity risks to electronic protected health information (ePHI): annual security risk analyses, an inventory of ePHI, risk management plans and the implementation of administrative, technical and physical safeguards to address those risks.

Continue Reading

Welcome to the Digital Transformation and Digital Economy Newsletter – January 2021 Issue

Across the economy, businesses are using digital technology to pivot into innovative service lines, accelerate growth and transform their businesses altogether. These businesses’ digital strategies and data assets play important roles in their success. In the healthcare industry, the COVID-19 pandemic provides a significant use case for interoperability of health information. Regulations are catching up to resolve this need, and healthcare industry actors are using their data assets accordingly.

In this issue, we are highlighting Kyle Gregory and how his practice intersects with these aspects of digital transformation and data economy.

Read more.

New York Legislature Introduces CCPA Clone with Private Right of Action

The 2021-22 New York State legislative session started off with a bang, featuring nearly a dozen consumer privacy bills introduced in the House and Senate on the opening day. A number of the proposals, including the New York Privacy Act and the Right to Know Act, are carbon copies of bills that were introduced in the 2019-20 legislative session but did not make it out of committee. Others, such as SB 567, which closely resembles the California Consumer Privacy Act (CCPA), are new this session. With a Democratic supermajority in the House and Senate, the New York Legislature appears poised to move forward with pro-consumer privacy legislation, though it remains to be seen whether the ongoing COVID-19 pandemic will continue to consume legislative focus this year.

Below, we provide a summary of the bills introduced on January 6 that have broad applicability to consumer privacy and are generally industry agnostic. Continue Reading

A Risk-Based Approach to the SolarWinds Vulnerability Disclosures

On December 13, 2020, SolarWinds disclosed that an unknown attacker compromised its network and inserted malicious code (the backdoor now referred to as Sunburst) into software updates for the Orion platform. In what will likely become known as one of the most widespread and damaging cyber attacks in history, approximately 18,000 private and government organizations installed the malicious code as part of their usual patching process. But based on current information, the attacker, which was likely a Russian intelligence service, used the backdoor to infiltrate only a small fraction of the organizations that installed it. Most, therefore, will find no evidence of further compromise.

Read more
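The post above draws a line between organizations that merely installed the trojanized update and the small fraction the attacker actually went on to infiltrate. The first question a responder asks is whether the implant ever beaconed out. The following is an added example written for this page, not code from the post, from BakerHostetler or from SolarWinds: it scans resolver log lines for queries to avsvmcloud.com, the first-stage command-and-control domain named in the public FireEye and CISA reporting on Sunburst. The domain comes from that public reporting, not from the excerpt; the log format and the log lines themselves are constructed, and the subdomain labels are made up to imitate the shape of the implant’s generated names.

```python
from collections import defaultdict

# Domain that the Sunburst first-stage implant resolved to reach its C2
# (public FireEye/CISA reporting; the domain is not named in the post above).
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log, one query per line:
#   <timestamp> <client-ip> <queried-name>
# The subdomain labels are invented; they only imitate the shape of the
# implant's generated names. The last two lines are deliberate lookalikes
# that contain the string but are NOT under the C2 domain.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:07Z 10.20.1.55 downloads.solarwinds.com
2020-12-14T03:14:19Z 10.20.1.55 k3p0c9qm2fa7h1e8b6d4.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T03:15:02Z 10.20.1.60 login.microsoftonline.com
2020-12-14T04:01:44Z 10.20.1.55 r8s2w5x1y7z3a4b9c6d0.appsync-api.us-west-2.avsvmcloud.com.
2020-12-14T04:05:10Z 10.20.2.17 avsvmcloud.com.lookalike-vendor.example
2020-12-14T04:07:33Z 10.20.2.17 updates.avsvmcloud.com.cdn-proxy.example
"""


def is_sunburst_c2(name: str) -> bool:
    """True if the queried name is avsvmcloud.com or any subdomain of it.

    Case and a trailing dot are normalised so 'X.AVSVMCLOUD.COM.' matches,
    while names that merely contain the string under another domain do not:
    the comparison is done label by label from the right, not by substring.
    """
    labels = name.strip().rstrip(".").lower().split(".")
    target = SUNBURST_C2_DOMAIN.split(".")
    return len(labels) >= len(target) and labels[-len(target):] == target


def find_sunburst_beacons(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the C2 names it queried; malformed lines are skipped."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # truncated or malformed line: ignore rather than crash
        _timestamp, client, qname = parts
        if is_sunburst_c2(qname):
            hits[client].append(qname.rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_sunburst_beacons(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} beacon lookup(s)")
        for qname in names:
            print(f"    {qname}")
```

A hit shows that the backdoor ran on that host and reached out; it does not by itself show that the attacker followed up, which is the distinction the post draws. Conversely, an empty result from logs that do not cover the period since the update was installed proves little, because the first-stage beacon was not continuous.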

Privacy and Product Counseling: 2020 in Review

Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by industry trends, utilization of and dependence on third-party services and platforms, and, this year, the COVID-19 pandemic – organizations increasingly seek us out for advice on third-party requirements and nonlegal or legal-adjacent issues. While compliance with the California Consumer Privacy Act (CCPA) and addressing issues arising out of the Schrems II judgment and the TikTok and WeChat executive orders, among others, dominated 2020, organizations faced an onslaught of other ancillary issues this year on which they sought our advice. Below, we have summarized a list of privacy and product counseling issues on which we have advised our clients this year. This is, of course, not an exhaustive list, but rather highlights some of the bigger privacy and product counseling issues our clients have faced, and on which we have advised them, in 2020.

Advising on these issues is a key part of our privacy and product counseling practice, which spans a number of our Digital Assets and Data Management (DADM) Practice Group teams, including our Privacy Governance and Technology Transactions, Advertising, Marketing and Digital Media, and Digital Transformation and Data Economy teams. This summary also serves as a preview for issues that organizations will continue to face in 2021. Continue Reading

Podcast: AD-ttorneys@law: Consumer Reviews: Paid? Fake? Negative?

Let’s be honest. Customer reviews and testimonials influence buying decisions — an online review can make or break the path to purchase. Amy Ralph Mudge is her authentic self as she outlines the legal framework and counts down an essential list of legal dos and don’ts.

Questions & Comments: amudge@bakerlaw.com

Listen to the episode.


The New IoT Cybersecurity Act Is Here

Growing awareness regarding cybersecurity concerns with the Internet of Things (IoT) has achieved a milestone with the promulgation of the IoT Cybersecurity Improvement Act (the Act), which was signed into law by President Donald Trump on December 4, 2020. The Act requires the development, adoption and implementation of security standards for IoT devices by the federal government. Government contractors now have a new set of obligations relating to IoT cybersecurity compliance. Although the Act is the first federal law specifically targeting IoT cybersecurity, a California law requiring “reasonable” and “appropriate” IoT cybersecurity took effect January 1, 2020, and the U.K. also has IoT cybersecurity regulatory efforts underway. The Act was written in response to major distributed denial of service (DDoS) attacks, including one in 2016 in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, orchestrating their use in overwhelming and disrupting commercial web services. The threat hit closer to home for the federal government in 2017, when it was discovered that Chinese-made Internet-connected security cameras were using previously undetected communications backdoors to “call home” to their manufacturers, presenting a risk that what was visible to a camera’s lens was also visible to our geopolitical rivals. Continue Reading

Ted Kobus and Katherine Lowry Discuss Trajectory of IncuBaker in Q&A with The American Lawyer

Partner Ted Kobus, Chair of the Digital Assets and Data Management Group, and Director of Practice Services Katherine Lowry are featured in a Q&A article published on Dec. 10, 2020 by The American Lawyer. In the article, “With Technology a Constant, BakerHostetler Unit Aims to Make Sense Of Options,” the pair discuss the goals, structure and future of IncuBaker, referred to as “an ALSP-type service focused on data analytics and making sense of the legal tech marketplace.”

Read the article.