Archives: Enforcement

Subscribe to Enforcement RSS Feed

New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino’s appointment mean for future HIPAA enforcement?

Photo of Sara GoldsteinBy Sara Goldstein on Posted in Cybersecurity, Enforcement, Healthcare, HHS, HIPAA/HITECH
More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance … Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

Photo of Melissa HewittBy Melissa Hewitt on Posted in Data Breaches, Enforcement, FTC, HIPAA/HITECH
The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading

International Data Protection Update – Summer 2021

Photo of Nichole SterlingPhoto of Melinda L. McLellanPhoto of Andreas KaltsounisBy Nichole Sterling, Melinda L. McLellan and Andreas Kaltsounis on Posted in Data Protection, Enforcement, EU, GDPR, International Privacy Law
This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June … Continue Reading

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

Photo of Adam CohenPhoto of Jonathan A. FormanBy Adam Cohen and Jonathan A. Forman on Posted in Enforcement, Incident Response, Information Security, SEC
On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and … Continue Reading

Ohio Proposes Comprehensive Privacy Legislation

Photo of Damon C. BarhorstPhoto of William BerglundBy Damon C. Barhorst and William Berglund on Posted in Consumer Data, Data Protection, Enforcement, Privacy, State Legislation
Ohio recently became the latest state to consider enacting comprehensive privacy legislation. On July 13, 2021, the Ohio Personal Privacy Act (House Bill 376) was introduced into the Ohio House of Representatives with the backing of Ohio Governor Mike DeWine and Lt. Governor Jon Husted. If passed, OPPA would establish consumer data rights for natural … Continue Reading

Belgian Authority Raises Red Flag for DPOs with Multiple Roles

Photo of Nichole SterlingPhoto of Andreas KaltsounisPhoto of Melinda L. McLellanBy Nichole Sterling, Andreas Kaltsounis and Melinda L. McLellan on Posted in Enforcement
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing … Continue Reading

SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms

Photo of Jonathan A. FormanPhoto of Matt FriedmanBy Jonathan A. Forman and Matt Friedman on Posted in Cybersecurity, Enforcement, Financial Privacy
On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms. Regulation S-P By … Continue Reading

EU Regulators Increase Focus on Cookie Practices

Photo of Jean ShinPhoto of Monique MatarBy Laura E. Jehl, Kyle R. Fath, Jean Shin and Monique Matar on Posted in Enforcement, GDPR
In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), … Continue Reading

BakerHostetler Comments On CCPA Rule Making For Clients

By Alan L. Friel on Posted in CCPA, Enforcement
The California attorney general (AG) has kicked of it process of promulgating regulations to interpret and implement California’s sweeping new privacy law. After a series of public hearings across the state, which we covered here and here, the AG closed the initial public comment period on March 8. Our clients have mostly sought to convey their … Continue Reading

Beware the Ides of March – Is Your NYDFS Cybersecurity Compliance in Order?

Photo of Jonathan A. FormanBy Eulonda Skyles and Jonathan A. Forman on Posted in Cybersecurity, Enforcement
March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or … Continue Reading

Controversial Australian Encryption Act Denounced by Privacy and Cryptography Advocates

By Brian P. Bartish on Posted in Enforcement, International Privacy Law
Last week, Australia’s parliament passed a controversial act that will enable law enforcement and intelligence agencies to compel access to encrypted communications. In an explanatory memorandum, the Australian Parliament stated that the new act, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, is intended to combat “the challenges posed by ubiquitous encryption.” … Continue Reading

Cookies and Consent Under the EU GDPR

By David M. Brown on Posted in Enforcement, GDPR, Online Privacy
According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies. Article 6(1) of … Continue Reading

EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

By David M. Brown on Posted in Enforcement, International Privacy Law
As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which … Continue Reading

Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident

By Will R. Daugherty and John Busch on Posted in Enforcement, Incident Response
The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to … Continue Reading

Online Merchant Cited for Inadequate Interest-Based Advertising Disclosures

By Alan L. Friel and Kyle R. Fath on Posted in Advertising, Enforcement
Liftopia, an e-commerce platform that enables ski resorts to sell advance-purchase tickets online, was cited in a recent decision by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for failing to provide consumers with sufficient notice and choice relating to the collection of data for targeted ads and the serving of interest-based advertising … Continue Reading

Looking Back: The Federal Trade Commission Issues Annual Data Privacy Report for 2017

By John Busch on Posted in Cybersecurity, Enforcement, News
On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed … Continue Reading

Clock Ticking, European Commission Launches GDPR Implementation Guidance Website

Photo of Melinda L. McLellanBy Melinda L. McLellan and Aaron Lancaster on Posted in Enforcement, International Privacy Law
With only four months remaining until the EU General Data Protection Regulation takes effect on May 25, 2018, the European Commission has launched a new website offering guidance on requirements and implementation targeted at an array of stakeholders including Member State governments, businesses, data subjects, and other entities whose operations or data processing activities will … Continue Reading

From the Mouths of Babes: FTC Issues COPPA Enforcement Policy Regarding Voice Recordings

Photo of Carolina AlonsoPhoto of Melinda L. McLellanBy Carolina Alonso, Alan L. Friel and Melinda L. McLellan on Posted in Children’s Privacy, Enforcement, Internet of Things, Online Privacy
On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement … Continue Reading

Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions

Photo of Melinda L. McLellanBy Melinda L. McLellan and Emily R. Fedeles on Posted in Enforcement, International Privacy Law
On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the … Continue Reading

Uber Settles With FTC Over Allegedly Deceptive Privacy And Data Security Practices

By Laura E. Jehl on Posted in Cybersecurity, Enforcement
Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: … Continue Reading

FTC Announces Internal Process Reforms in Connection with Civil Investigative Demands

Photo of May Tal GongolevskyBy May Tal Gongolevsky and Csilla Boga-Lofaro on Posted in Enforcement
Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017 FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform … Continue Reading

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

By David Kitchen and Alan L. Friel on Posted in Enforcement, State Legislation
Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ … Continue Reading

Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

Photo of Melinda L. McLellanBy David Kitchen, Alan L. Friel and Melinda L. McLellan on Posted in Enforcement, Online Privacy, State Legislation
Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016.  Similar to its predecessors, the new Nevada … Continue Reading

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

Photo of Melinda L. McLellanPhoto of James A. ShererBy Melinda L. McLellan, James A. Sherer and Emily R. Fedeles on Posted in Cybersecurity, Data Breaches, Enforcement, International Privacy Law
As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading
LexBlog