Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an … Continue Reading
More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance … Continue Reading
The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data – to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading
This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June … Continue Reading
On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and … Continue Reading
Ohio recently became the latest state to consider enacting comprehensive privacy legislation. On July 13, 2021, the Ohio Personal Privacy Act (House Bill 376) was introduced into the Ohio House of Representatives with the backing of Ohio Governor Mike DeWine and Lt. Governor Jon Husted. If passed, OPPA would establish consumer data rights for natural … Continue Reading
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing … Continue Reading
On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms. Regulation S-P By … Continue Reading
In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), … Continue Reading
The California attorney general (AG) has kicked of it process of promulgating regulations to interpret and implement California’s sweeping new privacy law. After a series of public hearings across the state, which we covered here and here, the AG closed the initial public comment period on March 8. Our clients have mostly sought to convey their … Continue Reading
March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or … Continue Reading
Last week, Australia’s parliament passed a controversial act that will enable law enforcement and intelligence agencies to compel access to encrypted communications. In an explanatory memorandum, the Australian Parliament stated that the new act, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, is intended to combat “the challenges posed by ubiquitous encryption.” … Continue Reading
According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies. Article 6(1) of … Continue Reading
As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which … Continue Reading
The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to … Continue Reading
Liftopia, an e-commerce platform that enables ski resorts to sell advance-purchase tickets online, was cited in a recent decision by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for failing to provide consumers with sufficient notice and choice relating to the collection of data for targeted ads and the serving of interest-based advertising … Continue Reading
On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed … Continue Reading
With only four months remaining until the EU General Data Protection Regulation takes effect on May 25, 2018, the European Commission has launched a new website offering guidance on requirements and implementation targeted at an array of stakeholders including Member State governments, businesses, data subjects, and other entities whose operations or data processing activities will … Continue Reading
On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement … Continue Reading
On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the … Continue Reading
Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: … Continue Reading
Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017 FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform … Continue Reading
Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ … Continue Reading
Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016. Similar to its predecessors, the new Nevada … Continue Reading