On July 8, the California Privacy Protection Agency Board (CPPA, Agency or Board) announced the Notice of Proposed Rulemaking (NPRM), which begins the 45-day comment period for the draft regulations. As we previously reported, the California Privacy Rights Act (CPRA) draft regulations were released on May 27, and we had a heads-up about this rulemaking process. We have also previously reported on the Road Map for CPRA Compliance. As the official 45-day comment period kicks off, this article covers what you need to know about the draft regulations as they were discussed by the Agency during its last public Board meeting and covered in the NPRM, including what we can expect in terms of enforcement. You can also access here the recording of the interview Jeewon Kim Serrato conducted on June 30, in which Executive Director Ashkan Soltani and Acting General Counsel Brian Soublet discuss the rulemaking process and what the CPPA seeks to accomplish with the regulations.
On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) without a patient’s authorization. HHS OCR focused specifically on disclosures required by law, disclosures for law enforcement purposes and disclosures to avert a serious threat to health or safety – among the few disclosures HIPAA expressly permits without first obtaining patient consent – likely in response to concerns that providers would be required to disclose patients’ impending or recent pregnancy terminations (spontaneous or otherwise) to law enforcement in states where abortions are banned or significantly restricted.
To help guide entities through the significant confusion and changes that will be evolving for the next several years, BakerHostetler has assembled the Dobbs Decision Task Force (DDTF), led by attorneys in five major areas (healthcare/health tech, privacy, labor and employment, employee benefits, and white collar).
Like many others, healthcare entities are facing immediate uncertainty in the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. (available at www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf), as they are now caught between a variety of state and federal laws and guidance that seem to conflict.
Over the years, there have been very few class certification rulings in actions arising from data breach incidents. Of those that have been published, most have favored the defense. However, as we discussed in our 2022 Data Security Incident Response Report, the recent ruling in In re Brinker Data Incident Litigation (“Brinker”) granting class certification has emboldened plaintiffs’ firms, in both the number of their litigation filings and their negotiation tactics during mediations. This article provides more information about this recent class certification ruling.
It has been just over one year since Lina Khan was confirmed by the Senate and designated Federal Trade Commission (FTC) chair by the president. At the outset of her tenure, she had a Democratic majority, which ended in October 2021 when former Commissioner Rohit Chopra departed the FTC to take over as director of the Consumer Financial Protection Bureau. But in May, the Senate confirmed Alvaro Bedoya as the fifth commissioner in the narrowest of votes, giving back a Democratic majority to Chair Khan.
Since the Democratic majority has re-formed, not much has changed outwardly at the agency; indeed, almost every consumer protection and privacy case voted out in the past few months has been voted out unanimously, though with occasional concurring statements from some commissioners. But it is likely that we will see more partisan activity going forward, akin to what the agency saw when Chair Khan first took over.
There is no question that ransomware is here to stay. Thirty-seven percent of the matters we handled last year involved ransomware, compared to 27 percent of matters in 2020. In 2019, there were approximately 15 active ransomware threat actor groups. In 2021, we handled matters involving more than 80 different ransomware variants. Government entities and regulators have taken notice, spurred on by media attention to high-profile incidents. Threat actors are evolving, finding additional ways to put pressure on victims to pay. This means that organizations must also evolve to stay ahead of them. This has become even more apparent in recent months, with threat actor groups dissolving, reforming under new names, and even making public statements about current world affairs, including the war in Ukraine.
Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important but less-discussed provision is Section 1798.150(a)(1), the right to cure.
The CCPA, like other, similar California privacy laws, includes an opportunity to cure after notice. Cf. California Consumer Legal Remedies Act, Cal. Civ. Code § 1770, et seq. (providing a 30-day cure period, but not eliminating a statutory class action by way of the cure). Specifically, an affected consumer must give a business thirty days’ notice of a CCPA violation prior to initiating any suit for individual or class-wide statutory damages. Importantly, “[I]f within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the CCPA forbids an individual or class-wide statutory damages action against the business. While a consumer may always – without notice – file an action for actual money damages because of alleged CCPA violations, preventing statutory damages can protect against greater liability. But what does it mean to “actually cure” the violation?
On May 26, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to provide updates on the Agency’s rulemaking process. The next day, the CPPA released draft regulations for the California Privacy Rights Act (CPRA). This post includes initial impressions of the proposed regulations and how they square with the board’s discussion of the rulemaking process during the May 26 meeting. Our full analysis of the newly released proposed regulations is forthcoming.
On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat actors in response to a ransomware incident. The law also requires any North Carolina public entity that experiences a ransomware incident to “consult with” the North Carolina Department of Information Technology, in accordance with G.S. 143B‑1379.
Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to track and respond to cyber incidents. Organizations subject to these actions will need to evaluate how such actions may apply to them and take necessary measures to comply. Organizations should also note that these actions are just examples of a larger whole-of-government effort to bolster the nation’s cybersecurity and address cyberattacks—organizations should expect and watch for additional cyber regulations that may impact their operations.