2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.… Continue Reading
As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions … Continue Reading
In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized … Continue Reading
What’s Trending? (Privacy a la Mode) Notable fashion brands have been engaging in a “trial period” of new technologies as privacy laws and privacy enforcement are trending – for example, exploring integrating branding into digital assets in video games, virtual reality (VR) and augmented reality (AR) technology, metaverses, and non-fungible tokens (NFTs). Fashion naturally pushes … Continue Reading
The Federal Trade Commission issued a detailed [staff report] on September 15 addressing Dark Patterns (or what some more descriptively call “manipulative design,” but Dark Patterns seems to be sticking). Regulators are focusing increased attention on these manipulative designs and it’s critical for marketing, user experience and design teams to understand this topic.… Continue Reading
After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case unusual for its quick resolution, but that is … Continue Reading
On Aug. 29, California’s Senate unanimously passed Assembly Bill 2273, known as the Age-Appropriate Design Code Act (the CA AADC or the Bill). The Bill, which is anticipated to be signed into law by Gov. Gavin Newsom, is aimed at promoting online safety and privacy for children under 18. The Bill was inspired by the … Continue Reading
The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business Personal Information (PI) likely will not be extended. Aug. 31, 2022 was the last day for each house to pass bills, per the California Constitution (Art. IV, Sec 10(c) and the Joint Rules (J.R. 61(b)(18))), and no legislative proposals or amended bills made it … Continue Reading
BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading
On July 8, 2022, following the Supreme Court’s decision in Dobbs, the president signed an executive order that called on a number of federal agencies to take steps to protect reproductive rights. He specifically asked the Federal Trade Commission (FTC) to “consider taking steps to protect consumers’ privacy when seeking information about and provision of … Continue Reading
We are excited to welcome new partner Ed McAndrew to our Digital Assets and Data Management Group! Ed joins our Privacy and Digital Risk Class Action and Litigation and Digital Risk Advisory and Cybersecurity teams, and will work out of our Philadelphia and Wilmington, Delaware offices. A former federal cybercrime prosecutor, Ed served as a … Continue Reading
On July 8, the California Privacy Protection Agency Board (CPPA, Agency or Board) announced the Notice of Proposed Rulemaking (NPRM), which begins the 45-day comment period for the draft regulations. As we previously reported, the California Privacy Rights Act (CPRA) draft regulations were released on May 27, and we had a heads-up about this rulemaking … Continue Reading
On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) … Continue Reading
To help guide entities through the significant confusion and changes that will be evolving for the next several years, BakerHostetler has assembled the Dobbs Decision Task Force (DDTF), led by attorneys in five major areas (healthcare/health tech, privacy, labor and employment, employee benefits, and white collar). Like many others, healthcare entities are facing immediate uncertainty … Continue Reading
Over the years, there have been very few class certification rulings in actions arising from data breach incidents. Of those that have been published, most have favored the defense. However, as we discussed in our 2022 Data Security Incident Response Report, the recent ruling in In re Brinker Data Incident Litigation (“Brinker”)granting class certification has … Continue Reading
It has been just over one year since Lina Khan was confirmed by the Senate and designated Federal Trade Commission (FTC) chair by the president. At the outset of her tenure, she had a Democratic majority, which ended in October 2021 when former Commissioner Rohit Chopra departed the FTC to take over as director of … Continue Reading
Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important, but not most discussed provision, is Section 1798.150(a)(1), the right to cure. The CCPA, like other, similar California privacy laws, includes … Continue Reading
On May 26, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to provide updates on the Agency’s rulemaking process. The next day, the CPPA released draft regulations for the California Privacy Rights Act (CPRA). This post includes initial impressions of the proposed regulations and how they square with … Continue Reading
On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat … Continue Reading
Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to … Continue Reading
PART 1 PART 2 PART 3 In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this installment, we address the laws that could be implicated … Continue Reading
Part I: What Are Third-Party Cookies and Why They Are Important Part II: Privacy Laws and Third-Party Cookies Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile Part IV: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – First-Party Data … Continue Reading
In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state to enact a comprehensive data privacy law covering employment-related data (“B2E”), whereas the California Consumer Privacy Act (CCPA) … Continue Reading
For companies preparing to comply with the California Privacy Rights Act (CPRA), operative on Jan. 1, 2023, this Road Map summarizes the provisions of the California Consumer Privacy Act (CCPA), which the CPRA amends, and the new requirements under the CPRA. It also includes a checklist of practical compliance actions. Read the Road Map.… Continue Reading