Tag Archives: privacy

2023 DSIR Report Deeper Dive: U.S. Employee Privacy Developments

Photo of Jennifer MitchellPhoto of Justin T. YedorPhoto of Frederick C. BinghamBy Jennifer Mitchell, Justin T. Yedor and Frederick C. Bingham on Posted in Data Security Incident Response
Among the many developments in data privacy regulation that took place over the past year, new requirements relating to employee personal information in California and New York have deservedly received a lot of attention. Meanwhile, ongoing risks arising under older laws—such as the massive verdict in the first jury trial of a claim under the … Continue Reading

2023 DSIR Report Deeper Dive: Privacy at the FTC – What Are the Hot Topics Almost Two Years Into the Khan Administration?

Photo of Daniel KaufmanBy Daniel Kaufman on Posted in FTC
It has been almost two years since Lina Khan was designated the new Federal Trade Commission (FTC) chair, and it has been an eventful few years. One of the many questions being asked is “Where do things stand at the FTC on privacy?” Congress has yet to pass comprehensive privacy legislation, and the FTC continues … Continue Reading

An Introduction to Washington’s My Health My Data Act

Photo of Andreas KaltsounisPhoto of BakerHostetlerBy Andreas Kaltsounis and BakerHostetler on Posted in Data Privacy, Healthcare
On April 17, the Washington legislature passed the My Health My Data Act (MHMD Act), which includes some of the most restrictive provisions in any U.S. state privacy law. The MHMD Act is the result of Washington state’s multi-year effort to pass comprehensive privacy legislation fueled by new fears about access to reproductive health care … Continue Reading

The FTC’s Latest Staff Report on Dark Patterns: A Warning for Marketing Teams and UX Designers

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in FTC
The Federal Trade Commission issued a detailed [staff report] on September 15 addressing Dark Patterns (or what some more descriptively call “manipulative design,” but Dark Patterns seems to be sticking). Regulators are focusing increased attention on these manipulative designs and it’s critical for marketing, user experience and design teams to understand this topic.… Continue Reading

What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

Photo of Aleksandra VoldBy Aleksandra Vold on Posted in Healthcare
After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case unusual for its quick resolution, but that is … Continue Reading

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

Photo of Elise ElamPhoto of David PotterPhoto of Vaughn StupartBy Elise Elam, David Potter and Vaughn Stupart on Posted in Data Protection, Data Security
BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading

OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices

Photo of Robyn M. FeldsteinPhoto of Courtney LitchfieldBy Robyn M. Feldstein and Courtney Litchfield on Posted in HIPAA/HITECH, Privacy
In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance … Continue Reading

CPPA Publishes Notice of Proposed Rulemaking

Photo of Jeewon SerratoPhoto of Shruti Bhutani AroraPhoto of Christine MastromonacoBy Jeewon Serrato, Shruti Bhutani Arora and Christine Mastromonaco on Posted in CPRA
On July 8, the California Privacy Protection Agency Board (CPPA, Agency or Board) announced the Notice of Proposed Rulemaking (NPRM), which begins the 45-day comment period for the draft regulations. As we previously reported, the California Privacy Rights Act (CPRA) draft regulations were released on May 27, and we had a heads-up about this rulemaking … Continue Reading

Office for Civil Rights Provides Guidance: HIPAA Privacy Rule on Disclosures of Information Relating to Reproductive Healthcare

Photo of Aleksandra VoldBy Aleksandra Vold on Posted in Data Privacy, Healthcare, HIPAA/HITECH
On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) … Continue Reading

Dobbs Triggers Significant Healthcare and Privacy Law Concerns and Confusion

Photo of Aleksandra VoldPhoto of Amy FoutsBy Aleksandra Vold and Amy Fouts on Posted in Data Privacy, Healthcare, HIPAA/HITECH
To help guide entities through the significant confusion and changes that will be evolving for the next several years, BakerHostetler has assembled the Dobbs Decision Task Force (DDTF), led by attorneys in five major areas (healthcare/health tech, privacy, labor and employment, employee benefits, and white collar). Like many others, healthcare entities are facing immediate uncertainty … Continue Reading

If it’s broke, just fix it…: Curing Alleged CCPA Violations

Photo of Colby EverettPhoto of Robyn M. FeldsteinPhoto of Casie CollignonBy Colby Everett, Robyn M. Feldstein and Casie Collignon on Posted in CCPA
Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important, but not most discussed provision, is Section 1798.150(a)(1), the right to cure. The CCPA, like other, similar California privacy laws, includes … Continue Reading

CPPA Begins CPRA Rulemaking

Photo of Jennifer MitchellPhoto of Jeewon SerratoPhoto of Justin T. YedorPhoto of Jenny HaBy Jennifer Mitchell, Jeewon Serrato, Justin T. Yedor and Jenny Ha on Posted in CCPA, CPRA
On May 26, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to provide updates on the Agency’s rulemaking process. The next day, the CPPA released draft regulations for the California Privacy Rights Act (CPRA). This post includes initial impressions of the proposed regulations and how they square with … Continue Reading

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Photo of Teresa Goody GuillénPhoto of Andreas KaltsounisBy Teresa Goody Guillén and Andreas Kaltsounis on Posted in Data Security Incident Response
Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to … Continue Reading

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Four

Photo of Fernando A. Bohorquez, Jr.Photo of Gerald J. FergusonPhoto of Yadilsa DiazPhoto of Priyanka SurapaneniBy Fernando A. Bohorquez, Jr., Gerald J. Ferguson, Yadilsa Diaz and Priyanka Surapaneni on Posted in Cookies
Part I: What Are Third-Party Cookies and Why They Are Important Part II: Privacy Laws and Third-Party Cookies Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile Part IV: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – First-Party Data … Continue Reading

Complying with the CCPA’s Right to Deletion

Photo of Janine Anthony BowenBy Janine Anthony Bowen on Posted in CCPA
The California Consumer Privacy Act dramatically changed the regulatory landscape for privacy in the United States. Among the CCPA’s many requirements, one right is proving a particular challenge for many businesses: the right to delete. Whitney Schneider-White and Justin Yedor coauthored this white paper with Privatar, which discusses the challenges complying with the CCPA’s right … Continue Reading

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Two

Photo of Gerald J. FergusonPhoto of Fernando A. Bohorquez, Jr.Photo of Yadilsa DiazBy Gerald J. Ferguson, Fernando A. Bohorquez, Jr. and Yadilsa Diaz on Posted in Cookies, Data Privacy, GDPR, Privacy
Part I: What Are Third-Party Cookies and Why they are Important — PART II — Privacy Laws And Third-Party Cookies Welcome to our second installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into cookies for a baseline understanding of the technology and why … Continue Reading

Why Everyone Is Talking About a Rarely Invoked Rule – the FTC’s Health Breach Notification Rule

Photo of Daniel KaufmanBy Daniel Kaufman on Posted in Advertising, Enforcement, FTC, HHS, HIPAA/HITECH, Privacy
Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

Photo of Craig CarpenterBy Craig Carpenter on Posted in Cybersecurity, Data Breach Notification Laws, Data Breaches, Information Security, Uncategorized
The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Photo of Marshall J. MatteraPhoto of Jeewon SerratoPhoto of Casie CollignonPhoto of Stanton BurkeBy Marshall J. Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke on Posted in CCPA, CPRA, Data Breach Notification Laws, Data Breaches, Privacy
Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino’s appointment mean for future HIPAA enforcement?

Photo of Sara GoldsteinBy Sara Goldstein on Posted in Cybersecurity, Enforcement, Healthcare, HHS, HIPAA/HITECH
More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

Photo of Benjamin WangerPhoto of Elana WeinblattBy Benjamin Wanger and Elana Weinblatt on Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Data Privacy, HIPAA/HITECH
On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

CPRA Rulemaking Begins with an Invitation by the New California Privacy Protection Agency

Photo of Justin T. YedorPhoto of Stanton BurkePhoto of Jeewon SerratoBy Justin T. Yedor, Stanton Burke and Jeewon Serrato on Posted in CCPA, CPRA, Information Security, Online Privacy, Uncategorized
By Justin Yedor, Stanton Burke, and Jeewon K. Serrato For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”).  In the … Continue Reading
LexBlog