HL Chronicle of Data Protection Privacy & Information Security News & Trends

Scott Loughlin

Posts by Scott Loughlin
Posted in Consumer Privacy

California AG Submits CCPA Regulations for Approval – Requests Expedited Review Ahead of July 1 Enforcement Deadline

On June 1, the California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which, according to a public statement, is still the date his office plans to begin enforcing the CCPA.

Posted in Consumer Privacy

COVID-19 and IT Service Provider Contracts: A Checklist for Force Majeure Events

COVID-19 has impacted organizations’ relationships with their IT service providers, who often play an important role in securing their data and systems. Under current conditions, some service providers may face challenges in performing this work. Potential non-performance has significant consequences for service providers and their clients alike. To prepare for these challenges, entities that have contracts with service providers—and service providers themselves—should carefully review their existing agreements and any force majeure-type provisions in particular. This post includes our COVID-19 service provider risk mitigation checklist.

Posted in Consumer Privacy, News & Events

Second Modified CCPA Draft Regulations Released—Comments Due March 27

On March 11, the California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contains a small number of impactful changes, which we summarize in this post.

Posted in Consumer Privacy

Modified CCPA Regulations Released—Comments Due February 25 (Updated)

On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.

Posted in Consumer Privacy

Washington State to Try Again for a Comprehensive Privacy Law

Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.

Posted in Consumer Privacy

The Results Are in: Modest Changes to CCPA Await the Governor’s Signature

Since the California Consumer Privacy Act’s hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for a year some of the more challenging requirements.

Posted in Consumer Privacy

New Nevada Privacy Law With “Sale” Opt-Out Right Will Take Effect Before the CCPA

Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA).

Posted in Health Privacy/HIPAA

HIPAA Penalty Caps to Be Reduced and Tied to Culpability Level

In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

Posted in Employment Privacy

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.

Posted in Health Privacy/HIPAA

California Consumer Privacy Act: The Challenge Ahead – Four Key Considerations for Health and Life Sciences Companies

The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.

Posted in Cybersecurity & Data Breaches

NIST Launches into the Internet of Things

This week, the National Institute of Standards and Technology convened the first face-to-face meeting of the cyber-physical systems public working group to develop and implement a new cybersecurity framework dedicated to cyber-physical systems, also known as the “Internet of Things.” Companies developing products and services involving CPS may consider participating in the CPS PWG, as participation in webinars and meetings is open and intended to be convenient. The group’s efforts may affect the legal landscape developing around CPS.

Posted in Consumer Privacy

Destroy Securely: Delaware Adopts New Data Destruction Law

Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

In a recently announced settlement between the Department of Health and Human Services Office for Civil Rights and a New York health plan, the health plan agreed to pay $1.2 million for the breach of electronic patient records stored in the internal memory of digital photocopiers leased and improperly disposed of by the plan.

Posted in Cybersecurity & Data Breaches

ABA Commission Proposes Ethics Rule Requiring Adequate Data Security

The American Bar Association (ABA) is proposing to make clear that the protection of a client’s data is an ethical responsibility of lawyers. The Commission on Ethics 20/20 of the American Bar Association recently released its Report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers’ use of technology and protection of client confidences, including a Rule that requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Posted in Cybersecurity & Data Breaches

North Carolina and Montana Data Breach Statutes Amendments Now in Effect

Recently-enacted amendments to the Montana and North Carolina data breach notifications go into effect today, October 1, 2009. North Carolina. The amendment to North Carolina’s statute increases the state’s notification requirements for smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to […]

Posted in Cybersecurity & Data Breaches

Possible Health Information Trend in State Data Protection Statutes

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly-enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009. […]