On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies who suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents also will now be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.”
Tag Archives: breach notification
HHS Seeking Input on HIPAA Changes
The Department of Health and Human Services (HHS) announced a Request for Information (RFI) regarding how the HIPAA Privacy, Security, and Breach Notification Rules could be modified to reduce regulatory burdens and to improve care coordination, case management, and value-based health care. In addition to opening the door for public comments on current challenges and potential modifications to the HIPAA Rules, the RFI specifically requests feedback on anticipated changes to several specific provisions of the Privacy Rule.
Hogan Lovells Updates Practical GDPR Guide
With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
Privacy and Cybersecurity June 2018 Events
Join us in June as our Cybersecurity and Privacy team discusses what breach notification looks like under the GDPR and how it will be different from breach notification in the U.S. as well as public policy trends in the cybersecurity space.
OCR Emphasizes Security Obligations of Business Associates with Latest Enforcement
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
HHS Issues New Guidance on Ransomware and HIPAA
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
Future-Proofing Privacy: Security is a Critical Piece
Part 12 of Future-Proofing Privacy: Security is a Critical Piece. Security is a critical piece of the data protection jigsaw. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes: obligations to have appropriate security in place will apply directly to data processors for the first time; there will be mandatory reporting of data breaches to data protection authorities; and there will also be mandatory reporting of data breaches to data subjects in certain situations.
Why Europe’s New Privacy Reg is a Business-Critical Issue
It has finally happened. Like that train you are waiting for that keeps getting delayed but eventually arrives. The all-powerful trio comprising the European Parliament, the Council of the EU and the European Commission arrived at their destination after a journey of four years, and on December 15th, 2015, agreed the final text of the EU General Data Protection Regulation. Once formally adopted in the coming weeks, the GDPR will create a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe.
The Law of Securing Consumer Data on Networked Computers
The status of consumer data security law in the United States is at a crossroads. Last week, the White House released a discussion draft of its Consumer Privacy Bill of Rights Act of 2015, which would require businesses collecting personal information to maintain safeguards reasonably designed to ensure the security of that information. And yesterday, the Third Circuit held oral argument in FTC v. Wyndham Worldwide Corp., in which the district court last April denied Wyndham’s challenge to the Federal Trade Commission’s data security enforcement efforts.
The White House Pushes Privacy and Data Security in Advance of the State of the Union
Today, the President spoke at the Federal Trade Commission on the importance of preventing identity theft and improving consumer and student privacy. Today’s speech has been billed as a first look at a broader White House policy initiative on cybersecurity, identity theft, and privacy that will continue this week and will be included in the President’s State of the Union address to Congress on January 20th. Tomorrow, the President will highlight the work of the Department of Homeland Security and the importance of public-private collaboration on cyber threats and is expected to release policy proposals over the coming weeks.
Hogan Lovells’ IAPP Tracker Post Highlights State Data Security Laws
Is data security legislation coming to a state near you? With data breaches continuing to make the headlines, 60 Minutes reporting that breaches are inevitable and federal legislation seeming unlikely, consumers and advocates may press state lawmakers to address data security. We have already seen state data breach notification laws proliferate following California’s enactment of the first such law in 2002. We may see data security laws spread in a similar fashion. In this post, we look at current and proposed state data security laws and consider their potential impact.
Massachusetts Data Breach Settlement Highlights Expectation of Timely Notification
On December 8, Massachusetts Attorney General Martha Coakley announced a settlement with TD Bank, under which TD Bank must pay $625,000 and take several steps to strengthen its data security practices. The settlement agreement stems from a data breach that impacted over 90,000 Massachusetts residents and over 260,000 customers nationwide. The AG’s approach to this case and the resulting settlement underscore the importance of providing prompt notification following a data breach as well as maintaining adequate oversight over the security practices of third-party service providers.
HHS Reaches First Settlement with Local Government Over HIPAA Violations
The U.S. Department of Health and Human Services sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act. This is the first time that HHS has settled charges against a local—and not state level—government entity for HIPAA violations.
California AG Files Suit Alleging Untimely Breach Response
Last week, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. (“Kaiser”) in relation to a 2011 data security breach. The AG’s complaint alleges that even though Kaiser provided notice of the breach to affected individuals, it took too long to issue the required notifications.
California Expands Breach Notification Law to Cover Online Accounts
California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts. Under the new law, companies would be required to notify individuals if and when their passwords, usernames, or security questions and answers are compromised or stolen. The latest amendments become effective as of January 1, 2014.
Cyberlaw Radio Discussion of New California Privacy Laws Features Hogan Lovells
On Wednesday, Harriet Pearson, a partner in Hogan Lovells’ Privacy and Information Management Practice, appeared on the Cyberlaw and Business Report Internet radio show to discuss newly enacted California privacy laws. This blog post contains a link to the interview and a downloadable podcast.
Hogan Lovells’ IAPP Tracker Post Highlights Impact of California Privacy Legislation
This post describes the whirlwind of recently enacted and currently debated privacy legislation in California, including new online protections for minors, amendments to breach notification requirements, and new online privacy policy requirements.
Hogan Lovells Contributes Focus on Privacy and Trade to Global Privacy Meeting
At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. This post contains prepared remarks to the commissioners on the need for interoperable cross-border privacy standards and the merits of the U.S. privacy regime.
Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned
In a recently announced settlement between the Department of Health and Human Services Office for Civil Rights and a New York health plan, the health plan agreed to pay $1.2 million for the breach of electronic patient records stored in the internal memory of digital photocopiers leased and improperly disposed of by the plan.
EU Commission: Data Breach Notification for Telecoms Providers and ISPs within 24 Hours
Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers […]
European Parliament Committee Releases Proposed Amendments to Data Protection Regulation
Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, released a draft report last month with key proposals to amend the European Commission’s proposed Regulation on data protection. The report includes a total of 350 amendments to the original proposal. Highlights of the 215-page report include the following:
Philippine Data Privacy Law is Signed into Law
Philippine President Benigno Aquino III signed into law the Data Privacy Act of 2012, which is modeled after the EU Data Protection Directive and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. The Act contains provisions that govern the processing of personal information, the rights of data subjects (e.g., notice, access, and data portability), and the security of personal information (which includes a breach notification requirement).
New Italian Rules Concerning Data Security in the Electronic Communications Sector
Following the recent implementation of the EU e-Privacy Directive, the Italian Data Protection Authority (the “Garante”) has issued a set of guidelines based upon which telecom operators and access providers are required to notify the Garante and data subjects of data breaches.
Thoughts on Privacy and Data Security from the May 11 PLI Cloud Computing Seminar
Privacy and data security were at the forefront of the May 11 PLI seminar program entitled “Cloud Computing 2012: Cut Through the Fluff and Tackle the Critical Stuff,” with presenters including Hogan Lovells partners Chris Wolf and Philip Porter. This blog post summarizes the panel discussions, with topics ranging from breach preparation to cloud contracting.