Perspectives on Privacy, Data Protection & Data Security

In the wake of the recent ransomware attack on Hollywood Presbyterian Medical Center, news reports have emerged that at least three more medical centers and a large health care system have been the victims of these attacks.

Costco Wholesale Corporation recently moved to dismiss a class action lawsuit alleging that the discount retailer printed more than the last five digits of a customer’s credit card number on her receipt, in violation of the Fair and Accurate Credit Transactions Act.

Following a settlement, ASUSTeK must maintain a comprehensive security program and endure 20 years of independent audits. The onus is on technology companies to ensure reasonable security measures and practices.

Cybersecurity may have rocketed to the top of management’s priority list in the wake of the recent cyberattack on Hollywood Presbyterian Medical Center (HPMC) that left the hospital unable to access some of its computer systems for ten days.

More details are still to come regarding the potential replacement to the invalidated Safe Harbor data transfer mechanism, the EU-US Privacy Shield.

On January 15, 2016, the National Highway Traffic Safety Administration (NHTSA) and 18 automakers pledged to work together to enhance safety and improve recalls. In addition, the automakers agreed to voluntarily work with the government to identify cybersecurity threats to cars and light trucks.

This morning, the European Commission and US Department of Commerce agreed on a Safe Harbor replacement deal, rebranded as the EU-US Privacy Shield.

The Federal and Trade Commission recently released a report outlining the benefits and risks involved in using big data.

The EU Commission, Parliament, and Council of Ministers recently reached an agreement on the General Data Protection Regulation (GDPR).

Earlier this month, Arent Fox counsel James Westerlind published an article with Mealey’s Emerging Insurance Disputes that details how cybersecurity risks are impacting insurance policies. 

The Network Advertising Initiative (NAI), an advertising industry trade group for third-party advertisers, recently released the 2015 update to its Mobile Application Code.

The FTC may start to scrutinize marketers that engage in cross-device tracking. Advertisers engaged in cross-device tracking should review their online disclosures to ensure that the tracking is adequately described.

Multinational businesses and EU member states are currently making ad hoc decisions to regulate data transfer to the US. To address the chaos, several EU data protection authorities have issued new guidance.

Banks are a key target for hackers, and finance hub New York aims to set first state regulations in this space. While the cyber regulatory landscape continues to shift, companies should constantly analyze and update security measures as compliance does not guarantee security.

The Federal Trade Commission has lost an important mechanism for privacy and data security enforcement in data flowing across the Atlantic with the invalidation of the Safe Harbor framework, according to Commissioner Julie Brill.

The decision caused international panic and businesses will be asked questions about their data protection practices. It is important to check where Safe Harbor is built into current agreements and evaluate both business-to-consumer and business-to-business relationships.

These action items will not only put you in a better position when a breach arises, but you will have the right answers when a regulator calls.

The EU’s top court could rule the Safe Harbor framework is ineffective to allow data to flow across the Atlantic and as companies await the Oct. 6 decision, they should consider other options for transfer of data from the EU to the US.

In a closely watched data collection case, Arent Fox LLP secured a victory for Lacoste when the California Supreme Court declined to clarify whether retailers in the state can ask customers for their personal information.

New York insurer Excellus BlueCross BlueShield became the most recent health care company to announce it was the victim of a sophisticated cyberattack after hackers gained access to the Social Security numbers, mailing addresses, and financial information of as many as 10 million customers.

The US Department of Health and Human Services, Office for Civil Rights announced a new settlement for $750,000 with Cancer Care Group, P.C. to resolve potential violations of the HIPAA Privacy and Security Rules identified as the result of the theft of a laptop and backup media.

On September 2-3, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) hosted the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security conference.

On May 20, 2015 the Bureau of Industry and Security (BIS) within the Department of Commerce (Commerce) published a proposed rule that will affect exports of products dubbed “cybersecurity items.”

On June 10, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights, announced that it had entered into a resolution agreement with St. Elizabeth’s Medical Center, a Massachusetts hospital, to resolve potential HIPAA violations.

Beginning September 1, 2015, many companies that engage in mobile advertising will be subject to a new level of scrutiny by industry watch dogs.