On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana. See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018). The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.
When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation. And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe. After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. (more…)
With the midterm election out of the way, legislators on Capitol Hill and in state capitols are getting ready to consider the future of data privacy regulation in 2019 and consumer and industry groups continue to weigh in on the ongoing debate. The debate has begun to move from principles and frameworks to drafting of legislative language.
On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”). The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them. The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2). The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).
The proposed Guidelines are open for public consultation until January 18, 2019. It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)
Rapid advances in automation have the potential to disrupt a number of sectors, perhaps none more so than the automobile industry. The U.S. Department of Transportation (DOT) has accordingly announced its intention to take “active steps to prepare for the future by engaging with new technologies to ensure safety without hampering innovation.” Most recently, on October 4, 2018, DOT issued Preparing for the Future of Transportation: Automated Vehicles 3.0 (AV 3.0), its third round of guidance on the topic. Like its 2017 predecessor, “Automated Driving Systems 2.0: A Vision for Safety,” AV 3.0 emphasizes the development of voluntary, consensus-based technical standards and approaches while noting that there are cross-cutting policy issues where federal leadership may be necessary. AV 3.0 also builds on its predecessors by emphasizing that it reflects the view of all of DOT’s operating administrations; by providing much more detailed guidance on the development and testing of automated vehicle technologies; and by announcing some specific regulatory steps DOT plans to take in the near future. (more…)
Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)
The growing network of internet of things (IoT) devices is expected to reach 30 billion devices by 2020. Despite this tremendous growth, the state of IoT regulation is patchwork at best. Although the FTC is the primary security regulator for consumer IoT devices, there are no comprehensive regulations or laws specific to the unique challenges of the IoT market. This absence of clear and unambiguous standards can be a burden for IoT companies who are looking to innovate while maintaining their customers’ privacy. (more…)
On Friday, August 31, the California legislature unanimously passed a host of “clean-up” amendments to the new California Consumer Privacy Act (CCPA), AB 375, as it set about addressing flaws and other concerns in the state’s groundbreaking data privacy law. These amendments are now awaiting Governor Brown’s signature. (more…)
Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.
By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:
- an audit trail that shows detection of and response to material cybersecurity events;
- written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
- data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
- risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.
Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information. (more…)
On June 28, 2018, California Gov. Jerry Brown signed into law the California Consumer Privacy Act of 2018 (AB 375). According to the bill’s author, it was consciously designed to emulate the new European General Data Protection Regulation (GDPR) that went into effect on May 25, and if and when it goes into effect, it would constitute the broadest privacy law in the United States. It is intended to give consumers more transparency regarding and control over their data and establishes highly detailed requirements for what companies that collect personal data about California residents must disclose. (more…)