On July 10, 2023, the European Commission issued its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) with respect to companies that subscribe to the EU-U.S. Data Privacy Framework (“DPF”).
On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
Yesterday DOJ announced its first settlement under the Department’s new “Cyber-Fraud Initiative.” This initiative, announced in October 2021, aims to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.” However, as discussed further here, in addition to targeting traditional government contractors, the initiative presents broader opportunities for DOJ to use the FCA to address data protection practices by healthcare providers.
The healthcare industry is consistently the recipient of disproportionate oversight under the FCA, and thus it is perhaps no surprise that DOJ’s first settlement under the Cyber-Fraud Initiative was with a healthcare provider. As announced here, a healthcare provider furnishing medical services on air force bases paid $930,000 to resolve allegations that it “violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services.” The settlement also resolved allegations relating to controlled substances. (more…)