Category

Enforcement

11 February 2019

Michigan Adopts National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law

On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law).  Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.

(more…)

EmailShare
06 February 2019

First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement

On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana.  See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018).  The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.  While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.

(more…)

EmailShare
04 February 2019

Second Annual Review of Privacy Shield Continues to Call for Improvements; White House Nominates Privacy Shield Ombudsperson

In December 2018, the European Commission published its report on the second annual review of the EU-US Privacy Shield (the “Report”). The Report concluded that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the US. However, the Commission did identify a number of recommendations from the first annual review which still required implementation including the appointment by the US of a permanent ombudsperson to oversee complaints.  To date, the U.S. has only appointed an interim ombudsperson (Manisha Singh). In the first annual review, the Commission did not set a deadline for the appointment. However, the latest review required an appointee to be identified by 28 February 2019 failing which the Commission will “consider taking appropriate measures.”

(more…)

EmailShare
29 January 2019

FINRA Issues Its 2019 Risk Monitoring and Examination Priorities Letter

On January 17, the Financial Industry Regulatory Authority (FINRA) released its annual Risk Monitoring and Examination Priorities Letter (Letter), which identifies topics that FINRA will focus on in 2019. Unlike in previous years, this Letter primarily discusses new topics and priorities in areas of ongoing concern while not repeating topics that have been at the center of FINRA’s attention over the years. FINRA notes, however, that while traditional topics such as cybersecurity,1 recidivist brokers and anti-money-laundering (AML) may not be discussed extensively in the Letter, FINRA will nonetheless review firms for compliance regarding these areas of focus.

As always, firms should use the Letter to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming FINRA examinations and provide documentation of relevant reviews. The following is a discussion of some of the more salient points of the FINRA Letter. (more…)

EmailShare
24 January 2019

French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements

On January 21, 2019, the French Supervisory Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued Google’s U.S. headquarters (“Google”) with a fine of €50m for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. The CNIL found that the general structure of Google’s privacy policy and terms & conditions was too complex for the average user and that Google, by using pre-ticked boxes as a consent mechanism, failed to establish a legal basis for data processing to deliver targeted advertising. This is the first regulatory fine the CNIL issued on the basis of the GDPR’s penalty authorities, and it marks a strong enforcement signal to organizations subject to the CNIL’s jurisdiction moving forward. (more…)

EmailShare
22 January 2019

Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’

The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free-flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, U.S. participant organisations commit to adhering to Privacy Shield principles, which include accountability for the onward transfer of personal data after receiving such data from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy which informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms in place for individuals to address complaints with respect to the processing of their personal data.  (more…)

EmailShare
17 January 2019

French DPA Publishes Updated Data Protection Impact Assessment Guidance

Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale. (more…)

EmailShare
16 January 2019

SEC Announces Examination Priorities for 2019

On December 20, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the SEC) released its report (the 2019 Report) setting forth its list of examination priorities for 2019 (the Exam Priorities).1 OCIE announces its exam priorities annually to provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets.2  The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. (more…)

EmailShare
08 January 2019

HHS Releases Cybersecurity Guidance for Healthcare Organizations

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)

EmailShare
03 January 2019

Spain’s New Data Protection Act Now in Force

When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation.  And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe.  After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. (more…)

EmailShare
XSLT Plugin by BMI Calculator