EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?
On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action
On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims
For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1
Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years
Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1
Uber Data Breach Results in Corporate Cooperation and Executive Conviction
On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
Caremark’s Comeback Includes Potential Director Liability in Connection With Data Breaches
A Caremark-based claim against a board of directors alleging a failure to monitor corporate operations has been said to be “the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” or at least to withstand a motion to dismiss. Yet, Caremark has taken on renewed importance — as noted by this blog — following recent high-profile successes on duty-to-oversee claims, most notably in Marchand v. Barnhill in 2019 and In re Boeing in September 2021, and recent shareholder lawsuits alleging that data breach- and cybersecurity-related failures would have been preventable were it not for oversight failures by corporate officers and directors, are being plead asserting Caremark claims. (more…)
DOJ Deploys the FCA on Cybersecurity Fraud
This article originally appeared in Law360 on November 3, 2021.
Sidley lawyers Brenna Jenny and Sujit Raman recently published an article in Law360 entitled How To Minimize FCA Cyber Fraud Enforcement Risk, which analyzes the implications of DOJ’s recent formation of a Civil Cyber-Fraud Initiative to use the FCA to pursue cybersecurity-related fraud. Although the Initiative focuses generally on government contractors and grant recipients—and does not, by its terms, impose any new cybersecurity requirements—the project promises in particular to attract whistleblowers in the defense industry, as recent years have witnessed high-profile FCA cases implicating alleged cybersecurity non-compliance in that sector. The healthcare industry may also see a marked increase in cybersecurity-related qui tams, especially in light of a recent Department of Health and Human Services Office of Inspector General report taking the Centers for Medicare & Medicaid Services to task for failing to hold hospitals accountable for the cybersecurity of their networked devices. Healthcare providers and medical device manufacturers, in addition to other government contractors and grantees, would do well to heed DOJ’s warning that “cybersecurity failures…are prime candidates for potential False Claims Act enforcement.”
How Artificial Intelligence Manufacturers Can Protect Themselves Against Future Negligence Claims
Innovative medical devices have changed the healthcare landscape and will continue making dramatic improvements in patient care. Nevertheless, the growth of such devices will inevitably lead to increased litigation over their alleged failures. All companies developing healthcare tech therefore need to consider measures to protect themselves against potential claims. (more…)
Changes to FTC Rulemaking Procedures Herald More Aggressive Action on Consumer Privacy
On July 22, 2021, the Federal Trade Commission finalized important changes to its procedures for rulemaking under Section 18 of the FTC Act. Section 18 authorizes the Commission to make regulations, termed “Trade Regulation Rules,” (or “Magnuson-Moss Rules” after their authorizing statute), which “define with specificity” conduct that violates the FTC Act’s ban on “unfair or deceptive” business practices. Section 18 rules are promulgated through a “hybrid rulemaking” process that includes, if an interested party requests it, an “informal hearing” with limited opportunities for oral presentation and cross-examination by representatives of stakeholder groups. (more…)
