Takeaways From CCPA Public Forums

When California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018, there was broad agreement that revisions and clarifications were necessary.  The CCPA was written and enacted with extraordinary speed, as legislators felt the need to move quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot.  Consequently, June 28 was, in many ways, the beginning of a debate over the specifics of the CCPA, rather than the end.  Indeed, the California legislature has already passed a “clean-up” bill to address concerns expressed about the CCPA, and heated debates over the meaning and merits of specific provisions continue. 

Read More

EmailShare

Michigan Adopts National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law

On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law).  Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.

Read More

EmailShare

EDPB Adopts Opinion on Interplay Between the EU Clinical Trials Regulation and the GDPR

On 23 January 2019, the European Data Protection Board (EDPB) adopted an opinion on the interplay between the EU Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR). The Opinion addresses the appropriate legal basis for the processing of personal data in the context of clinical trials (primary use), and the secondary use of clinical trial data.

Read More

EmailShare

First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement

On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana.  See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018).  The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.  While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.

Read More

EmailShare

Second Annual Review of Privacy Shield Continues to Call for Improvements; White House Nominates Privacy Shield Ombudsperson

In December 2018, the European Commission published its report on the second annual review of the EU-US Privacy Shield (the “Report”). The Report concluded that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the US. However, the Commission did identify a number of recommendations from the first annual review which still required implementation including the appointment by the US of a permanent ombudsperson to oversee complaints.  To date, the U.S. has only appointed an interim ombudsperson (Manisha Singh). In the first annual review, the Commission did not set a deadline for the appointment. However, the latest review required an appointee to be identified by 28 February 2019 failing which the Commission will “consider taking appropriate measures.”

Read More

EmailShare

In Landmark Case, Illinois Supreme Court Sets Low Bar For Claims Under Illinois’ Biometric Information Privacy Act

On January 25, 2019, the Illinois Supreme Court unanimously held that a plaintiff does not need to allege any actual injury or damages to successfully state a claim under the Illinois Biometric Information Privacy Act (BIPA). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) (a copy of the opinion is available here). A violation of the statute by itself is sufficient to state a claim, even if no breach or misuse of the biometric information or identifier has occurred. Because BIPA includes stiff liquidated damages for violations, the court’s ruling is likely to lead to renewed interest by the plaintiffs’ bar in class action suits alleging BIPA violations.

Read More

EmailShare

FINRA Issues Its 2019 Risk Monitoring and Examination Priorities Letter

On January 17, the Financial Industry Regulatory Authority (FINRA) released its annual Risk Monitoring and Examination Priorities Letter (Letter), which identifies topics that FINRA will focus on in 2019. Unlike in previous years, this Letter primarily discusses new topics and priorities in areas of ongoing concern while not repeating topics that have been at the center of FINRA’s attention over the years. FINRA notes, however, that while traditional topics such as cybersecurity,1 recidivist brokers and anti-money-laundering (AML) may not be discussed extensively in the Letter, FINRA will nonetheless review firms for compliance regarding these areas of focus.

As always, firms should use the Letter to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming FINRA examinations and provide documentation of relevant reviews. The following is a discussion of some of the more salient points of the FINRA Letter.

Read More

EmailShare
EmailShare
XSLT Plugin by BMI Calculator