In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be overcharged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR.

Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access

As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition of “consumer.”  This amendment was slated to exclude businesses from having to comply with the CCPA if their only connection to the “big data” world is collecting the personal information of employees and job applicants.

Recently, however, AB-25 underwent significant revisions when it made its way to the Senate Judiciary Committee for hearing on July 9, 2019. The bill’s author, Assembly Member Ed Chau, agreed to amend AB-25 before it unanimously passed. The amended version now states that businesses collecting personal information from job applicants, employees, owners, directors, officers, medical staff members or contractors of the business are exempt from the CCPA only until January 1, 2021. Moreover, businesses are not completely off the hook under the one-year exemption. They must still comply with the disclosure obligations under Section 1798.100, and they remain subject to a private right of action under the CCPA if there is a data breach based on a business’s failure to implement and maintain reasonable security procedures and practices.

It remains to be seen if AB-25 will be signed into law in its current iteration.  The addition of the sunset clause suggests that this amendment may be a placeholder until proponents on both sides of this issue negotiate legislation that, on the one hand, alleviates the CCPA’s burden on employers who do not collect or sell typical consumer data, and on the other hand, adequately protects employee privacy and information.

With relatively minimal fanfare, Nevada passed Senate Bill 220 (SB-220), making it the second state to offer consumers the ability to opt out of the sale of their personal information. SB-220 is narrower than the California Consumer Privacy Act (CCPA), but it becomes effective on October 1, 2019 – four months before the CCPA.

Continue Reading Privacy and Cybersecurity State Law Tracker: Nevada Consumer Privacy Law

Maine Governor Mills signed “An Act To Protect the Privacy of Online Customer Information” (LD 946), which requires Internet service providers (ISPs) to obtain opt-in consent prior to “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.” LD 946 goes into effect in July 2020.

Continue Reading Privacy and Cybersecurity State Law Tracker: Maine Consumer Privacy Law

New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. The SHIELD Act takes effect in March 2020.

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.

Continue reading for a summary of the SHIELD Act and how it could impact your business.

Continue Reading Privacy and Cybersecurity State Law Tracker: NY SHIELD Act and Information Governance

On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on civil money penalties (CMP) that HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers; the limit progressively increases from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year.

Continue Reading HHS Lowers Annual Caps on Most HIPAA CMPs

Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.

How Family Offices Can Defend Against Cyberattacks

Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large-scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is responsive to ongoing and evolving threats.

Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part III)

Welcome back to our three-part series examining vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. Here, we will review different types and trends of cyberattacks.

Cyberattack Trends

Most cyberattacks are the result of “phishing” emails. “Phishing” refers to a deceptive effort to obtain the recipient’s sensitive information by disguising the sender as someone the recipient knows and would trust. Phishing recipients can be deceived into downloading malicious software, providing personal information like account numbers or PINs, wiring funds or paying invoices to cyber-criminals. Ransomware is malware that denies the victim access to their system’s files until the victim pays a ransom. While malware can also take the form of “drive-by” downloading when a victim visits a website prompting the malware to download, over 90% of malware is still delivered via email.

Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part II)

At least 25% of family offices have been the subject of cyberattacks, and nearly 40% of them lack a cybersecurity policy. Welcome to a three-part series that will examine the cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks.

Family Offices Are Particularly Vulnerable to Cyber-Crime

As part of the global increase in the number of billionaires, family offices have evolved from little more than holding companies to highly sophisticated financial firms managing family wealth, administering assets and acting like a typical private equity or debt fund. Family offices are managing almost 50% of Ultra High Net Worth family wealth. Given the vast amount of wealth that family offices support, they are prime targets for cybercrime, which some analysts project will account for a global $6 trillion cost by 2021. The fact that nearly 40% of family offices do not even have a cybersecurity policy in place highlights the need for improvement when it comes to making themselves less vulnerable to cybercrime.

Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats?

The world of data privacy often focuses on how companies are using consumers’ information and what measures those companies take to protect such information. Each of the fifty states has enacted laws that require entities to notify individuals of security breaches involving personally identifiable information (although those laws vary greatly). Additionally, twenty-five states have laws that address the data security practices of private sector entities. But what happens when a privacy breach originates not from a company, but from a government agency?

Continue Reading How Do State Governments Protect Your Personal Information?