In a unanimous decision, the Ohio Supreme Court found that a computer software company’s business owners insurance policy does not cover losses resulting from a ransomware attack on the company’s computer software systems because the attack did not cause physical loss or physical damage to the software.

Read on for background on this case and analysis of the ruling.

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks to their businesses and their customers.

As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. The data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now subject to specific standards and requirements prescribed in recognition of the consumer rights created by each of the Acts. As a result, businesses need to ensure that their policies and practices are adjusted to address the increased privacy risk.

The Virginia Consumer Data Protection Act (“VCDPA”) will go into effect on January 1, 2023. This statute requires companies that operate in Virginia or target Virginia consumers (whether or not the company is located in Virginia) and collect personal information from more than 100,000 Virginia consumers annually to meet certain cybersecurity requirements and to offer certain privacy rights to those consumers, such as the right to opt out. For more specifics on the VCDPA, read on here.

The California Privacy Rights Act (“CPRA”) also goes into effect on January 1, 2023. This statute applies to any business that collects the personal information of a California resident if that business meets one of the following three criteria: (1) had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year; (2) alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information. These businesses must meet certain disclosure and cybersecurity requirements and must offer certain privacy rights to those consumers. Subject to certain exceptions, these rights include the right of consumers to know what information is collected about them, the rights to correct and delete their personal information, the right to opt out of the sale or sharing of their personal information and the right to limit the use of their sensitive personal information. Read on for more specifics on the CPRA here.

Our Data Privacy & Security team can assist with drafting privacy policies that are consistent with the Virginia CDPA and the CPRA. Contact us today to learn more.

On Nov. 21, 2022, the Federal Communications Commission issued a declaratory ruling and order finding that “ringless voicemails” to wireless phones are “calls” made using an artificial or prerecorded voice. Such calls, therefore, are subject to the Telephone Consumer Protection Act and callers must obtain consent before delivering such messages.

Read on to learn about the FCC’s ruling and why companies should not rely on a vendor’s representation that its technology falls outside the TCPA’s reach.

Compliance with out-of-state investigative requests, like warrants, just got a little trickier for some California-based companies.

Read on for details and implications of a new California law that, among other things, prohibits technology and communications companies based in the state from providing user data to out-of-state authorities investigating abortions that would be legal under California law.

During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN Acting Deputy Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.

Read on for details and analysis of his remarks and proactive steps financial institutions can take to build secure, privacy-preserving digital identity solutions.

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, that it failed to honor requests submitted through Global Privacy Controls (“GPC”), and that it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.

During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.

New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are compliant with HIPAA following the expiration of the PHE.

Read on for steps covered entities should take to ensure compliance with HIPAA and a description of the recent expansion of reimbursement for audio-only telehealth.

On July 8, 2022, the U.S. Department of Justice announced a $9 million settlement with federal government contractor Aerojet Rocketdyne, Inc. for alleged violations of the False Claims Act in a case pending in the Eastern District of California. The settlement results from alleged false statements by Aerojet related to compliance with Department of Defense cybersecurity requirements described in DoD Federal Acquisition Regulation Supplement clause 252.204-7012 and National Aeronautics and Space Administration Federal Acquisition Regulation Supplement clause 1852.204-76. The settlement further underscores DOJ’s commitment to FCA enforcement actions involving cybersecurity considerations related to its Civil Cyber-Fraud Initiative announced in October 2021. The settlement serves as a clear reminder to contractors that DOJ and the plaintiffs’ qui tam bar are taking the Cyber-Fraud Initiative seriously.

Read on to learn why a close understanding of and adherence to federal agency contractual cybersecurity requirements are important mandates for the government contracting community broadly and the defense industrial base in particular.

In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services now seeks public comment on what should be considered a recognized cybersecurity practice.

Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices and ensure they have been actively and consistently used over the prior 12-month period to reduce the risk of HIPAA audits and fines.

See our recent alert for more details about this request for public comments, which are due June 6.