Enforcement - Federal Agency and State AG Action

The one-year transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expired on March 1, 2018. Financial services companies that are regulated by NYDFS now face additional requirements for assessing, monitoring, testing and reporting on the integrity and security of their information systems and the overall effectiveness of their cybersecurity programs.

Overview of New York Cybersecurity Regulations

The NYDFS cybersecurity regulations became effective on March 1, 2017, and the initial 180-day transitional period expired on August 28, 2017. The regulations that took effect last year require all covered entities to implement a cybersecurity program that identifies and protects against cybersecurity risks and adopt comprehensive policies and procedures for the protection of the company’s information systems and nonpublic information. The cybersecurity regulations apply to any organization operating under or required to operate under a NYDFS license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law.

Additional Actions Required to Achieve Compliance

On March 1, 2018, additional requirements under the cybersecurity regulations took effect. In addition to the requirements that took effect last year, covered entities that are subject to the cybersecurity regulations must implement the following additional cybersecurity measures:

On February 28, 2018, the Federal Trade Commission (FTC) hosted its third PrivacyCon conference in Washington D.C., an event that highlights research and facilitates discussion of the latest research and trends related to consumer privacy and data security. The FTC welcomes privacy and data security researchers to inform it of their latest findings, and

Last week, as previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks. The release of this guidance underscores the SEC’s intent to prioritize cybersecurity compliance in 2018. The SEC may bring action against boilerplate cybersecurity disclosures that are not specifically tailored to address unique

The GDPR (General Data Protection Regulation) will be applicable as of May 25, 2018. The (high) level of penalties under the GDPR will become one of the core issues for companies. Indeed, the GDPR is based on the European fundamental rights to privacy and data protection and could potentially apply outside the European Union.

In

On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.

When Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, it directed the FTC to create a rule implementing the goal of

The Virginia General Assembly is underway and several privacy related bills are on the legislative agenda for 2018. The Virginia legislature will consider approximately 3,000 bills during its 60-day session that will end in early March. Several of these pending bills have privacy implications in a variety of substantive areas.

Tax Return Data

In an

Drug adherence programs have significantly evolved over the last few years with drug companies, health plans, and providers taking steps to monitor patient medication compliance. Drug adherence is the degree to which a patient complies with medication administration advice for treatment of chronic disease. Beyond the obvious benefits to patients’ health and health entities’ bottom lines, drug adherence can have a large effect on public health and social communities. Therefore, although it is no surprise that the health care industry has turned its focus to adherence in a big way, it may be surprising that in an industry where confidentiality is king, the most recent strategy may be turning to big brother.

U.S. Food & Drug Administration Announcement

This past November, the U.S. Food & Drug Administration (“FDA”) announced approval of a new solution to medication noncompliance – digital tracking. The FDA has not broadly blessed the practice, which has been around since 2012, but rather took a large leap in that direction by approving the digital drug Abilify MyCite – a collaboration between drug manufacturer Otsuka and technology company Proteus Digital Health. The drug is used for the treatment of schizophrenia, episodes associated with bipolar I disorder, and certain depression diagnoses in adults, and Abilify MyCite, specifically, uses an ingestible sensor embedded in the drug tablet to trigger an electrical signal upon reacting with stomach acids. The signal is sent to a wearable patch and a mobile application, which records that the medication was taken. Patient relatives and caregivers can also track medication compliance by directly accessing the information through a similar application or web-based portal.[1]

Privacy Concerns and Obtaining Consent

As the industry looks to improve public health and reduce health care costs (medication noncompliance is estimated to cost $100 billion/year in the U.S.), it must balance those goals against the need to uphold patient rights, including patient privacy, especially where disease increases patients’ vulnerability. While HIPAA and state laws generally allow the access to and disclosure of patient information with consent as well as for treatment purposes,[2] regulation regarding this kind of monitoring by third parties and the resulting use of the data is less explicit. Just as states are beginning to take a stronger stance on protection of biometric and genetic information, digital drugs and medication compliance may be next to receive additional scrutiny and increased protections.

Earlier this year, the Northern District of Illinois declined to certify a Telephone Consumer Protection Act (TCPA) class action even though the key issue in the case – whether class members had provided prior express written consent to receive prerecorded telemarketing calls – appeared to be a common question. In Legg v. PTZ Insurance Agency,

As previously written about in this blog, student privacy figured prominently in a few campaigns for the Virginia House of Delegates this past Fall. A progressive special interest group utilized Virginia’s Freedom of Information Act to request and receive student identifying information, including cell numbers, from numerous public colleges and universities in Virginia (

The Federal Trade Commission (FTC) and U.S. Department of Education (ED) increasingly are responding to concerns about educational technology and its ability to capture and manipulate massive quantities of private student and parent data. “EdTech,” as it is called, broadly refers to online curriculum and instructional materials accessed by school and personal devices. EdTech has