On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.


Continue Reading DOL’s New Cybersecurity Guidance

On April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved a circuit split regarding the meaning of “automatic telephone dialing system” (autodialer or ATDS) under the Telephone Consumer Protection Act (TCPA). In a decision authored by Justice Sonia Sotomayor, the court adopted the narrow, pro-defendant definition of autodialer.

Continue Reading U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory

On March 9, the Department of Health and Human Services announced it was extending until May 6, 2021, the comment period for proposed changes to regulations implementing the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

Read our complete alert to learn

2021 is shaping up to be a groundbreaking year for employment litigation topics, and Illinois’ Biometric Information Privacy Act (BIPA) is no exception. State and federal appellate courts in Illinois are poised to decide several open issues, including the proper limitations period, whether the Workers Compensation Act pre-empts BIPA claims and whether BIPA liquidated damages

Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.


Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

On Feb. 15, Rep. Fiona McFarland (R-Sarasota) filed HB 969, following a press conference in which Gov. Ron DeSantis and House Speaker Chris Sprowls made clear their intent to crack down on “big tech.” A Senate companion bill is expected to be filed shortly, and the issue has support from Senate President Wilton Simpson. McGuireWoods Consulting expects a version of this bill will pass by the time Florida’s legislative session ends on April 30.

Continue Reading Florida House Moving on Major Consumer Data Privacy Legislation

As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data.  However, we have recently seen an increasing number of states focusing on this issue.  Part I summarized legislative activity on this issue in 2020.  In this Part II, we discuss noteworthy legislation to monitor in 2021.

What to Expect in 2021

At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.

New York – AB 27

On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data.  BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy.  As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data.  The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.


Continue Reading U.S. Biometrics Laws Part II: What to Expect in 2021

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

The proposed rule is part of HHS’ Regulatory Sprint to Coordinated Care, which seeks to promote value-based healthcare by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients. Specifically, HHS aims to amend the regulations implemented pursuant to HIPAA and HITECH where the rules present barriers to coordinated care and case management or where they otherwise impose burdens on covered entities that do not increase individuals’ privacy protections.


Continue Reading Department of Health and Human Services Announces Proposed Changes to the HIPAA Privacy Rule

Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.


Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020

On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays compliance dates necessary to meet certain requirements related to information blocking initially finalized in the ONC Cures Act Final Rule (Final Rule) in March of 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patient’s ability to access their electronic health information (EHI). Among these provisions is a prohibition of information blocking. This article will define information blocking, provide and explain exceptions to such practice, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.

Information Blocking

The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:

  1. Healthcare Providers
  2. Health information technology companies that have a certified health IT system
  3. Health information networks (HINs)
  4. Health information exchanges (HIEs)


Continue Reading Information Blocking Compliance: What Providers Need To Know As Deadlines Approach