The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.


Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation,  23 NYCRR 500.00, et seq.  The significance of the NYDFS enforcement action cannot be overemphasized.  This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator.  The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser.  The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators.  The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .”   Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.


Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends

On August 14, 2020, the California Attorney General announced final approval of the California Consumer Privacy Act Regulations by the Office of Administrative Law.  The Regulations take effect immediately.

While the revisions made to the Final Regulations mostly consist of “non-substantive changes” to correct grammatical errors or clarify the wording of various provisions, business should be aware of the “global modifications” made in a few key areas.  These are summarized below along with our take on what they may mean for businesses:


Continue Reading Finally Final: CCPA Regulations Take Effect

The EU’s General Data Protection Regulation (“GDPR”) contains the much-publicised right of subject access, which gives an individual the right to access a copy of all the personal data a controller holds in relation to him or her.

Under the GDPR, anything that can identify a living individual is personal data. Obvious examples include names, dates of birth, and addresses. Less obvious examples include photographs, identification numbers, or statements of opinion or fact about a person.

The GDPR also has extra-territorial scope, which means that it applies to organisations and businesses outside the borders of the EU if they meet certain criteria. Organisations based outside the EU could therefore find themselves on the receiving end of a subject access request (“SAR”) from an employee, customer or any other individual whose data they process.


Continue Reading Subject Access Requests and Cross-Border Privilege: Tips for In-House Counsel

Earlier this year, U.S. Senator Sherrod Brown of Ohio released a draft discussion bill that if implemented would drastically alter corporations’ ability to collect and use personal information from consumers.

According to Sen. Brown, “We need legislation now more than ever that empowers Americans to control their personal information. No person should have to worry about being spied on, just as no one should worry about their information being bought and sold or stolen.” Brown believes that his bill would “change the fundamental framework of privacy in this country” by shifting the burden of privacy protection from consumers to corporations. Brown’s new bill is critical of the current consent-based framework that requires customers to agree to privacy policies in order to use specific online service.


Continue Reading Senator Brown Proposes New Privacy Bill

Earlier this year, several pieces of privacy related legislation pending in the 2020 General Assembly session were referred by a standing committee of the Virginia House of Delegates to the Joint Commission on Technology and Science (JCOTS) for study outside of the regular legislative session.  JCOTS has taken its first steps toward establishing study committees to look at several issues prior to the 2021 regular legislative session.

Specifically, JCOTS established the following study committees:

  • Data Protection & Privacy Advisory Committee
  • Children’s Online Protection Advisory Committee
  • Facial Recognition within Law Enforcement Advisory Committee


Continue Reading Virginia Legislative Commission Set to Begin Look at Data Protection, Privacy and Children’s Online Privacy Protection Issues

Artificial intelligence (AI) refers to the ability of a computer or a computer-enabled robotic system to process information and produce outcomes in a manner similar to the thought processes of humans in learning, decision making and problem solving.  As a result of rapid advances in AI, pre-pandemic, McKinsey Global Institute estimated that between 75 and 375 million people around the world will need to change jobs or acquire new skills by 2030.  AI both holds promise of innovation and disruption, as does the legal framework that is developing to rein in its risks without hindering its progress.

In May 2019, the US Government joined the OECD (Organisation for Economic Co-operation and Development) in setting forth principles to improve the innovation and trustworthy development and application of AI.  At the same time, the bipartisan Artificial Intelligence Initiative Act (AIIA) was introduced in the US Senate to organize a national strategy for developing AI and provide a $2.2 billion federal investment over five years to build an AI-ready workforce, accelerating the delivery of AI applications from government agencies, academia, and the private sector over the next 10 years.


Continue Reading The Evolving World of AI

Does your phone immediately unlock for use after you glance at it?  Have you visited your favorite social media platform only to find that you have been tagged in dozens of pictures?  Or how about that time you scanned your fingerprints or eyes to open your phone, gain admittance to a theme park, or pass through airport security?  These features all involve biometrics technology—the latest trend and high-growth area of technology used to help organizations provide consumers with a more effortless and interactive experience in exchange for personal information about your physical or behavioral attributes.  Companies should be mindful in collecting this data and how they use and store that information.

Biometrics include facial, fingerprint, iris, gestures, and voice recognition.  While biometrics technology is becoming more ubiquitous in daily life and being employed by more governmental agencies and service providers, new privacy considerations will continue to emerge as a result of the pieces of personal information shared by consumers to increase convenience.


Continue Reading As Biometrics Technology Permeates Everyday Life, What Laws Should Companies Be Aware Of?

If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to-date:


Continue Reading California Attorney General CCPA Enforcement—Make Sure You Pay Attention to What Customers Are Saying on Twitter

Update: On the evening of June 24, 2020—the same date we published the post below and the day before the original deadline for verification of signatures—the Secretary of State announced that the CPRA reached the signature verification threshold and qualified for the fall 2020 ballot.  While the Mactaggart lawsuit will now be a mere footnote in the history of the CPRA, any way you look at it, this was a successful week for Californians for Consumer Privacy.

On June 19, 2020, the Superior Court for Sacramento County, California issued a ruling providing relief to the promoters of the California Privacy Rights Act ballot initiative (the “CPRA”).  We wrote here about the potential problem with the timing of the signature verification process required for the CPRA to qualify for the Fall 2020 ballot, but that issue now appears to be resolved.

The specifics are to be ironed out in a further order to be jointly proposed by the parties, but suffice it to say that the procedural issue with the timing of signature verification will not prevent the CPRA from appearing on the Fall 2020 ballot.  For now, the Court ordered as follows:


Continue Reading CPRA Back on Track Following Court Order