Compliance with out-of-state investigative requests, like warrants, just got a little trickier for some California-based companies.

Read on for details and implications of a new California law that, among other things, prohibits technology and communications companies based in the state from providing user data to out-of-state authorities investigating abortions that would be legal under California law.

During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputy Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.

Read on for details and analysis of his remarks and proactive steps financial institutions can take to build secure, privacy-preserving digital identity solutions.

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.

During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.

New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are compliant with HIPAA following the expiration of the PHE.

Read on for steps covered entities should take to ensure compliance with HIPAA and a description of the recent expansion of reimbursement for audio-only telehealth.

On July 8, 2022, the U.S. Department of Justice announced a $9 million settlement with federal government contractor Aerojet Rocketdyne, Inc. for alleged violations of the False Claims Act in a case pending in the Eastern District of California. The settlement results from alleged false statements by Aerojet related to compliance with Department of Defense cybersecurity requirements described in DoD Federal Acquisition Regulation Supplement clause 252.204-7012 and National Aeronautics and Space Administration Federal Acquisition Regulation Supplement clause 1852.204-76. The settlement further underscores DOJ’s commitment to FCA enforcement actions involving cybersecurity considerations related to its Civil Cyber-Fraud Initiative announced in October 2021. The settlement serves as a clear reminder to contractors that DOJ and the plaintiffs’ qui tam bar are taking the Cyber-Fraud Initiative seriously.

Read on to learn why a close understanding of and adherence to federal agency contractual cybersecurity requirements are important mandates for the government contracting community broadly and the defense industrial base in particular.

In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services now seeks public comment on what should be considered a recognized cybersecurity practice.

Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices, and ensure they have been actively and consistently used over the prior 12-month period, in order to reduce the risk of HIPAA audits and fines.

See our recent alert for more details about this request for public comments, which are due June 6.

On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.

Read on for details about the alleged violations and the corrective actions required in the FTC’s new order.

Reflecting its determination to monitor the crypto markets, the U.S. Securities and Exchange Commission announced today that it was renaming the Cyber Unit the “Crypto Assets and Cyber Unit” and nearly doubling its size, from 30 to 50 members. The additional permanent positions will include investigative staff attorneys, trial lawyers and fraud analysts, who will target the full panoply of hot topics in the crypto world.

Read on for details about this development and implications for crypto market participants.

Federal courts in recent Telephone Consumer Protection Act cases served up two victories and one disappointment for the defense. Siding with the defense, the 7th U.S. Circuit Court of Appeals ruled that defendants do not carry the burden of proof at class certification, and the 8th Circuit joined other courts in maintaining a narrow autodialer definition. Defendants were less pleased when the U.S. Supreme Court denied a petition that would have resolved the enforceability of the autodialer prohibitions.

Read our alert to learn more about these developments and their implications for businesses defending against TCPA claims and class actions.

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become compliant if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws.