Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is intended to better align the Health Breach Notification Rule with recent technological advancements and mobile applications that access personal health data.

Read More

Once an outlier, the 11th U.S. Circuit Court of Appeals recently joined seven other Circuit Courts in holding that receipt of a single, unwanted text message constitutes the concrete injury required for standing in class actions filed under the Telephone Consumer Protection Act. Read on for details about this development and implications for TCPA class actions moving forward.

Read More

On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for reporting companies.

Read More

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely to complicate DHS contractors’ cybersecurity compliance programs.

Read more

Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.

Continue Reading Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses

Over the past few years, data privacy and security has been the focus of many state legislatures.  CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023 when the Governor signed the latest consumer privacy bill into law.  Many other states have bills in the legislatures that are likely to become law, including FL, MT and TN (where the bills are awaiting the governors’ signatures).   Though most of these laws apply to businesses that control or process personal data of 100,000 or more residents in each of those states, California’s data privacy law applies to any business that has gross annual revenue of over $25M if it collects the personal data of any California resident, which includes employees and business contacts.

Continue Reading Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies

On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation.  Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them.  Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.[1]

Continue Reading Iowa Joins Data Privacy Vanguard

An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”).  Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.

Continue Reading The Door Opens for Astronomical Damages Under BIPA

Cyberattacks on corporate networks are on the rise, and the ramifications from such attacks can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across industries aimed at preventing breaches jumping 51%. And while businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of policies. Interestingly, next month Lloyd’s is adding exclusions to limit insurance coverage for state-sponsored cyberattacks.

Read on to learn how to prepare your company for these rapidly evolving security risks and why policyholders should review cyber, property and other policies to determine which may provide cyberattack coverage.

The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going forward.