Data Breach

On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers.  According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint. 

This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement.  Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.

Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule

On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are:

  1. expanding data breach notification requirements under New York law; and

Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others.  The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services.  The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.
Continue Reading Vermont Enacts Data Breach Notification and Student Privacy Legislation

Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.
Continue Reading Round-Up of Recent Changes to U.S. State Data Breach Notification Laws

On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law.  The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending New York’s data breach notification statute to broaden the circumstances under which notification may be required.  The second bill, meanwhile, will require consumer reporting agencies to offer identity theft prevention and mitigation services.  Both bills are described in further detail below.
Continue Reading New York Passes New Data Security and Breach Notification Requirements

The Washington Privacy Act stalled this April in the state’s House of Representatives, and will likely not reappear again for discussion until the 2020 legislative session.

The bill overwhelmingly passed the Senate, but failed to come to a floor vote in the House of Representatives before the April 17th deadline for state lawmakers to consider

On February 26, 2019, a key House subcommittee held a hearing to explore the possible contours of new federal privacy legislation.  At the hearing, Rep. Jan Schakowsky (D-IL)—who chairs the Energy & Commerce Committee’s Subcommittee on Consumer Protection and Commerce—said the hearing on “Protecting Consumer Privacy in the Era of Big Data” was only the first of “several hearings” that she would organize on consumer privacy.

Continue Reading House Subcommittee Holds Initial Hearing On Potential New Privacy Bill

The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law.  In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.  The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.
Continue Reading Massachusetts Amends Data Breach Notification Law to Require Free Credit Monitoring

Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception.  Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements.  Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.
Continue Reading State Data Breach Notification Laws: 2018 in Review