enforcement

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

Continue Reading HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems. The final settlements follow a notice-and-comment period opened to the public in June 2012.

Continue Reading FTC Finalizes Settlements with Companies for Exposing Sensitive Consumer Information through Installation of Peer-to-Peer File Sharing Software

Earlier this week, Wyndham Hotels & Resorts LLC moved to dismiss the complaint filed against it by the Federal Trade Commission in connection with Wyndham’s data security practices, asserting that the FTC has neither the authority nor the expertise to regulate them.

As we previously noted, the FTC filed a complaint against Wyndham in June — the first data security enforcement action to be litigated instead of being resolved by settlement.  Wyndham has now moved to dismiss the complaint, calling the FTC’s case “a classic example of agency overreaching.”

Continue Reading Wyndham: FTC Lacks Authority to Regulate Data Security

California Attorney General Kamala Harris yesterday announced the creation of a Privacy Enforcement and Protection Unit in her office that will focus on protecting consumer and individual privacy through civil prosecution of federal and state privacy laws.  The Unit will be staffed by six prosecutors who will focus on privacy

Continue Reading California AG Creates New Privacy Enforcement and Protection Unit

By Ryan Mowery

Last week, the FTC filed suit in federal court against global hospitality firm Wyndham Worldwide Corporation in connection with a series of data breaches affecting Wyndham and its subsidiaries between 2008 and 2010. The complaint alleges that Wyndham misrepresented the security measures it employed to protect consumers’ personal information and that consumers were harmed by Wyndham’s failures to provide reasonable security for that information. The FTC asserts that the alleged misrepresentations amounted to “deception” in violation of Section 5 of the FTC Act, while the failure to employ reasonable security measures violated the FTC Act’s prohibition against “unfair” acts.

Continue Reading The FTC’s Lawsuit Against Wyndham