United States

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:

In an effort to improve international privacy rights, the United Nations Human Rights Council yesterday established a special rapporteur on the right to privacy.  Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that range from access to water to extrajudicial killings.  Yesterday’s Resolution on

On August 1, Representatives Lee Terry (R- Neb.) and Jan Schakowsky (D-Ill.) announced the creation of a bipartisan Privacy Working Group in the U.S. House of Representatives that will seek to “examine online privacy concerns and issues…with a balanced approach that recognizes the need to protect personal information online in a manner that preserves growth

On Tuesday, the U.S. cybersecurity firm Mandiant released a 60-page report detailing the activities of a hacking collective it claims has direct ties to China’s military. The firm has linked the collective to cyberattacks on more than 140 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity—carried out by a group called the

On Wednesday, a federal judge in the Central District of California dismissed Humana Pharmacy Inc.’s motion to dismiss a putative class action suit alleging the company illegally recorded telephone calls with customers, finding that the California Invasion of Privacy Act (“CIPA”) does not exempt quality assurance recordings.

In its motion to dismiss, Humana argued that CIPA exempts “service observing,” or a business’s recording of calls between its employees and customers for quality assurance purposes.  Judge Josephine Staton Tucker rejected Humana’s interpretation of the statute and further found that plaintiff’s complaint did not allege that Humana recorded the call for service observing purposes, refusing to read such purpose into the allegations.

The court also rejected Humana’s contention that plaintiff’s complaint failed to allege that the company did not provide proper notice to him at the outset that the call was being recorded. The court held that plaintiff’s allegation that he was not warned “at any point during the telephone conversation” was sufficient at the pleadings stage, but acknowledged that the issue could be raised again in a motion for summary judgment.

The U.S. Supreme Court ruled on Tuesday that the federal government does not always lose its sovereign immunity to damages lawsuits claiming that an agency violated the Fair and Accurate Credit Transactions Act (“FACTA”) by printing the expiration date of a credit card on a receipt issued to a consumer. In a unanimous decision, authored by Justice Antonin Scalia, the Court rejected a November 2010 ruling by the Federal Circuit that the Little Tucker Act authorized the government to be sued for money damages under the Fair Credit Reporting Act (“FCRA”), which FACTA amended.  

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA’s prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.

By Kurt Wimmer and Josephine Liu

The United Nations Office on Drugs and Crime has released a report warning that terrorists are increasingly using the Internet to spread propaganda, recruit and train supporters, finance their activities, and plan terrorist attacks.  Besides providing an overview of the existing legal frameworks to address terrorists’ use of the Internet, the report highlights a number of challenges associated with investigating and prosecuting terrorism cases — and specifically notes that “[o]ne of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.”   

As the report notes, some countries already require ISPs to retain certain types of data for a specified time period.  But even in the European Union, where Directive 2006/24/EC requires Member States to ensure that regulated providers retain specified communications data for a period between six months and two years, there is no consistent data-retention period.  Some Member States require data to be retained for six months, others for two years.  In addition, several Member States continue to grapple with implementing the Directive, including Germany (where an attempt to implement it was struck down by the constitutional court).

According to TechWeek Europe, the United States Department of Commerce is working with the United States Chamber of Commerce to lobby European Union officials in an effort to change certain provisions of the EU’s proposed General Data Protection Regulation.  If enacted, the Regulation, which was published in draft form in January 2012, would supersede the existing EU Data Protection Directive and apply to all EU member states.  

As we previously wrote, the Regulation would enact sweeping revisions to the EU’s existing data privacy regime and impose many new obligations on data controllers.  The Regulation’s provisions include an obligation to report data breaches to the appropriate national data protection authority within 24 hours, a requirement that companies with more than 250 employees appoint a data protection officer, and new individual rights, such as a right to be forgotten and a right to data portability.  The Regulation also provides for substantial fines of up to 2% of global revenue for data protection violations.  Moreover, the Regulation would apply to more non-EU companies than the current Directive because it would extend to non-EU companies that target EU citizens by either processing their data or monitoring their activities.

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law.  Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.   

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.