Brazil Enacts Measure Creating a Data Supervisory Authority; Delays Implementation of the LGPD

While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 (MP 869/2018), published Dec. 28, 2018, takes the vitally important step of creating Brazil’s National Data Protection Authority (ANPD), tasked with rulemaking, education and enforcement of the LGPD. Additionally, MP 869/2018 delays the effective date of the LGPD by six months, from February 2020 to August 2020.

A New Year Brings a New Vermont Law Aimed at Data Brokers and Credit Reporting Agencies

On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from assessing fees for establishing or removing security freezes. The Vermont legislature’s intent in enacting the new law is fourfold: (1) inform consumers about data brokers and their data collection practices; (2) protect consumer information by requiring that data brokers implement certain administrative, technical and physical safeguards; (3) prevent harm to consumers by prohibiting certain methods of acquisition and use of their information by data brokers; and (4) make it easier and less expensive for consumers to obtain and protect their credit information.

First Public Forum on the California Consumer Privacy Act

The California Attorney General and the Department of Justice held the first public forum about the California Consumer Privacy Act (CCPA) on Tuesday, Jan. 8, in San Francisco. The public forums are part of the rulemaking process the attorney general’s office is undertaking pursuant to Section 1798.185 of the CCPA, which requires the attorney general to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. These forums are an opportunity to provide input to the attorney general prior to publication of the proposed rules, and BakerHostetler will be actively participating throughout the public comment and subsequent rulemaking process.

Massachusetts Enacts Significant Changes to Its Data Breach Notification Law

On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019.

One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when the data security incident involves a Massachusetts resident’s Social Security number. With this new obligation, Massachusetts joins Connecticut and Delaware as states that require an offer of complimentary credit monitoring when the incident involves a resident’s Social Security number. There was no update to the timing of any required individual notice obligations, which remains “as soon as practicable and without unreasonable delay”; but the new amendments require a rolling notification to individuals under certain circumstances: “A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.” Additionally, the notice to individuals must now identify the name of the parent or affiliated corporation if the organization that experienced a breach of security is owned by another person or corporation.

HHS Issues Cybersecurity Guidance for Healthcare Organizations

BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report.

Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses an average of $2.2 million, with 60 percent of small businesses going out of business within six months of the attack. According to a study from IBM Security and the Ponemon Institute, the cost of a data breach for healthcare organizations rose from $380 per record in 2017 to $408 per record in 2018, the highest cost for data breaches across all industries. In 2016, U.S. healthcare systems lost $6.2 billion due to data breaches. No doubt this amount continued to rise in 2017 and 2018, with the growing number of cyberattacks.

Privacy Shield Update: Commission Report, Ombudsperson Deadline, Brexit Guidance

The end of 2018 saw heightened activity surrounding the EU-U.S. Privacy Shield Framework. This blog post provides a news roundup on the following developments:

• The European Commission’s (the “Commission”) December 19th report (the “Report”) summarizing the second annual joint review that was held in October 2018.

• The Report’s February 28, 2019 deadline for the U.S. to identify a nominee to permanently fill the Ombudsperson position required by the EU-U.S. Privacy Shield Framework.

• The UK Information Commissioner’s Office’s guidance providing deadlines for Privacy Shield-certified companies to update their privacy policies depending on whether the UK ends up with a Deal or a No-Deal Brexit.

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or Commission) under the Obama Administration was active in calling for, and advancing, greater privacy protection for consumers, as well as authority for itself, and late in its tenure went so far as to push its unfairness authority into the realm of privacy. We have been anxiously waiting for the newly reshaped Commission to articulate its worldview on consumer privacy and data security. Earlier this month, the FTC provided a detailed outline of its approach and strategy to data protection in a Comment responding to a Request for Comment made by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA). While the FTC remarked that, because of consumers’ data privacy concerns, the laws, tactics and enforcement by the FTC must constantly evolve, its forward-looking comments emphasized status quo principles and approaches, and a more balanced weighing of individual rights against the benefits to consumers collectively when competition and innovation are not unnecessarily fettered. Further, throughout its Comment, the FTC reiterated the value of a risk-based and cost-benefit approach to protect against actual harm and of not creating impediments to the advancement of prosperity and innovation. This theme is reflected also in the FTC’s warning that “[a]ny [new privacy or data protection] legislation should balance consumers’ legitimate concerns about the protections afforded to the collection, use and sharing of their data with businesses’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On Feb. 11, 2014, ACH was initially notified by a local hospital that patient demographic and clinical information, including Social Security numbers, was viewable on the website of Doctor’s First Choice Billing Inc. (First Choice). On April 11, 2014, ACH initially notified 400 patients, and after further investigation, notified an additional 8,855 patients.

The Weekly Privacy Rewind

State AGs

Coalition of AGs Asks Social Security Administration to Establish Database of SSNs to Combat ID Theft

• Forty-three state AGs sent a letter to acting Social Security Administration (SSA) Commissioner Nancy Berryhill urging the SSA to swiftly develop a database that would make it easier for financial institutions to verify consumers’ personal information.

• According to the AGs, this will help combat so-called synthetic identity theft, where identity thieves use real SSNs in combination with false names and dates of birth to create new identities.

U.S. Senate

Democratic Senators Introduce Federal Privacy Legislation

• A group of 15 Democratic Senators, led by Hawaii Senator Brian Schatz, introduced the Data Care Act, which “would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.”

• The Act would establish duties of care, loyalty and confidentiality and would be enforceable by the Federal Trade Commission as well as state AGs.

• Introduction of the Act was praised by a variety of privacy organizations, the Electronic Frontier Foundation, and the Center for Democracy and Technology.

Wearables in The Arena: The Shifting Legal Landscape Governing Fitness Trackers in Professional Sports

The use of wearable technology (colloquially known as “wearables”) has been on the radar of athletes, sponsors, sports teams and leagues for years, with the various constituencies carefully balancing the necessity for player privacy with growing professional and financial interests. Following the Supreme Court’s decision in Murphy v. NCAA, which overturned the Professional and Amateur Sports Protection Act and cleared the way for more widespread legalized gambling, the regulation of how wearables may be used has gained attention. Analysis of these developments is complicated by the evolving legal landscape surrounding wearable tech, the privacy implications and the various types of biometric data it may collect.