Archives: Enforcement

Subscribe to Enforcement RSS Feed

Court of Appeals Upholds FCC’s Net Neutrality Rules and Regulatory Authority

On June 14, 2016, the D.C. Court of Appeals ruled 2-1 in favor of the Federal Communication Commission’s (FCC) net neutrality rules, which the commission approved on February 26, 2015 (published March 12, 2015). This reclassified broadband internet access service (BIAS) as a telecommunications service under Title II of the Communications Act, affording the FCC … Continue Reading

German Data Protection Authority Issues Fines for Unlawful Cross-Atlantic Data Transfers

The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic data transfers in the wake of the October 2015 Safe Harbor decision.  On June 6, the Hamburg DPA announced that it had fined three companies for unlawful transfers of personal data from the EU to the United States.  According … Continue Reading

FCC’s Growing Privacy and Data Security Enforcement

The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading

German Data Protection Authorities Limit Use of Alternative Data Transfer Mechanisms in Light of Safe Harbor Decision

In the weeks since the October 6, 2015, Court of Justice of the European Union decision (“CJEU Decision”) that invalidated the EU-U.S. Safe Harbor framework, companies have been faced with the quandary of establishing legal alternatives for transferring personal data from Europe to the U.S. We have discussed alternative data transfer mechanisms such as standard … Continue Reading

Safe Harbor Is Dead, Long Live Standard Contractual Clauses?

For the past 15 years, the EU-U.S. Safe Harbor Framework has been one of the most popular data transfer mechanisms for organizations that engage in cross-border transfers of EU personal data to the United States. In the aftermath of the recent invalidation of the Safe Harbor Framework by the Court of Justice of the European … Continue Reading

What Now? What Next? FAQs and Answers Regarding the Safe Harbor Decision

As we discussed in our blog post last week, on October 6, 2015, the Court of Justice of the European Union issued a judgment that invalidated the EU-U.S. Safe Harbor Framework. For the past 15 years, thousands of companies have been using the Safe Harbor Framework to transfer personal data from the EU to the … Continue Reading

EU High Court Invalidates Safe Harbor Framework for Cross-Border Data Transfers

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a highly anticipated judgment that has the potential to impact how thousands of companies transfer data from the EU to the United States. The Court’s decision effectively invalidates the European Commission’s “adequacy” determination with respect to the U.S.-EU Safe Harbor Framework, … Continue Reading

CA AG Requires Chief Privacy Officer and Privacy Compliance Program

California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording … Continue Reading

Federal Trade Commission Joins with Industry Experts to Provide Start-Ups and Developers with Practical Advice at “Start with Security” Conference

The FTC has a history of offering practical advice to organizations and consumers to protect against security threats and related concerns, and is continuing this practice with the upcoming – and very first – “Start with Security” conference, taking place at the University of California’s Hastings College of the Law on September 9, 2015. The … Continue Reading

Federal Trade Commission Continues Its Enforcement Campaign Against False Safe Harbor Claims

Reiterating its commitment to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, the Federal Trade Commission announced on Monday that it has reached settlements with 13 companies alleged to have misled consumers either by claiming Safe Harbor membership despite never having applied, or by allowing their Safe Harbor certifications to lapse. A related FTC Business … Continue Reading

FTC to Host Workshop on Online Lead Generation

The FTC has increasingly focused its attention on the online lead generation industry by bringing enforcement actions against payday loan lead generators (lead generators alleged to have engaged in advertising that lacked disclosures required by the Truth in Lending Act), mortgage lead generators (lead generators alleged to have deceptively advertised mortgage products by misrepresenting their … Continue Reading

FCC’s New TCPA Order May Require Companies to Obtain Updated Consents for Marketing Calls and Texts

Last week we published an overview of key issues raised by the Federal Communications Commission’s July 10, 2015, Declaratory Ruling and Order regarding the Telephone Consumer Protection Act (the “July 2015 Order”). The July 2015 Order responded to 21 requests for clarification concerning previous rules and orders the FCC has issued pursuant to the TCPA, … Continue Reading

“Don’t Call Us, We’ll Call You.” The FCC’s Latest TCPA Ruling Imposes Even More Restrictions on Telemarketing Calls and Texts

On July 10, 2015, the Federal Communications Commission released the Omnibus Declaratory Ruling and Order (the Order) it adopted on June 18. The Order addresses requests for clarification regarding requirements under the Telephone Consumer Protection Act (TCPA) and previous rules and orders issued by the Commission. The Order, which took effect immediately upon release, is … Continue Reading

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies

Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary … Continue Reading

California Continues to Regulate Privacy and Advertising to Minors in New Law Regulating School-related Online Services

On September 29, 2014, California Governor Jerry Brown signed SB 1177 into law, effective Jan 1, 2015.  See Governor Brown Issues Legislative Update.  The new privacy and advertising regulation goes beyond FERPA, the federal student privacy law, and existing state student privacy laws that govern schools and requires them to obtain privacy protections for student … Continue Reading

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

HHS Attorney: Major HIPAA Fines and Enforcement Coming

As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR.  But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million dollars—the highest settlement amount to date.  These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provides standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals.   HITECH … Continue Reading

OCR Settles Potential HIPAA Violations with County Government for $215,000

Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient … Continue Reading

Careful! Your Company May Be a Defacto Data Broker: Are Privacy Regulators Going for Broke(rs) as part of the 2014 Legislative and Privacy Enforcement Agenda?

Concerns about privacy practices in the data broker industry, and the privacy implications about the lack of transparency “behind-the-scenes,” will remain a topic of intense regulatory and legislative focus in 2014.   The Federal Trade Commission has defined “data brokers” as companies that collect personal information about consumers from a variety of public and non-public sources … Continue Reading

FTC Releases Complaint Alleging LabMD Failed to Protect Consumer Privacy

Authorship credit:  Tina U. Amin FTC Complaint Alleges Disclosure of Medical and Other Sensitive Information over Peer-to-Peer Network and Alleges Identity Thieves may have Obtained Sensitive Information In August 2013, the Federal Trade Commission filed a petition in federal court to investigate Atlanta based medical testing laboratory LabMD, Inc. on suspicion that the company failed … Continue Reading

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates … Continue Reading

Federal Prosecutors Indict Accused Data Thieves

Federal prosecutors announced yesterday the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including Global Payments, Heartland Payment Systems, Hannaford, and NASDAQ, among … Continue Reading
LexBlog