Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Washington state’s My Health My Data Act (“MHMD”) goes into effect on March 31, 2024. Entities should carefully evaluate whether MHMD applies to them in light of the law’s broad applicability, an expansive definition of consumer health data, strict consent requirements and a unique private right of action. This post answers questions about which entities are subject to MHMD, and what the law requires entities to do.
Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.
Data breaches in the healthcare industry are a costly and legally evolving issue. The sophistication of threat actors and their ability to navigate IT systems using constantly changing tactics has made it difficult to predict and, in some cases, respond to a breach. The recent aggressive enforcement by the Federal Trade Commission (the “FTC”) of its Health Breach Notification Rule (the “HBNR”), as well as its proposed changes to the HBNR, have expanded the factors companies must consider when analyzing and responding to potential breaches of health data.
On November 22, 2023, the Federal Communications Commission issued a proposed rule that likely will considerably alter the online lead generation industry, including the use of comparison shopping websites. The proposed rule addresses a number of areas, but, notably, the rule would require texters and callers using certain regulated technologies to obtain prior express written consent from a single seller at a time to comply with the Telephone Consumer Protection Act (“TCPA”). The FCC is expected to pass the rule during its December 13, 2023 meeting.
Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.
On Sept. 5, the U.S. Department of Justice announced its settlement with Verizon Business Network Services LLC, a Verizon Communications Inc. subsidiary, in which Verizon agreed to pay $4.1 million to settle certain False Claims Act allegations related to cybersecurity.
The settlement resolves allegations that Verizon's Managed Trust Internet Protocol Service, or MTIPS, which was designed to provide federal agencies with secure connections to public internet and other networks, did not satisfy certain cybersecurity controls related to contracts with the U.S. General Services Administration from 2017 to 2021.
In April 2023, Kyland Young, a star from the popular reality TV show Big Brother, brought a right of publicity claim against NeoCortext, Inc., the developer of a deepfake software called Reface. See Young v. NeoCortext, Inc., 2:23-cv-02486 (C.D.CA filed Apr. 3, 2023). Young claimed that NeoCortext’s Reface, “which uses an artificial intelligence algorithm to allow users to swap faces with actors, musicians, athletes, celebrities, and/or other well-known individuals in images and videos,” violates California’s right of publicity law. Young’s case, which is still pending in the U.S. District Court for the Central District of California, raises important questions about deepfakes and their intersection with the law as it pertains to famous figures.
Last week, the FTC and HHS’ Office for Civil Rights (OCR) sent a joint letter to approximately 130 hospitals and telehealth providers concerning the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps. The agencies assert that these tracking technologies – such as the Meta/Facebook pixel and Google Analytics – gather identifiable information about users when they interact with a website or mobile app, often without users’ knowledge and in ways that are hard for users to avoid.
According to a study conducted by the Federal Research Division of the Library of Congress as of 2018, counterfeiting was identified as the largest criminal enterprise in the world, with domestic and international sales of counterfeit and pirated goods totaling between an estimated $1.7 trillion and $4.5 trillion a year.
On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the next state to enact a comprehensive state-wide data privacy statute. The TDPSA will take effect on July 1, 2024, and applies to businesses that produce a product or service that is “consumed” by Texas residents, and process or engage in the sale of personal data.