Photo of Gerard Stegmaier

Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.

Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule

Our colleagues wrote about the Rule when it was first issued, to explain how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting health information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced or published new guidance on the Rule. Significant questions, therefore persist, about how the FTC will interpret and apply the Rule.

The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.

In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA is applicable only to health care providers that submit claims electronically, health plans, and health care clearinghouses. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.Continue Reading FTC signals impending enforcement of its Health Breach Notification Rule

California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.

CPPA executive director and staff to be appointed

With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.

Extension of the July 1, 2022 rules deadline

With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline. 
Continue Reading California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year

In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO which created a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering

In a ruling on April 22, 2021, the United States Supreme Court unanimously held that § 13(b) of the Federal Trade Commission Act (the Act) does not authorize the Federal Trade Commission (FTC) to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. The FTC previously used § 13(b) as

The protection afforded by attorney-client privilege brings about a candid conversation between lawyers and clients. Privilege can attach to communications covering a variety of topics, from responding to a data subject access request (DSAR) to handling a security incident or managing complex and time consuming investigations on a multinational scale. Different privilege rules may apply

On September 9, a federal judge in California dismissed claims brought by hiQ Labs, Inc. (hiQ) against LinkedIn Corp. (LinkedIn) that alleged that LinkedIn’s attempts to prevent hiQ from accessing public information on its website violated various antitrust laws. In an opinion that will continue to fuel debate over the relationship between antitrust and privacy,

In April, the Federal Trade Commission settled charges against Progressive Leasing, a company that markets virtual rent-to-own payment plans to retail stores nationwide. Unlike traditional rent-to-own companies, Progressive does not operate its own brick-and-mortar stores. Instead, Progressive markets its rent-to-own payment plans to consumers who shop at certain retail stores or websites, primarily those in

As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses avoid and mitigate these risks. Appropriate protective measures are specific to changing circumstances, but fortunately, guidance and helpful resources have quickly emerged. We have set forth below some important considerations in assessing administrative, technical, and contractual cybersecurity safeguards in virtual business and educational settings.

New tools bring new vulnerabilities

Many entities whose employees are now working from home for the first time are implementing new, sometimes expensive, tools to help their employees collaborate and maintain business operations. These new tools include videoconferencing, file-sharing, and other communication platforms. Even if the employer does not provide the tools, employees may find and use their own.

There are good reasons for implementing these tools at the business level, including consistent-use practices in the entity’s system, a process for regular software patches and updates, and discounted pricing. When selecting and implementing these tools, or modifying the manner and extent by which these tools will be used, it can be easy to overlook or minimize better practices for use of third-party information technology services: reasonable and appropriate diligence, contractual protections, and ongoing oversight and validation.

In addition, it is important to remember that the cybersecurity posture of many (if not most) online tools can vary widely depending on how the tool is configured, maintained, and used. This means considering whether the right virtual-IT skill set has been engaged and applied, and helping ensure that users have the information they need to make better privacy and data security decisions. Addressing these issues effectively can be especially challenging as work and learning environments change radically.Continue Reading U.S. cybersecurity – points to remember when business is not as usual

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders.  In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that, upon arriving at the FTC, strengthening the FTC’s orders in data security matters was among Chairman Joseph J. Simons and his first priorities.  Smith’s blog post is a useful roadmap to help understand the practices the Commission requires of companies under its orders.  Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.

The FTC began working towards specific improved data security orders in 2019, and Smith cites seven different 2019 data security orders in an effort to lay out some of these improvements.  The improvements, he notes, resulted in part from a December 2018 FTC hearing addressing areas of improvement for data security orders, as well as a 2018 Eleventh Circuit Court of Appeals decision.

As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability.  These changes fall into the following three categories:

(1) The orders are more specific.

(2) The orders increase third-party assessor accountability.

(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.Continue Reading New key features of FTC data security orders highlighted by Consumer Protection Bureau Director