Additional cybersecurity measure proposed for CIP Reliability Standards
In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) with imposing additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems under its Critical Infrastructure Protection (CIP) Reliability Standards.

Wendell Bartnick
FTC signals impending enforcement of its Health Breach Notification Rule
Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.
Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule
Our colleagues wrote about the Rule when it was first issued, explaining how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting that information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced the Rule or published new guidance on it. Significant questions therefore persist about how the FTC will interpret and apply the Rule.
The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.
In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA applies only to health care providers that submit claims electronically, health plans, and health care clearinghouses (and to the business associates that handle protected health information on their behalf). Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.
Significant privacy enforcement and rulemaking authority granted to Attorney General under Colorado’s Privacy Law
Colorado’s recently passed privacy act, the Colorado Privacy Act (CPA), is scheduled to take effect on July 1, 2023, if signed into law by Governor Jared Polis. While the CPA is a comprehensive privacy act which provides certain rights to consumers regarding their personal data, it does not include a private right of action. It…
Texas legislature updates state data breach notification law to provide for online posting of certain data breaches
On March 31, 2021, the Texas legislature passed House Bill 3746 (HB 3746), an update to the state’s breach notification statute. HB 3746 is expected to be signed into law by the Texas governor and become effective on September 1, 2021. The bill makes two primary changes to Texas’ current breach notification statute.
First, the updated breach notification statute will require the Texas attorney general’s office to begin posting on its website “a listing of the notifications” it receives when a breach affects at least 250 Texas residents. The amended statute does not describe what “listing” must be posted; however, the statute prohibits the posting of “any information that may compromise a [business’] data system’s security,” or anything that includes sensitive personal information or is considered confidential under the law.
Unlike similar posting requirements under the laws of other states (California, Massachusetts, etc.), the Texas law provides for a take-down that rewards what might be considered good behavior. If the business does not notify the Texas AG of an additional data breach within the subsequent twelve months, the online posting for that business is to be taken down. In addition, the Texas statute only contemplates publication of one breach, the most recent one. The one-year period for the listing restarts each time a new listing is posted.
U.S. Department of Labor issues cybersecurity guidance for protecting ERISA-covered plan data
The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.
The Guidance recognizes that…
Recent report signals NIST may publish IoT cybersecurity standards
Although regulators seem to think all too often that cybersecurity is an afterthought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for IoT manufacturers so that they can be more proactive in securing IoT devices.
Amendments to Vermont’s Security Breach Notice Act to become effective July 1
Vermont’s Security Breach Notice Act is noteworthy because it has the United States’ shortest deadline for providing preliminary notice of a “security breach” to the state’s attorney general. The deadline is 14 days from discovery of a security breach. Security incident response teams commonly consider the Vermont law early in the response process to determine whether an organization will be required to provide breach notifications to affected Vermont residents and the state attorney general. On July 1, 2020, the Vermont law will be expanded to cover more types of incidents, which may cause organizations to pay even more attention to the Vermont notice deadline. The amendments also provide instructions on how organizations should provide notice in the event that online account credentials are breached.
Still working on it – draft CCPA regulations are modified a second time
Last week, on March 11, the California Department of Justice, Office of the Attorney General (AG) released its second set of revisions to its draft regulations under the California Consumer Privacy Act (CCPA). This second set of proposed revisions is based in part on comments received in response to an initial set of proposed revisions released by the AG last month (see February 10 Reed Smith client alert here). Written comments to this second set of proposed revisions must be submitted by March 27, 2020.
This set of proposed revisions was not extensive. Highlights appear below.
California attorney general issues draft CCPA regulations
On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with…
Last minute amendments likely finalize CCPA language for January 1 deadline
Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.
Five amendments passed: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Significant impacts of the amendments that were enacted include:
- The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business interactions but only in certain respects.
- The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act.
- The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.