Company investigations (whether self-initiated or required by regulators) generally require the collection, review, and analysis of data to identify documents and other materials that are relevant to the investigation. An investigation may result in the need to access sensitive personal data or, frequently, involve the review of other materials that happen to include personal data

On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.

As stated in the Order, which became effective immediately, telehealth services may help reduce the spread of COVID-19, and strict compliance with certain state telehealth requirements would otherwise “prevent, hinder, or delay appropriate actions to prevent and mitigate the effects of the COVID-19 pandemic.” The Order impacts certain health care facilities, health care providers, health care administrators, clinics, home health agencies, and hospice providers, generally in instances where non-compliance occurs during the “good faith provision of telehealth services.”

Continue Reading: California relaxes key telehealth regulatory requirements during COVID-19 emergency

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

Continue Reading: An FAQ guide to data breach notifications in Singapore

In a continued pursuit for cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts.

In the complaint filed last week, AG James alleges that Dunkin’, by failing to notify consumers of the breaches or to take sufficient steps to investigate and safeguard consumer data, violated not only its internal data security procedures but also New York data breach notification and consumer protection laws.

In 2015, Dunkin’ was the target of a series of brute force attacks, in which automated software was used to gain access to accounts by guessing various combinations of usernames and passwords. The lawsuit alleges that despite being notified of these attacks by one of its mobile app developers, Dunkin’ did not notify its customers – in violation of the New York data breach notification law – nor did it take any security measures to prevent future attacks, such as resetting passwords or freezing accounts.

Continue Reading: With latest lawsuit, New York attorney general continues to demand cybersecurity compliance

On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, like those of other states, is designed to better align with the way in which consumers interact with technology today. As consumers share more information about themselves via the internet, states continue to place the onus on the companies and organizations collecting that information to guard against its loss or misuse.

Washington’s amendment expands upon the breach notification law in the following key ways:

  • First, it shortens the period between the discovery of a breach of consumers’ personal information (as defined by the law) and the time in which notification of the breach must be provided to those consumers from 45 days to 30 days. This change also applies to notifications to the attorney general, who now must be notified within 30 days after the breach was discovered, also down from 45 days (the requirement to notify the attorney general still only applies if notification must be provided to more than 500 Washington residents).
  • Second, the notification to the attorney general must now also include:
    • A list of the types of personal information implicated in the breach;
    • The timeframe of exposure, if known, including the date of the breach and the date of its discovery;
    • A summary of steps taken to contain the breach; and
    • A sample copy of the breach notification letter without any personally identifiable information.

In the event that more information becomes known as the investigation into the breach progresses, updates must be provided to the attorney general under the amended law.

Continue Reading: Washington becomes the latest state to amend its data breach notification law

The FDA represents the latest federal agency to show a focus on cybersecurity issues with the release December 28 of new guidance. While the prospect of network-enabled medical devices increasingly offers the promise of improved care and patient treatment, evolving technology and new-found connectivity present emerging security considerations as well.

The Food and Drug

The Dutch data protection authority, the College Bescherming Persoonsgegevens (CBP), has released a report following a seven-month investigation examining Google’s changes to its privacy policy. CBP’s report condemns Google for violating Dutch data protection law, the Wet bescherming persoonsgegevens (Wbp).

Controversially in March 2012, Google made changes to its privacy policy (GPP2012) to allow the

This post was written by Nick Tyler.

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens’ privacy