HHS Issues Guidance on HIPAA and Workplace Wellness Programs

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan. If the wellness program is offered as a part [...]

FTC Proposes Settlement with Two Companies Over False Safe-Harbor Claims

On April 7, 2015, two U.S. companies agreed to settle Federal Trade Commission (“FTC”) allegations that they falsely claimed to be in compliance with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework. In the concurrently filed complaints against TES Franchising, LLC (“TES”), a franchisee coaching business, and American International Mailing, a mail delivery company, the FTC accused the companies of violating Section 5 of the FTC Act by indicating on their websites that they were currently certified under the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe [...]

FCC Adopts Consent Order with AT&T Over Alleged Data Security Violations

The Federal Communications Commission (FCC) announced on April 8 that it had adopted a consent decree between its Enforcement Bureau and AT&T Services, Inc. (AT&T), including a civil penalty of $25 million and a requirement to adopt a comprehensive compliance plan, among other actions. The consent decree alleges that AT&T “failed to protect the confidentiality” of approximately 280,000 customers’ “sensitive personal information” and “account-related customer proprietary network information,” or “CPNI,” and questions whether AT&T made the necessary notifications [...]

Kim Peretti and Dominique Shelton Speaking at Georgetown’s 2015 Cybersecurity Law Institute

Kim Peretti and Dominique Shelton will be featured speakers at the 3rd Annual Cybersecurity Law Institute, hosted by Georgetown Law Continuing Legal Education, and co-sponsored by the American Bar Association Cybersecurity Legal Task Force, Bloomberg BNA, and the Center for Internet Security. The Institute, designed by a national advisory board of professionals, will be held on May 20-21, 2015. This two-day program is a highly regarded event in the cybersecurity space and will provide in-house and outside counsel with the practical, pragmatic advice they need to effectively address today’s [...]

New York State Regulator to Examine Insurers on Cybersecurity Following Comprehensive Risk Assessments

On March 26, 2015, Benjamin Lawsky, Superintendent of the New York State Department of Financial Services (DFS), sent a letter to the CEOs, General Counsel, and Chief Information Officers of all insurers doing business in the state to inform them of a mandatory cybersecurity questionnaire and the initiation of targeted cybersecurity examinations. Approximately 160 insurers will be affected by the initiative. In the letter, Lawsky “encourages all [financial] institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset [...]

FFIEC Issues Warnings on Malware and Cyber Attacks

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements warning of specific cyber risks. The warnings, which were issued on March 30, 2015, address risks arising from destructive malware, which can destroy sensitive data, and cyber-attacks that compromise user credentials. In both statements, the FFIEC also provides guidance on how to mitigate these risks. The statement on destructive malware warns financial institutions about the increasing use of malware that successfully compromises databases and destroys the information or renders the system hosting [...]

Wyoming Broadens Definition of Personal Information In Amended Data Breach Notification Law

Wyoming has updated its data breach notification statute to widen the definition of “personal identifying information” that will trigger notification to individuals. In addition, the amendments prescribe the information to be contained in the notice and provide a safe harbor to entities that provide notice in compliance with and under the requirements of the Health Insurance Portability and Accountability Act. The changes in the law will become effective July 1, 2015. The amendment expands the definition of personal information to now include an individual’s first name or first initial [...]

Court Finds Hulu Did Not “Knowingly” Disclose PII in Violation of VPPA, Grants Summary Judgment

Ending a four-year battle that has helped define the parameters of the Video Privacy Protection Act’s (VPPA) application to new technologies, on March 31, 2015, Northern District of California Magistrate Judge Laurel Beeler dismissed with prejudice the In re: Hulu Privacy Litigation. In doing so, Judge Beeler found that there was simply no evidence that Hulu knowingly disclosed plaintiffs’ video viewing selections and personal identification information (PII) to a third party. Many companies and privacy professionals were following this case closely because of the significant potential exposure [...]

President Obama Signs Executive Order Authorizing Sanctions for Cyber Attacks, Use of Stolen Data

On April 1, 2015, the White House unveiled Executive Order 13694, which authorizes the Treasury Department to sanction entities outside of the United States that engage in “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” The Executive Order (“EO”), titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” contemplates sanctions against entities conducting [...]

FCC Advisory Group Issues Cyber Risk Management Report

On March 18, the Federal Communications Commission (“FCC”) approved the Final Report on cybersecurity risk management and best practices issued by Working Group 4 (“WG4”) of its Communications, Security, Reliability, and Interoperability Council (“CSRIC”). The CSRIC, currently in its fourth assembly, is an advisory committee tasked with providing recommendations to the FCC to achieve “among other things, optimal security and reliability of communications systems…” The report was created in response to WG4’s mission to “develop voluntary mechanisms to provide macro-level [...]