Crisis & Data Breach Response

More Guidance from HHS on Online Tracking Technologies but Questions Remain

March 20, 2024 By Daniel Felz and David Keating

Health and Human Services (“HHS”) released updated guidance yesterday on the use of online tracking technologies (like cookies, pixels, software development kits (SDKs), etc.) by HIPAA Covered Entities (the “Updated Guidance”). The Updated Guidance amends and supersedes HHS’s original guidance on the use of digital tracking technologies published on December 1, 2022 (the “Prior Guidance”). […]

NY AG’s Office Announces Significant Cybersecurity Settlement with Healthcare Company

January 16, 2024 By Kim Peretti, Alysa Austin and Andrew Rice

On January 5, 2024, the New York Attorney General’s Office (“NY AG”) announced a settlement with Refuah Health Center, Inc. (“Refuah”) based on the company’s alleged failures to appropriately safeguard its patients’ information, including failing to encrypt patient information or use multifactor authentication, which allegedly resulted in a May 2021 ransomware attack that impacted approximately […]

Are You Using EU Standard Contractual Clauses for Data Transfers? Be Aware of these Breach Notification Requirements

January 8, 2024 By Wim Nauwelaerts

It has become common knowledge that the General Data Protection Regulation (2016/679) (GDPR) heavily restricts transfers of personal data outside of the European Union (EU). In the absence of an adequacy decision by the European Commission, the GDPR allows controllers and processors to transfer personal data to a third country outside of the EU only […]

NYDFS Releases Consent Order in First Enforcement Action Brought Under the Cybersecurity Regulations

December 18, 2023 By Kate Hanniford, Lance Taubin, Ashley Miller and Kristen Bartolotta

After a three-year investigation/enforcement action by the New York Department of Financial Services (“NYDFS”), NYDFS entered into a Consent Order with a large title insurer (the “Company”) for its violation of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500) (the “Regulation”), specifically, its failure to protect non-public information (“NPI”). NYDFS originally brought the enforcement action in […]

FCC Plans to Update Data Breach Notification Rules

December 12, 2023 By Kim Peretti and Lance Taubin

After a decade and a half under the current data breach notification rules for telecommunications carriers and telecommunications relay services (TRS) providers, the FCC recently unveiled plans to update and expand them. On November 22, 2023, the FCC issued a Report and Order that it intends to consider at its December 13th meeting that would […]