As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data.  However, we have recently seen an increasing number of states focusing on this issue.  Part I summarized legislative activity on this issue in 2020.  In this Part II, we discuss noteworthy legislation to monitor in 2021.

What to Expect in 2021

At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.

New York – AB 27

On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data.  BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and require a publicly available written retention and destruction policy.  As proposed, the statute contains a private right of action; if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data.  The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.

The Northern District of Illinois recently denied a hospital reimbursement consultant’s motion for summary judgment, finding that the consultant could be held liable under the FCA based on the theory that the consultant’s solicitations of fees-for-recommendations could be found to violate the Federal Anti-Kickback Statute (“AKS”).

In United States ex rel. Graziosi v. R1 RCM

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

The proposed rule is part of HHS’ Regulatory Sprint to Coordinated Care, which seeks to promote value-based healthcare by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients. Specifically, HHS aims to amend the regulations implemented pursuant to HIPAA and HITECH where the rules present barriers to coordinated care and case management or where they otherwise impose burdens on covered entities that do not increase individuals’ privacy protections.

On successive days last week, the Department of Justice (DOJ) unveiled enforcement actions against international cybercriminal organizations that utilized ransomware to infect computer systems and then extort payment, often in the form of cryptocurrency, from victims worldwide.  First, the Criminal Division’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the Middle District of Florida announced the unsealing of charges against a Canadian national for his alleged involvement in the ransomware scheme known as NetWalker that generated tens of millions of dollars from businesses, public entities, and individuals whose computer databases were encrypted and rendered useless, pending satisfaction of a ransom demand.  The following day, the U.S. Attorney’s Office for the Middle District of North Carolina and the Criminal Division’s Computer Crime and Intellectual Property Section revealed their participation in a multinational enforcement operation that disrupted and dismantled Emotet, a botnet that utilized malware, including ransomware, to target critical infrastructure in the United States and abroad.  These actions highlight U.S. law enforcement’s increased focus on preventing ransomware attacks, which in the future will rely on both traditional collaboration among international law enforcement agencies and reporting from private entities over which the government exercises regulatory control.

Fraud has reached epidemic levels in the UK and should be seen as a national security issue, says think tank the Royal United Services Institute (RUSI) in a paper published last week[1]. It is the crime to which UK citizens are most likely to fall victim[2]. Its impact on the private sector has consequences for both the stability of individual companies and the broader reputation of the UK as a place to do business.

85% of reported fraud in 2019/2020 was cyber-enabled[3] fraud[4]. With limited in-person interaction due to the pandemic, and increasing levels of remote working, this figure is expected to increase in the coming year. Cyber fraud is a constantly evolving area, with perpetrators adapting their methods as new technologies become available. Common examples of cybercrime are denial of service (DoS), botnet, phishing, and ransomware attacks.

SEC v. GPB Capital Holdings, LLC, et al. was filed in the Eastern District of New York on February 4, 2021 by the SEC, alleging violations of federal law in connection with the defendants’ investment business, which allegedly raised over $1.7 billion from more than 17,000 investors. Specifically, the complaint alleges that the defendants violated the Investment Advisers Act, the Securities Act, and the Exchange Act, along with corresponding regulations.

Health Enterprise Partners (HEP) has announced it has completed an investment in Aware Recovery Care.

Aware Recovery Care, based in Wallingford, Conn., is a provider of in-home mental health and substance use disorder services in Connecticut, New Hampshire, Maine, Florida and Massachusetts. The company provides what it describes as the “full continuum of home-based

As discussed in a prior McGuireWoods alert, the U.S. Department of Health and Human Services (HHS) published final rules that significantly amend the Physician Self-Referral Law (Stark Law), the federal Anti-Kickback Statute (AKS) and the Civil Monetary Penalties Law. The final rules discussed in this alert were originally given a Jan. 19, 2021, effective

February 3, 2021 – Rotstain v. Mendez, 2021 WL 359989 (5th Cir.)

On February 3, 2021, the United States Court of Appeals for the Fifth Circuit issued an opinion in Rotstain v. Mendez, holding in part that a receiver had standing to bring claims on behalf of investors in connection with a Ponzi scheme.

In the context of denying a motion to intervene, Rotstain clarified that receivers and their assignees have standing to bring claims on behalf of investors when the investors’ claims are against alleged conspirators for conduct in furtherance of that scheme and are derivative of and dependent on the claims of the receivership estate.