Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim before also
Latest from Password Protected - Page 2
Don’t Forget: It’s Time to Notify the FTC of Your Data Breach
This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.
What is the Safeguards Rule?
The Safeguards Rule, which originally…
Can Any Data Breach Investigation Report Deserve Protection? Part III
The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze…
OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows…
FTC Proposes Modifying Health Breach Notification Rule for Non-HIPAA Entities
Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is…
En Banc 11th Circuit Joins Sister Circuits, Deeming One Text Message Enough for TCPA Standing
Once an outlier, the 11th U.S. Circuit Court of Appeals recently joined seven other Circuit Courts in holding that receipt of a single, unwanted text message constitutes the concrete injury required for standing in class actions filed under the Telephone Consumer Protection Act. Read on for details about this development and implications for TCPA class…
SEC Adopts Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules
On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for…
DHS Issues Final Rule Regulating Federal Contractors’ Handling of Controlled Unclassified Information
On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.
Read on for highlights from this rule, which goes into effect July 21 and is likely to…
Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating…
Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies
Over the past few years, data privacy and security have been the focus of many state legislatures. CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023, when the Governor signed the latest consumer privacy bill into law. Many other states have bills in…