Category Archives: Security & Privacy Alerts

HIPAA “Omnibus” Regulations Published in Federal Register

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a […]

Key Elements of the New “Omnibus” HIPAA

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, […]

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

In an order entered this morning, Federal District Judge Reggie B. Walton granted the American Bar Association’s (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission’s (FTC’s) controversial Red Flags Rules. This comes as the legal community steeled itself for the FTC’s imminent November 1st enforcement deadline.

ALERT: Massachusetts Proposes Revised Information Security Regulations, Delays Enforcement Until March 1, 2010

Today, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following: Enforcement of the regulations is postponed until March 1, 2010. Businesses affected by the regulations include anyone that “receives, maintains or otherwise has […]

FTC Releases “Template” Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August […]

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

Class Action Lawsuit Continues Against Blockbuster For Making Video Rental Information Available to Facebook Users

On April 15, 2009, a federal district court issued a decision that keeps alive a woman’s suit "against Blockbuster and the way it offers information to the social networking site Facebook."  This was reported in the Dallas Business Journal.  In the ruling (.pdf), the court denied Blockbuster’s motion to compel arbitration by holding that an arbitration clause in the "Terms […]

Swine flu and privacy in the workplace

With swine flu on everybody’s mind right now (even leading President Obama’s news conference this evening), employers and employees should understand what questions can be asked and what information can be obtained from employees in the midst of apparent pandemic.  At the federal government’s pandemic flu website, the basic rules are set out.  In general, […]

Limits of Privacy in Schools: Supreme Court Hears Arguments on School Strip Search Case

Today, the Supreme Court heard oral arguments in Safford Unified School v. Redding, a dispute concerning the propriety of a school-ordered a strip-search of a 13-year-old student who was believed to be in possession of prescription strength ibuprofen in violation of the school’s zero-tolerance drug policy.  The case has received a good deal of media coverage […]

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010.  The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal […]

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.