Password Security & Best Practices – A Refresher

As more and more of us return to the office, it’s a good time to revisit the passwords you use.  It is therefore timely that the U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (“HC3”) recently published a set of password security suggestions and best practices.  Here are some of HC3’s key takeaways:

  • Use multi-factor authentication when possible.…

The FTC’s Post-Dobbs Focus on Location Privacy Draws a Legal Challenge

As we had previously blogged, the FTC in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.”  The FTC voiced particular concern about unbeknownst tracking or selling of sensitive location data,…

Federalism Rankles National Privacy Debate: California Weighs in on the proposed American Data Protection and Privacy Act

As states have continued to debate and pass new comprehensive privacy statutes – such as those in Virginia and Colorado – a common refrain from business leaders is the need for a comprehensive federal privacy statute that will lessen the need to comply with a patchwork of state laws.  Indeed, the absence of serious privacy protections at the federal level – something akin to PIPEDA in Canada or the GDPR in Europe – has long spurred states to act as online data gathering and brokering has grown and advanced well beyond what most extant federal law contemplates. …

SEC and DOJ Bring First-Ever Crypto Insider Trading Actions

Key Takeaways:

  • The U.S. Securities and Exchange Commission (“SEC”) and U.S. Department of Justice (“DOJ”) have brought the first-ever insider trading actions involving cryptocurrency against a former manager of Coinbase, one of the largest U.S. crypto asset trading platforms, and two tippees for sharing or trading upon confidential information relating to the planned listing of various cryptocurrencies on Coinbase.
  • The SEC’s securities fraud charges are based on its longstanding position that certain cryptocurrencies are investment contracts and therefore “securities” subject to the SEC’s jurisdiction.…

Federal Agencies Issue Alert Regarding Maui Ransomware

On July 7, 2022, three federal agencies – the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury – issued a joint alert regarding Maui Ransomware, which has been linked to ransomware attacks on healthcare and public health entities carried out by North Korean state-sponsored cyber actors.

These are the key recommendations of the alert:

  • Since at least May 2021,…

Anonymization v. De-Identification, Post-Dobbs; Rumblings from the FTC

When is personal data “anonymized”?  The answer to this question has largely been based on jurisdiction.  If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes.  (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.)  Under the GDPR, the story has been much more complicated:  merely “de-identified”…

Colorado Privacy Act: The Cannabis Industry Prepares for Enforcement

As we wrote last year, Colorado is among the vanguard of privacy-focused states—including California, Washington, and Virginia—to adopt significant state-level privacy legislation.  One year out from enforcement of the Colorado Privacy Act (which begins on July 1, 2023), businesses should begin to put their compliance frameworks in place, as some of the Colorado Privacy Act’s significant requirements will need substantial investment beforehand to afford consumers the rights that they are guaranteed under the Act.…

New Privacy Shield Framework in the Works, Favoring Continuity Over Change for Businesses

President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).

Background

The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism,…

How to Prevent and Respond to Business Email Compromises

Foley Hoag presented a discussion and Q&A regarding the growing threat of business email compromises (a.k.a. man-in-the-middle attacks). Attorneys Chris Hart and Yoni Bard, litigators with experience in privacy matters and business disputes, shared what they have learned through successfully representing victims of hacking and phishing attacks that have led companies to misdirect payments to unknown criminal actors. They discussed strategies for preventing these attacks and, if they occur, maximizing the likelihood of recovery through rapid response strategies (involving law enforcement and banks),…

Key Considerations for Health App Developers from the FTC

If your company creates health-related apps, the Federal Trade Commission (FTC) has set out some key considerations:

  • Make accurate representations. Clearly explain how people’s information will be used and shared and then live up to those promises. If your company has deployed apps to read credentials at storefronts, ensure that those businesses understand your practices and the limits on how they may use the data you share.…