As more and more of us return to the office, it’s a good time to revisit the passwords you use. It is therefore timely that the U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (“HC3”) recently published a set of password security suggestions and best practices. Here are some of HC3’s key takeaways:
As we had previously blogged, the FTC in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.” The FTC voiced particular concern about unbeknownst tracking or selling of sensitive location data,… More
As states have continued to debate and pass new comprehensive privacy statutes – such as those in Virginia and Colorado – a common refrain from business leaders is the need for a comprehensive federal privacy statute that will lessen the need to comply with a patchwork of state laws. Indeed, the absence of serious privacy protections at the federal level – something akin to PIPEDA in Canada or the GDPR in Europe – has long spurred states to act as online data gathering and brokering has grown and advanced well beyond what most extant federal law contemplates. … More
Key Takeaways:
On July 7, 2022, three federal agencies – the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury – issued a joint alert regarding Maui Ransomware, which has been linked to ransomware attacks on healthcare and public health entities carried out by North Korean state-sponsored cyber actors.
These are the key recommendations of the alert:
When is personal data “anonymized”? The answer to this question has largely been based on jurisdiction. If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified”… More
As we wrote last year, Colorado is among the vanguard of privacy-focused states—including California, Washington, and Virginia—to adopt significant state-level privacy legislation. One year out from enforcement of the Colorado Privacy Act (which begins on July 1, 2023), businesses should begin to put their compliance frameworks in place, as some of the Colorado Privacy Act’s significant requirements will need substantial investment beforehand to afford consumers the rights that they are guaranteed under the Act.… More
President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).
Background
The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism,… More
Foley Hoag presented a discussion and Q&A regarding the growing threat of business email compromises (a.k.a. man-in-the-middle attacks). Attorneys Chris Hart and Yoni Bard, litigators with experience in privacy matters and business disputes, shared what they have learned through successfully representing victims of hacking and phishing attacks that have led companies to misdirect payments to unknown criminal actors. They discussed strategies for preventing these attacks and, if they occur, maximizing the likelihood of recovery through rapid response strategies (involving law enforcement and banks),… More
If your company creates health-related apps, the Federal Trade Commission (FTC) has set out some key considerations: