Privacy, Cyber Security and Data Protection 101: A Primer that Addresses New York’s New Mandatory CLE Requirement

On Wednesday, June 21, Foley Hoag hosted a NY CLE program, “Privacy, Cyber Security and Data Protection 101: A Primer that Addresses New York’s New Mandatory CLE Requirements.” You can access the materials and recording using the below links.

Cyberattacks on the Energy Sector Continue to Rise

Cyberattacks on the energy sector have been rapidly growing since 2017, and we saw an all-time high of cyberattack events on the sector in 2022. The energy sector is particularly vulnerable to these types of attacks due to the outdated and unsecured networks oftentimes used in the industry, as well as the increased use of distributed energy resources (“DER”), which creates more openings to attack and requires more resources to monitor and manage.…

FTC Seeks to Send a Message about COPPA and Schools

In late May, the Federal Trade Commission sought an injunction in the Northern District of California against Edmodo, which has historically offered school districts a virtual classroom platform with tools for assignments, quizzes, and similar items.  The FTC argues that Edmodo violated the Children’s Online Privacy Protection Act by failing to obtain parental consent to certain disclosures of children’s personal information.

As the FTC has long expressed in guidance,…

Privacy and Security of Genetic Information: The FTC Is Putting Privacy and Security Promises of DNA Companies to the Test

In the FTC’s first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent.

After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history,…

If Your Password Is On This List, It’s Time to Change It

It’s been several years since I have written about password hygiene. I have been hoping that a better security solution would be widely adopted and while I hear rumors in that regard, passwords still reign supreme.  So when I saw that the SafetyDetectives website had listed the 30 most common passwords, it seemed like a good time to revisit the topic.  Their study found that “123456” and “password”…

MA Sports Wagering Regulators Take Aim at Data Privacy

Following the March 2023 rollout of mobile sports wagering in Massachusetts, the Massachusetts Gaming Commission has been hard at work promulgating the various regulations needed to oversee Massachusetts’ burgeoning sports wagering industry, which includes both brick-and-mortar locations as well as mobile apps.  The quick pace of regulatory implementation following the sports wagering statute’s passage last August has found the Commission wanting to promulgate some more complex regulations after having had time to further consider them – among these are the currently-proposed regulations (page 14) on data privacy,…

CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force

On May 23, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions,…

Anonymization and the GDPR – Clarity from the European Courts? Not so Fast!

As we’ve written about before, the question of anonymization can be tricky.  When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter?  This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.

But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions,…

Expiration of COVID-19 Public Health Emergency Means the Beginning of the End for HIPAA Privacy and Security Enforcement Discretion

The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency expired at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.

As previously announced, the HHS Office for Civil Rights (“OCR”) is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to the provision of telehealth in particular.…

As If Bank Failures Aren’t Enough – Hackers Are Exploiting the Chaos to Breach Security

The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant.  As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed. …