Joseph Lazarrotti of JacksonLewis writes: On May 20, 2022, the Federal Trade Commission’s Team CTO and the Division of Privacy and Identity Protection published a blog post entitled, “Security Beyond Prevention: The Importance of Effective Breach Disclosures.” In the post, the FTC takes the position that in some cases there may be a de facto data breach…
Category: Breach Laws
OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief
Theresa Defino reports: Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its impact would expand significantly in the coming months. As part of its…
Rattled by RIPTA breach that affected 22,000, lawmakers propose policy changes
Antonia Noori Farzan reports: Lawmakers say that last year’s breach of Rhode Island Public Transit Authority computer systems highlighted glaring problems with the way the state responds to the theft of people’s personal data. […] DiPalma’s bill, S 2664, is designed to expand the protections and reporting requirements outlined in the Identity Theft Protection Act of 2015. A companion bill, H…
Indiana Amends Breach Notification Law to Require Notification Within 45 Days
Linn Foster Freedman of Robinson + Cole writes: Indiana has amended its breach notification law to require entities to notify individuals “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” It clarifies that a delay is “reasonable” if it is: “(1) necessary to restore the integrity of the…
Revised Health Breach Notification Rule resources spell out companies’ legal obligations
Lesley Fair writes: Shoppers can find a plethora of apps, trackers, and sensors that hold or capture almost every conceivable form of personal health information. If your business or nonprofit offers products like that or provides certain services to entities that do – and you aren’t subject to HIPAA – you may be covered by…
US regulators order banks to report cyberattacks within 36 hours
Sergiu Gatlan reports: US federal bank regulatory agencies have approved a new rule ordering banks to notify their primary federal regulators of significant computer-security incidents within 36 hours. Banks are only required to report major cyberattacks if they have or will likely impact their operations, the ability to deliver banking products and services, or the…