Breach Laws – Page 14 – DataBreaches.Net

Data breach class actions: Southern District of New York dismisses action against health care providers for lack of standing

Posted on May 26, 2022 by Dissent

James Bogan III of Kilpatrick Townsend & Stockton LLP writes: Takeaway: In a prior article, we reported on the Second Circuit’s decision in McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021), in which the court, ruling on an issue of first impression, set out a non-exhaustive three-factor test for determining…

FTC Blog: “The FTC Act Creates a De Facto Breach Disclosure Requirement”

Posted on May 24, 2022 by Dissent

Joseph Lazarrotti of JacksonLewis writes: On May 20, 2022, the Federal Trade Commission’s Team CTO and the Division of Privacy and Identity Protection published a blog post entitled, “Security Beyond Prevention: The Importance of Effective Breach Disclosures.” In the post, the FTC takes the position that in some cases there may be a de facto data breach…

OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief

Posted on May 10, 2022 by Dissent

Theresa Defino reports: Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its impact would expand significantly in the coming months. As part of its…

Rattled by RIPTA breach that affected 22,000, lawmakers propose policy changes

Posted on April 2, 2022 by Dissent

Antonia Noori Farzan reports: Lawmakers say that last year’s breach of Rhode Island Public Transit Authority computer systems highlighted glaring problems with the way the state responds to the theft of people’s personal data. […] DiPalma’s bill, S 2664, is designed to expand the protections and reporting requirements outlined in the Identity Theft Protection Act of 2015. A companion bill, H…

Indiana Amends Breach Notification Law to Require Notification Within 45 Days

Posted on March 25, 2022 by Dissent

Linn Foster Freedman of Robinson + Cole writes: Indiana has amended its breach notification law to require entities to notify individuals “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” It clarifies that a delay is “reasonable” if it is: “(1) necessary to restore the integrity of the…

Revised Health Breach Notification Rule resources spell out companies’ legal obligations

Posted on January 21, 2022 by Dissent

Lesley Fair writes: Shoppers can find a plethora of apps, trackers, and sensors that hold or capture almost every conceivable form of personal health information. If your business or nonprofit offers products like that or provides certain services to entities that do – and you aren’t subject to HIPAA – you may be covered by…