-
Nov 4, 2024 | 
constangy.com | John C. Babione |Jason S. Cherry |Christopher R. Deubert |Maria Efaplomatidis
Bert Bender – Partner, Philadelphia
Bert Bender brings almost ten years of combined experience in litigation and managing responses to data privacy and security incidents. A graduate of the U.S. Naval Academy and having served five years in the Marines, Bert understands the critical importance of risk mitigation and crisis management in responding to data privacy and security incidents.
-
Sep 30, 2024 | 
constangy.com | Lauren Godfrey |Edwin Jones |John C. Babione |Jason S. Cherry
The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available here 2024 Act 33 - PA General Assembly (state.pa.us), took effect last week, on September 26. The key provisions are as follows:
If notice of a breach must be given to more than 500 individuals, notice must made at the same time to the Office of the Attorney General.
-
Sep 16, 2024 | 
constangy.com | Lauren Godfrey |Chasity Wilson Henry |John C. Babione |Jason S. Cherry
These changes took effect on July 29. Therefore, in the event of a qualifying security incident, companies who are not considered HIPAA-covered entities or business associates should be aware of their legal obligations. A copy of the amendments is available here.
Is my business subject to the Health Breach Notification Rule?
As a result of the amendments, the Rule applies to health applications, websites, and other technologies that possess health information but aren’t subject to HIPAA.
-
Sep 10, 2024 | 
jdsupra.com | John C. Babione |Xuan Zhou
Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.
-
Jun 11, 2024 | 
constangy.com | Lauren Godfrey |Edwin Jones |John C. Babione |Jason S. Cherry
Canada Publishes New Breach Reporting FormsEffective May 24, 2024, the Office of the Privacy Commissioner of Canada (OPC) has introduced a new online PIPEDA breach reporting form for federal institutions and businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Going forward organizations should be prepared to:
Submit New Breach Reports:
Organizations can use the secure online form to submit reports of new privacy breaches.
-
Apr 1, 2024 | 
constangy.com | Sebastian Fischer |Allison Prout |John C. Babione |Jason S. Cherry
On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.” H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company.
-
Mar 22, 2024 | 
constangy.com | Sebastian Fischer |Sarah Rugnetta |John C. Babione |Jason S. Cherry
The updated guidance came after a group of hospitals and health care groups sued the OCR over its previous guidance on the topic (the plaintiffs claim, among other things, that the rule was issued improperly and that it misinterprets the requirements of the privacy rule). Unfortunately, the updated guidance still leaves some questions unanswered.
Both the previous and updated guidance documents differentiate between user-authenticated and unauthenticated web pages.
-
Feb 29, 2024 | 
constangy.com | Jordan Fischer |Sarah Rugnetta |John C. Babione
In its settlement order, the Attorney General focused on DoorDash’s sale and sharing of personal information in a marketing cooperative, finding that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of the sale of their personal information.
-
Jan 29, 2024 | 
constangy.com | Jordan Fischer |John C. Babione |Jason S. Cherry
Understand third-party cyber risks
Third-party cyber risk can come from various sources, including suppliers, service providers, contractors, and even cloud service providers. The threat actors can access these third parties through inadequate security measures, vulnerabilities in the third-party software, or negligent employee practices. With this in mind, below are some steps organizations can take to mitigate third-party risks.
Create a vendor risk management program.
-
Jan 8, 2024 | 
constangy.com | Jordan Fischer |Sarah Rugnetta |John C. Babione
Key changes to the Regulation
Tiered obligations and exemptions. Entities licensed by the DFS should first assess whether they are a “Small Business” or a “Class A Business,” as well as whether they fall within one of the exemptions based on factors outlined in the amended regulation. This will determine which, if any, requirements apply to their business.
Cybersecurity governance.
