Privacy & Cybersecurity

This post provides insights and recommendations surrounding the DOJ's charges against 10 defendants involved in business email compromise schemes.

In what is considered the largest privacy-related settlement in history, Google will pay $391.5 million to 40 states to settle an investigation by 40 state attorneys general.  The bipartisan coalition of attorneys general alleged that Google misled users into believing that opting out of sharing their location data prevented the company from tracking users’ locations.

Effective January 1, 2023, New York City employers will be prohibited from using artificial intelligence in employment decision-making processes unless they take a number of specific and affirmative steps prior to doing so, including a bias audit of the tool.  These requirements have emerged following the passage of New York City Local Law 144 in December 2021, which creates a specific regime employers must adhere to in order to utilize automated employment decision tools, which the City has referred to as “AEDTs”. Many questions emerged following the passage of Local Law 144  and in response to some of these inquiries, the City’s Department of Consumer and Worker Protection (“DCWP”) has proposed rules that provide some answers, expand upon Local Law 144, and regulate the use of AEDTs.  Mintz attorneys Corbin Carter, Michelle Capezza and Evan Piercey analyze and discuss these proposed rules.

If you’ve relied on the temporary “exemption” for employee/applicant and business-to-business (B2B) personal information under the California Consumer Privacy Act (CCPA), those exemptions will expire on January 1, 2023.   The California legislature adjourned on August 31 for the 2022 session without adopting legislation to extend those exemptions, and therefore, absent a special legislative session, they will sunset on December 31.

California is leading the way on privacy regulation --- again.   The California State Assembly has passed AB 2273, which, if approved by the California Governor, would require businesses that provide online services, products, or features likely to be accessed by children or teens under the age of 18 to increase their privacy and safety protections.

California Attorney General Rob Bonta has announced a major settlement under the California Consumer Privacy Act (CCPA), and it will cost Sephora, Inc. a whopping $1.2 million in penalties. Pay attention to your email boxes:  in addition to announcing the Sephora settlement, AG Bonta also said that his office today sent notices to “a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.” 

The central tradeoff between a service’s affordability and the user’s right to privacy has been debated for the better part of two decades. The quickest jolt to the regulatory landscape may come via Federal Trade Commission (“FTC” or the “Commission”) enforcement. On August 11, the FTC issued an Advanced Notice of Proposed Rulemaking (“ANPR” or the “Notice”), asking the public to weigh in on whether new regulation is required to protect consumers and crackdown on “commercial surveillance.”

The new California privacy regulatory body, the California Privacy Protection Agency (CPPA), has loudly voiced its opposition to the proposed federal American Data Privacy and Protection Act (ADPPA).   The bottom line for the unanimous opposition:  the ADPPA would preempt California’s privacy laws – both the California Consumer Privacy Act and the California Privacy Rights Act effective as of 1/1/23 – and establishes a ceiling on privacy regulation by states. 

Recent enforcement actions reveal that New York is among the states leading the way in investigating and fining corporations for both actual and potential data breach situations. Within the past month alone, Attorney General Letitia James (“NYAG”) secured monetary settlements and consent agreements from two large corporations who failed to maintain adequate administrative, technical and physical safeguards as required by New York law.

In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients. State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of  competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.

Much has been written about how existing privacy laws such as HIPAA are unhelpful to women in the wake of Dobbs vs. Jackon Women's Health Organization ruling. In the first of this two-part blog post series, the Mintz team breaks down the legal rights and practical strategies that women can use to protect their own information.

All players in the health and wellness ecosystem should be following developments around the American Data Privacy and Protection Act (ADPPA).  If enacted, the ADPPA would be a watershed in the regulation of the privacy and security of personal information, including health information.  The ADPPA would have a particularly large impact on entities that currently collect, process, and transmit health information but are not subject to HIPAA.

In this post, the Mintz team breaks down the elements within the “American Data Privacy and Protection Act” (ADPPA) bill draft. Released to the public on Friday, June 3, this comprehensive bill touches on all facets of the privacy debate that has been ongoing in Congress for well over 20 years. 

It does not look as though Massachusetts will be state number 6 to enact a comprehensive data privacy law – or at least not the one that people have been talking about.  The Massachusetts Joint Committee on Health Care Financing has voted to send House Bill 4514, An Act Establishing the Massachusetts Information Security and Privacy Act to “study.”  This action by the influential legislative committee signals that this particular bill is not likely to advance during the current legislative session which concludes at the end of the calendar year.

Privacy law 101 includes a simple but important basic concept that organizations may only use personal information they collect for what they say they will, and how they say they will.  According to the Federal Trade Commission ("FTC") and the Department of Justice ("DOJ"), Twitter got this wrong - and it is going to cost Twitter $150M as a result. On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC to resolve allegations that Twitter violated the FTC Act and an Order issued by the FTC in 2011 by misrepresenting how it would make use of users’ personal information, including users’ nonpublic contact information. 

FBI Director Christopher Wray said that agents this summer thwarted a planned attack on Boston Children’s Hospital.  Wray said that the FBI learned of the plan from “an intelligence partner,” and “quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it.” 

Connecticut Governor Ned Lamont has signed the country’s fifth comprehensive consumer privacy act. Our breakdown below outlines key concepts on how the Connecticut Data Privacy Act (CDPA) will impact businesses, and several notes about how its provisions compare to other US state privacy laws.

Ransomware is the “business pandemic.”  Warnings have been issued by multiple agencies around the world to alert businesses to increase their protection and awareness.  Most recently, the Department of Health and Human Services (HHS) has issued a warning to health care organizations related to what it calls “an exceptionally aggressive” ransomware group known as Hive.

On March 21, President Biden warned U.S. companies to be on guard against Russian cyberattacks, citing intelligence as a call to action.