Privacy & Cybersecurity

In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients. State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of  competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.

Much has been written about how existing privacy laws such as HIPAA are unhelpful to women in the wake of Dobbs vs. Jackon Women's Health Organization ruling. In the first of this two-part blog post series, the Mintz team breaks down the legal rights and practical strategies that women can use to protect their own information.

All players in the health and wellness ecosystem should be following developments around the American Data Privacy and Protection Act (ADPPA).  If enacted, the ADPPA would be a watershed in the regulation of the privacy and security of personal information, including health information.  The ADPPA would have a particularly large impact on entities that currently collect, process, and transmit health information but are not subject to HIPAA.

In this post, the Mintz team breaks down the elements within the “American Data Privacy and Protection Act” (ADPPA) bill draft. Released to the public on Friday, June 3, this comprehensive bill touches on all facets of the privacy debate that has been ongoing in Congress for well over 20 years. 

It does not look as though Massachusetts will be state number 6 to enact a comprehensive data privacy law – or at least not the one that people have been talking about.  The Massachusetts Joint Committee on Health Care Financing has voted to send House Bill 4514, An Act Establishing the Massachusetts Information Security and Privacy Act to “study.”  This action by the influential legislative committee signals that this particular bill is not likely to advance during the current legislative session which concludes at the end of the calendar year.

Privacy law 101 includes a simple but important basic concept that organizations may only use personal information they collect for what they say they will, and how they say they will.  According to the Federal Trade Commission ("FTC") and the Department of Justice ("DOJ"), Twitter got this wrong - and it is going to cost Twitter $150M as a result. On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC to resolve allegations that Twitter violated the FTC Act and an Order issued by the FTC in 2011 by misrepresenting how it would make use of users’ personal information, including users’ nonpublic contact information. 

FBI Director Christopher Wray said that agents this summer thwarted a planned attack on Boston Children’s Hospital.  Wray said that the FBI learned of the plan from “an intelligence partner,” and “quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it.” 

Connecticut Governor Ned Lamont has signed the country’s fifth comprehensive consumer privacy act. Our breakdown below outlines key concepts on how the Connecticut Data Privacy Act (CDPA) will impact businesses, and several notes about how its provisions compare to other US state privacy laws.

Ransomware is the “business pandemic.”  Warnings have been issued by multiple agencies around the world to alert businesses to increase their protection and awareness.  Most recently, the Department of Health and Human Services (HHS) has issued a warning to health care organizations related to what it calls “an exceptionally aggressive” ransomware group known as Hive.

This advisory outlines the SEC’s new proposed cybersecurity disclosure rules and discusses how the changes will impact public companies and their boards.  

On March 21, President Biden warned U.S. companies to be on guard against Russian cyberattacks, citing intelligence as a call to action.

Utah is on the brink of joining California, Colorado, and Virginia to become the fourth state in the US to enact a major comprehensive privacy law.  On February 25, the Utah Senate passed the Utah Consumer Privacy Act (“UCPA”), and on March 2, it was passed by the Utah House. The Mintz privacy team has reviewed the UCPA for answers to business’ most pressing questions about how this new law will affect them if it is enacted.

Facebook’s parent company Meta has agreed to settle one of the longest-running data privacy lawsuits in the country for $90 million. This dispute, originally filed in 2012 in a total of 21 related cases, alleged that Facebook continued to track its users even after they logged out of the social media platform. Specifically, the plaintiffs’ alleged that Facebook used cookies and various plug-ins in order to track and save information about its users’ visits to third-party websites and then sold to advertisers.

This alert covers the UK’s new international data transfer agreement and the implications for parties that transfer or receive personal data from the United Kingdom.

The UK Information Commissioner’s Office (ICO) has just published the final form of its much-anticipated new International Data Transfer Agreement (IDTA), along with a separate addendum to the EU SCCs (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK. They have been laid before Parliament and, assuming there are no objections from MPs, will go into effect on March 21, 2022.

Data Privacy Week kicked off with a major message for US publicly-traded companies: the Securities and Exchange Commission will be looking at cybersecurity. SEC Chairman Gary Gensler asked SEC staff to make recommendations regarding companies’ cybersecurity practices and risk disclosures. Gensler also indicated that he will also be considering whether companies should update disclosures to investors when cyber events occur.

Read about key regulatory and other developments, including board diversity and other ESG matters, which public companies need to consider as they prepare for their fiscal year-end SEC filings and 2022 annual shareholder meetings.

Before the holidays, we warned of a critical vulnerability in a widely-used Java logging utility that could affect tens of thousands of companies.   Since that original alert, multiple US and foreign government cybersecurity agencies published a joint advisory and guidance for affected organizations recommending that patches or workarounds be applied immediately to mitigate the vulnerabilities and exposure.   The US Cybersecurity and Infrastructure Security Agency also ordered US federal civilian executive branch agencies to patch within days of the order. 

Unauthorized use of a trademark on the Internet occurs often and in many forms, usually involving the profiting, whether intentionally or unintentionally, from the goodwill associated with a trademark belonging to someone else. Such use, however, does not always rise to the level of trademark infringement. Unauthorized use of a trademark is only infringing if the particular use causes likely confusion among consumers. The most common type of confusion is confusion over source, which occurs at the time of purchase, but confusion can also arise as to affiliation, connection, or sponsorship, and confusion does not necessarily need to occur at the time of purchase.

CVE-2021-44228 — dubbed Log4Shell — can easily be exploited to gain complete access to the targeted system by getting the application to log  a specially crafted string. Government organizations and the private sector are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.