On April 26, 2024, the Federal Trade Commission (“FTC” or the “Commission”) announced changes to the Health Breach Notification Rule (“HBNR”), which requires certain entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers, the FTC, and, in some cases, the media of breaches of unsecured personally identifiable health data.[1] The final rule seeks to address technological and industry advancements since the original HBNR was adopted in 2009 by clarifying the rule’s applicability to direct-to-consumer health technologies (such as fitness trackers) which have proliferated in recent years. The final rule also expands the information that covered entities must provide to consumers when notifying individuals of a data breach.Continue Reading FTC Announces Reforms to the Health Breach Notification Rule
Breach Notifications
Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack
On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1] This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2] This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack
Privacy and Data Protection Compliance Will Remain a Top Priority in 2023
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world…
Cybersecurity: Continued Cyberattacks and New Regulations Result in Increased Risk
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.…
2021 Cybersecurity and Privacy Developments in the United States
Cybersecurity and data privacy continue to be among the most significant legal risks that businesses face today.
Last year brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets, continuing the trend seen in recent years. Regulators also brought a number of cybersecurity enforcement actions and announced new rules, guidance, and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government. Companies should expect the demands of cybersecurity risk management and oversight to intensify as we enter 2022.
Continue Reading 2021 Cybersecurity and Privacy Developments in the United States
Data Breach Class Action Against Bonobos Dismissed For Lack of Standing
On January 19, 2022, District Judge Jesse M. Furman of the Southern District of New York dismissed a putative class action filed against men’s clothing store Bonobos, Inc., following an August 2020 data breach. Judge Furman determined that a Bonobos customer whose personal information was stolen in the breach failed to demonstrate a sufficiently substantial risk of harm to establish standing to sue.
The decision in Cooper v. Bonobos reflects the increased uncertainty regarding the viability of suits for damages based solely on future risk of identity theft or fraud, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez.
Continue Reading Data Breach Class Action Against Bonobos Dismissed For Lack of Standing
Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Continue Reading Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements
On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1] The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.
Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements
Robinhood Sued For Failing To Protect Customers’ Accounts
Recent developments in a lawsuit have illustrated the importance of maintaining sufficient data security measures and responding adequately to data breaches, which topics are addressed in Cleary Gottlieb’s Global Crisis Management Handbook in depth. A class-action lawsuit in the Northern District of California against Robinhood Financial, LLC, a securities trading platform, alleges that unauthorized users…