Privacy & Information Security Law Blog

On November 16, 2023, the Federal Trade Commission released a proposed order in connection with a complaint filed in August of 2020 against Global Tel*Link Corp. (“GTL”) and its subsidiaries, Telmate and TouchPay, which offers communication and payment services for incarcerated individuals. The complaint centered around a security breach where a technician for a vendor of GTL placed unencrypted, personally identifiable information in a test environment to test a new search and storage software. The test environment allegedly was accessible on the internet without password protections which permitted an unauthorized actor to access and exfiltrate the data between August 11-13, 2020. Though GTL restricted access to the test environment, GTL allegedly failed to notify its customers for roughly nine months, while also falsely representing to prospective customers that it had never experienced a security breach.

Glass Lewis & Co. recently published its updated Benchmark Policy Guidelines for 2024 (the “Policy”), which reflect investors’ continuing focus on corporate disclosure and board oversight of cyber risks. The Policy indicates that Glass Lewis may recommend “against” directors following a cybersecurity incident if it finds the board’s risk oversight or its post-incident response to be insufficient. The Policy also provides guidance on what Glass Lewis expects companies to disclose after such an incident.  

On November 21, 2023, the UK Information Commissioner’s Office (“ICO”) issued a statement explaining that it has recently written to companies operating some of the UK’s most visited websites regarding their compliance with data protection laws when using cookies. The ICO noted that certain websites are not providing users with fair choices as to whether or not they are tracked for personalized marketing purposes, and referred to its guidance on making it simple for users to “Reject All” advertising cookies. 

On November 16, 2023, the European Data Protection Board (“EDPB”) published its Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (the “Guidelines”).

Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.

The California Privacy Protection Agency (“CPPA”) Board (the “Board”) announced an upcoming public meeting to take place over Zoom on Friday, December 8, 2023 at 9 am PST.

On November 9, 2023, the European Parliament adopted, by a majority of 481 votes in favor, 31 votes against and 71 abstentions, the final text of the Data Act. As explained in our previous blog, the Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

On November 8, 2023, the UK Information Commissioner’s Office (“ICO”) and the European Data Protection Supervisor (“EDPS”) announced they have signed a Memorandum of Understanding (“MOU”) intended to reinforce their “common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal”. The MOU sets out broad principles of collaboration between the ICO and EDPS and the legal framework governing the sharing of relevant information and intelligence. The ICO and EDPS consider that, when addressing similar issues, reducing divergencies in their regulatory approaches will benefit public and private organizations, individuals, and other stakeholders in the UK and EU.  

On October 30, 2023, the Federal Trade Commission announced that it is sending nearly $100 million in refunds to consumers who were harmed as a result of internet phone service provider Vonage’s alleged use of dark patterns and other obstacles that made it difficult for users to cancel their service.