Privacy & Information Security Law Blog

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

On November 8, 2023, the UK Information Commissioner’s Office (“ICO”) and the European Data Protection Supervisor (“EDPS”) announced they have signed a Memorandum of Understanding (“MOU”) intended to reinforce their “common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal”. The MOU sets out broad principles of collaboration between the ICO and EDPS and the legal framework governing the sharing of relevant information and intelligence. The ICO and EDPS consider that, when addressing similar issues, reducing divergencies in their regulatory approaches will benefit public and private organizations, individuals, and other stakeholders in the UK and EU.  

On October 30, 2023, the Federal Trade Commission announced that it is sending nearly $100 million in refunds to consumers who were harmed as a result of internet phone service provider Vonage’s alleged use of dark patterns and other obstacles that made it difficult for users to cancel their service.

On November 8, 2023, the Network Advertising Initiative (“NAI”) issued its best practices guidance (“Guidance”), which advocates for the use of demographic data for health advertising, rather than sensitive health information.

On November 1, 2023, New York Governor Hochul announced that the New York State Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation applicable to covered financial institutions. Our previous blog post covered key proposed changes to the Cyber Regulation.

The NYDFS, which regulates financial institutions including insurance companies, mortgage brokers and banks, adopted the original Cybersecurity Regulation in 2017. The new amendments strengthen the initial framework and require NYDFS-regulated entities to adhere to a number of ...

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation and its Chief Information Security Officer (“CISO”), Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC’s complaint alleges that, from SolarWinds’ October 2018 initial public offering through its December 2020 8-K filing, the company was the target of a massive, nearly two-year long cyberattack, known as SUNBURST, and defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The SEC has alleged that SolarWinds (1) mislead investors by disclosing only generic and hypothetical risks when the company and Brown allegedly knew of specific deficiencies in SolarWinds’ cybersecurity practices; (2) issued public statements about its cybersecurity practices and risks that were allegedly at odds with its internal assessments; and (3) discussed internally in 2019 and 2020 questions regarding the company’s ability to protect its critical assets from cyberattacks; and (4) made an incomplete disclosure about the SUNBURST attack in the company’s Form 8-K filing on December 14, 2020. In addition, the SEC alleged that Timothy Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but did not resolve the issues or sufficiently raise them further within the company.

On October 27, 2023, the European Data Protection Board (“EDPB”) adopted an urgent binding decision instructing the Irish Data Protection Commissioner (the “Irish DPC”) to take final measures against Meta Ireland Limited (“Meta”) within two weeks and impose a ban on Meta’s processing of personal data for behavioral advertising based on the contractual necessity and legitimate interests legal bases. The ban would apply across the European Economic Area (“EEA”).

On November 1, 2023, 29 nations, including the U.S., the UK, the EU and China (full list available here), reached a ground-breaking agreement, known as the Bletchley Declaration. The Declaration sets forth a shared understanding of the opportunities and risks posed by AI and the need for governments to work together to meet the most significant challenges posed by the technology. The Declaration states  that there is an urgent need to understand and collectively manage the potential risks posed by AI to ensure the technology is developed and deployed in a safe, responsible way. The Declaration was signed at the AI Safety Summit 2023, held at Bletchley Park in the UK.

On October 30, 2023, U.S. President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. It marks the Biden Administration’s most comprehensive action on artificial intelligence policy, building upon the Administration’s Blueprint for an AI Bill of Rights (issued in October 2022) and its announcement (in July 2023) of securing voluntary commitments from 15 leading AI companies to manage AI risks.

On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule that would provide consumers with more control over their financial information and impose certain requirements on the following types of entities: