In a recent opinion, Henderson v. The Source for Public Data, L.P., et al, the U.S. Court of Appeals for the 4th Circuit considered whether Section 230(c)(1) of the Communications Decency Act (CDA) – a federal law that allows social media websites to provide a forum for users to post videos or other information
Uncategorized
Amendment to CMIA Regarding Mental Health and Mental Health Apps
California passed Assembly Bill (AB) 2089, which amends the Confidentiality of Medical Information Act (CMIA) to include mental health application information under the definition of medical information. Under the revisions to CMIA, mental health application information is defined as information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as…
Employee Monitoring: New York Establishes New Requirements for Employers
Earlier this month, New York Governor Kathy Hochul signed into a law a bill that will require New York private sector employers to provide written notice to employees before engaging in electronic monitoring of their activities in the workplace. Civil Rights (CVR) Chapter 6, Article 5, Section 52-C*2 will take effect six months after enactment,…
AG Becerra Announces Approval of Additional CCPA Regulations
Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020. The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with…
NLRB Approves Workplace Social Media Policy Limiting Employees’ Online Communications
Recently, the National Labor Relations Board (NLRB), in a split decision 2-1, approved a California-based ambulance company’s implementation of a social media policy that prohibited employees from “inappropriate communications” related to the company. The NLRB’s ruling reversed a decision by an administrative law judge, back in October 2019, that concluded that the company’s social media…
OCR Releases Report Summarizing HIPAA Privacy and Security Compliance Failures
In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year. The Report examines OCR’s findings from…
FTC Settles Claims Financial Institution Failed to Oversee Its Vendor’s Data Security Practices
Assessing the privacy and cybersecurity practices of third-party service providers is critical not only for employee personal information, but also for confidential and personal information pertaining to an organization’s business and its clients, customers, patients, students, etc. The Federal Trade Commission (FTC) announced a settlement on December 15 with a financial institution that it…
City of Portland Bans Private Entities From Using Facial Recognition Technologies
The City of Portland, Oregon becomes the first city in the United States to ban the use of facial recognition technologies in the private sector citing, among other things, a lack of standards for the technology and wide ranges in accuracy and error rates that differ by race and gender. Failure to comply can be…
NYDFS Files First Enforcement Action Under Reg 500
On July 21, 2020, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). Reg 500, which took effect in March 2017, imposes wide-ranging and rigorous requirements on subject organizations and their service providers, which are summarized…
EU-U.S. Privacy Shield Program for Transfer of Personal Data to U.S. Found Invalid
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the matter of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”). The matter, arising from the transfer of Schrems’ personal data by Facebook Ireland to Facebook Inc. in the United States, presented questions…