On May 11, 2021, the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health & Human Services published an interim final rule/guidance to establish COVID-19 vaccination requirements for Long-Term Care (LTC) facilities. The requirements are applicable to both residents and staff. LTC facilities have already been managing COVID-19 vaccination requirements both
Is New York Next? A Comprehensive Consumer Privacy Bill Reintroduced
On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”). The NYPA had been
Biden Administration Issues Cybersecurity Executive Order Following Colonial Pipeline Cyberattack
On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in
COVID-19 Vaccine Passport Programs: Privacy and Security Considerations
As access to COVID-19 vaccines becomes more prevalent, and we begin to conceptualize what a post-pandemic world might look like, many governments are assessing the idea of a COVID-19 vaccine passport framework. In late March, the European Commission announced its plan for a COVID-19 Digital Green Certificate framework (“the framework”) to facilitate “safe free movement
DOH Employee Error Causes Breach of COVID-19 and Other Health Data Affecting Nearly 165,000 Individuals
In a recent post, we highlighted the need for a privacy and cybersecurity training program, one not solely focused on spotting phishing attempts (although that is quite important as well). A primary reason, quite simply, is that employees continue to be a leading cause of data breaches. This fact was reaffirmed for the Wyoming
Florida Moves Forward a Revised Consumer Privacy Bill
Will Florida be the next state to enact a comprehensive consumer privacy law? It sure is starting to look like a viable possibility. With the California Consumer Privacy Act (“CCPA”) in full effect, and the recent enactment of Virginia’s Consumer Data Protection Act (“CDPA”), there has been a flurry of state privacy legislative proposals since
Developing a Privacy and Cybersecurity Training Program for Employees
Increased remote work due to the COVID-19 pandemic has only exacerbated privacy and cybersecurity concerns, and likely has not changed the finding in Experian’s 2015 Second Annual Data Breach Industry Forecast:
Employees and negligence are the leading cause of security incidents but remain the least reported issue.
A more recent state of the industry
DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans
Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal
COVID-19 Vaccination: Setting Up An On-site Program
The Biden administration reportedly has called for all people at least 18 to be eligible for the COVID-19 vaccine by April 19, 2021, two weeks earlier than its prior goal of May 1, and less than a week away. Most states have already done so. Without the barriers created by state-by-state priority rules, the
Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation
In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such