With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
disclosure
Disclosure of State Employees’ Birthdates Not Protected Per Washington Supreme Court
The Washington State Supreme Court ruled recently that state employees’ birthdates associated with their names are not exempt from disclosure pursuant to a freedom of information records request. In so holding, the Court strictly construed the applicable statute that did not expressly exempt birthdates from disclosure. Wash. Pub. Emps. Assn. v. State Ctr for Childhood …
Vermont Court Finds Patient Can Sue Hospital and an Employee for Breach of Confidentiality
In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont…
Liability for Providing Too Little Information?
Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like.
In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when…
New Jersey Ban On Employer Access To Social Media Accounts
As we have previously anticipated, yesterday New Jersey joined the multitude of other states which have enacted laws limiting employer access to employee social media accounts.
The law prohibits employers from requesting or requiring a current or prospective employee to provide or disclose any user name or password, or in any way provide the employer access to, a personal account.
Additionally, the law goes on to prohibit employers from requiring an individual to waive or limit any protection granted under the law as a condition of applying for or receiving an offer of employment. Specifically, the law states that an agreement to waive any right or protection is against the public policy of New Jersey and is void and unenforceable.
The law also prohibits employer retaliation or discrimination against an individual because the individual: refuses to provide or disclose any user name or password, or in any way provide access to, a personal account; reports an alleged violation to the Commissioner of Labor and Workforce Development; testifies, assists, or participates in an investigation, proceeding, or action concerning a violation of the law; or otherwise opposes a violation of the law.
Notably, the law permits the Commissioner of Labor and Workforce Development to collect civil penalties in an amount not to exceed $1,000 for the first violation and $2,500 for each subsequent violation.
Based on the Governor’s recommendations, the final law does not prevent an employer from implementing and enforcing a policy pertaining to the use of an employer-issued electronic communications device or any accounts or services provided by the employer or that the employee uses for business purposes.
While the law prohibits certain employer activity, it does permit employers to conduct investigations regarding: work-related employee misconduct based on information about activity on social media; or an employee’s actions based on information about the unauthorized transfer of an employer’s proprietary, confidential, or financial information to social media. Logically, the law also does not prevent an employer from viewing, accessing, or utilizing information about a current or prospective employee that can be obtained in the public domain.
It appears that New Jersey is just the next in the line of states which will adopt similar provisions limiting employer access to an employee’s personal social media accounts. While it is difficult to say what impact the law will have, at a minimum, employers must begin to assess their own internal hiring and human resources practices to make sure they comply with this law.…
Lawful Access and Improper Use of Computer Data Does Not Violate the CFAA
The Fourth Circuit recently held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to his employer’s computer network to download confidential business information that he later used while working for a competitor.
Prior …
SEC Guidance Related to Reporting Cyber Risks and Incidents
SEC issues guidance clarifying reporting obligations for public companies relating to cybersecurity and cyber incidents.
Alleged HIPAA Violation Supports State Common Law Negligence Claim
A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity’s disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle that there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment …
U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up
Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount…
California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches
CDPH’s data privacy enforcement activity continues, this time affecting 6 hospitals and a nursing home with total penalties approaching $800,000.