On March 15, 2022, President Biden signed into law significant new federal data breach reporting legislation that could expand data breach notice requirements far beyond regulated entities or entities processing personal data. Unceremoniously tucked as Division Y into the H.R. 2471 Consolidated Appropriations Act, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of
Modern smartphones, wearables and internet-enabled devices are capable of monitoring heart rate, blood oxygen levels, steps taken, prescription adherence, and other vital health-related activities. Contrary to popular belief, HIPAA does not cover many of these applications and devices. On September 15, 2021, the Federal Trade Commission issued a Policy Statement attempting to assert authority to police that gap. The Policy Statement explains the FTC’s view that the Health Breach Notification Rule applies to mobile health applications. This Policy Statement signals increasing FTC scrutiny designed to safeguard sensitive health data on a variety of modern technologies that consumers use to monitor and improve their health.
Data security notification requirements could become much stricter under a proposed rulemaking from the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. The proposal, published January 12, 2021, would impose new security incident notification requirements on federally regulated “banking organizations” and, notably, their service providers. If adopted, the proposed rule would expand upon existing notification requirements—adding a 36-hour notice window—and would, for the first time, impose direct notification obligations on service providers.