Privacy & Cybersecurity Newsletter

January 2019

Locke Lord's Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection, and cyber risk management. For further information on any of the subjects covered in the newsletter, please contact one of the members of our privacy and cybersecurity team.


In This Issue

Third Party Service Provider Cybersecurity Management: The (Not Quite) Last Requirement of the New York Department of Financial Services Cybersecurity Regulation
In prior issues, we have reported on the various requirements imposed by the New York Department of Financial Services (the DFS) Cybersecurity Regulation (23 NYCRR 500) (the Regulation) on “Covered Entities,” which are defined to include all licensees of the DFS.

HIPAA Enforcement Update (January 1, 2018 – December 11, 2018)
Throughout 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) has announced seven settlement agreements and one civil monetary penalty to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations.

Drone-Related Cybersecurity Risks Abound Both in the Air and on the Ground
As the use of drones (small unmanned aerial systems or UASs) has continued to expand, a great deal of ink has already been spilled over two categories of risk associated with their operation: 1) bodily injury and property damage caused by negligent and/or malicious operations; and, 2) claims for invasion of privacy, nuisance and trespass.

The GDPR – Some Troublesome Aspects and Misconceptions, Part II: Confusion Around Marketing and Consent
One of the main changes brought about by the GDPR is that it is much more difficult to obtain a valid “consent” from an individual to process his or her data.

California Consumer Privacy Act: A Priority for 2019
As reported in our last newsletter, California has enacted a game-changer in the U.S. privacy regime.

California Takes the First Step With IoT: Will the Federal Government Follow?
This past September, California became the first state to take a first (small) step in addressing Internet of Things (IoT) security.

Biometrics: Illinois Appellate Court Potentially Revives “No-Injury” Lawsuits Under the Biometric Information Privacy Act
On September 28, 2018, an Illinois Appellate Court issued an opinion that will likely increase class action filings under Illinois’s Biometric Information Privacy Act (“BIPA”).

New Ohio Data Security Law Offers Safe Harbor: May Signal New Trend
A first-of-its-kind data security law, the recently enacted Ohio Data Protection Act may signal the beginning of a new trend in the legal approach to corporate cybersecurity obligations.

WM Morrison v Various Claimants – Employer Vicariously Liable for Data Protection Breach
On October 22, 2018, the Court of Appeal of England and Wales gave its judgment in WM Morrison Supermarkets PLC v Various Claimants.

Dittman v. UPMC: Pennsylvania Employers have a Common Law Duty to Exercise Reasonable Care to Protect Employee Personal and Financial Data
Pennsylvania’s highest court recently held that an employer has a common law duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on the employer’s internet-accessible computer system.

Enforcement of the GDPR in North America – The Experience So Far
By now, North American organisations will be well aware that they can be subject to the European Union’s (EU) new data protection law, the General Data Protection Regulation (GDPR), without having a physical presence in the EU.