HIPAA’S Right of Access is No Joke, and the Holidays are No Excuse for Noncompliance

On November 30, 2021, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. This brings the total number of this type of enforcement action to 25 since the initiative began. OCR originally launched this initiative in an effort to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA grants people the right to see and obtain copies of their health information from their healthcare providers and health plans. Once a HIPAA-regulated entity receives a request, it has 30 days to provide an individual or their representative with their records in a timely manner. If HIPAA-regulated entities need more time to comply with timely requests, they may obtain an additional 30-day extension of time to do this by providing written notice to the individual who made the request, including the reasons for the delay and the expected date by which the entity will complete the action on the request.

Newly-appointed OCR Director Lisa J. Pino has said that timely access to health records is a powerful tool for people to stay healthy and protect their privacy as patients, and that it is a right under the law. She has gone on to say that OCR will continue its enforcement actions to hold covered entities responsible for their HIPAA compliance and to pursue civil monetary penalties for violations that go unaddressed.

For example, OCR has taken enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access, such as the enforcement action against Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, New York, who allegedly did not cooperate with OCR’s investigation or respond to OCR’s data requests after a hearing. He also did not contest the findings of OCR’s Notice of Proposed Determination. Consequently, OCR closed this matter out by issuing a civil monetary penalty of $100,000. Moreover, a licensed provider of residential eating disorder treatment services in Eugene, Oregon, Rainrock Treatment Center, LLC, doing business as Monte Nido Rainrock (“Monte Nido”), has taken corrective actions including one year of monitoring and a $160,000 settlement payment to HHS for the alleged violation of the HIPAA Privacy Rule’s Right to Access. In the Monte Nido action, the patient requested records on two occasions—on October 1, 2019 and then again on November 21, 2019. Monte Nido complied with the request for access but not until May 22, 2020, more than six months after the initial request was made. Even still, OCR moved to enforce.

These are just two examples of enforcement actions taken by OCR for violations of the HIPAA Privacy Rule’s Right to Access. In order to avoid an investigation and potential enforcement action such as the ones noted above, it is imperative to determine first whether you are subject to HIPAA’s Privacy Rule as a covered entity, and if so, to handle any requests for access to health information with requisite haste and attention so as to avoid costly and time-consuming regulatory enforcement actions.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Policyholder Best Practices As Cyberattacks Escalate

This article originally ran in Law360 on September 4, 2021. All rights reserved. 

Cyberattacks are exploding. The coronavirus pandemic has further exposed cyber vulnerabilities due to remote work and the increasing use of underprotected devices. Ransomware attacks are increasingly becoming the cyberattack of choice.

While data breach and privacy claims fell between 2018 and 2020, ransomware attacks rose by 486% over that same period. Victims of ransomware paid $350 million in 2020, an increase of 311% over the previous year.

The average ransomware payment in 2020 was $312,943. The costs of ransomware extend well beyond the ransom payments. The average downtime due to an attack is 21 days and it takes a business an average of 287 days to recover.

This explosion of cyberattacks has resulted in greater regulatory oversight and a hard insurance market. As the responses to escalating cyberattacks continue to unfold, corporate policyholders may wish to employ some best practices to avoid regulatory hot water and the worst effects of a hard insurance market.

Heightened Cyber Regulations

Regulators, both nationally and internationally, have sharpened their focus on the privacy rights of individuals and on the regulation of data collection and protection. Regulators are enforcing their regulations through the imposition of fines and the extraction of settlements for noncompliance.

Internationally, the European Union stepped up enforcement of the General Data Protection Regulation. In the first 10 months of 2020, 220 fines were issued, reflecting a 260% increase over the previous year.

Nationally, the second largest Health Insurance Portability and Accountability Act settlement ever was reached in 2020, with Premera Blue Cross agreeing to pay $6.85 million to the U.S. Department of Health and Human Services’ Office for Civil Rights.

Also last year, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued an advisory stating that ransom payments to cybercriminals that are subject to OFAC sanctions may violate OFAC regulations and result in civil penalties. That advisory clarified that it applied to companies involved in providing cyber insurance, digital forensics investigators, incident response firms, and financial services companies that facilitate the processing of ransom payments.

On the state level, several states, including Illinois, Washington, Texas and Arkansas, have either enacted or amended privacy laws related to the collection, use, and retention of biometric data, resulting in related litigation, including a $650 million settlement involving a class of Illinois residents in In re: Facebook Biometric Information Privacy Litigation.

In addition, several states have proposed and enacted legislation following the California Consumer Privacy Act, aimed at granting U.S. citizens greater control over their personal data.

New York has taken a leading role in cybersecurity regulation directed specifically at insurance companies and other financial institutions. New York’s regulation became effective on March 1, 2017, with a two-year implementation period.

By March 1, 2019, all insurance companies and other financial services institutions and licensees regulated by New York’s Department of Financial Services were required to have a robust cybersecurity program in place designed to protect consumers’ private data.

In addition, those entities were required to have a written policy or policies approved by the board of directors or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication.

As many financial institutions are headquartered in or conduct substantial business in New York, this new regulation is significant and may influence how other states decide to regulate cybersecurity.

Cyber Insurance

Cyber insurance has become a standard part of corporate cyber risk management. As cyber losses generally, and ransomware attacks specifically, have increased, a number of insurers have exited the field, and it appears as if cyber insurance has entered a hard market.

A hard insurance market is typically associated with rising premiums and coverage restrictions. Premium increases of between 15% and 50% were anticipated for this year. With regard to coverage, insurers are actively evaluating the following coverage terms and conditions.

Ransomware Coverage 

In response to the rapid rise in ransomware attacks, insurers are capping aggregate limits and insisting on sublimits. When critical internal controls are lacking, insurers are proposing to exclude ransomware attacks in their entirety.

Contingent Business Interruption 

SolarWinds Corp. is a major software company that provides tools for network and infrastructure monitoring, including an IT monitoring system called Orion. More than 30,000 organizations use the Orion system. Following the SolarWinds cyber breach last spring, the hackers were able to gain access to the computer systems of thousands of the company’s customers.

The SolarWinds attack prompted insurers to review their overall exposure to contingent business interruption exemplified by supply chain risks exposed by the attack. Specifically, insurers are insisting on greater waiting periods before coverage incepts and reduced aggregate limits and sublimits.

Notice Requirements 

Late notice is one of the most common causes of insurance claim disputes under errors and omissions insurance policies. Often those disputes have their origins in the sometimes confusing use of “claims made,” “claims made and reported” and “occurrence” notice language. Insureds must pay careful attention to these provisions to ensure proper and timely notice of any cyber loss.

Breach Response Vendors

The costs of responding to a cyberattack, including IT forensics, external services and other specialists, are typically covered under cyber insurance policies. To reduce, or at least stem, the increase in these costs, insurers are becoming less flexible about the use of nonpanel or non-preagreed vendors.

Corporate Policyholder Best Practices

Corporate policyholders can proactively employ the following practices to best respond to the heightened regulatory scrutiny and a hardening insurance market.

Enhance Cybersecurity 

While cybersecurity risks cannot be eliminated, certain proactive steps can be taken to reduce those risks. Those steps include the implementation of risk management strategies involving assessment, testing and practice improvement, as well as incident response preparedness through the retention of incident response vendors and regular incident response practice.

Make Privacy a Focus

Establish and update corporate policies that address third-party contracts, online presence, service providers and supply chains. For example, policyholders may want to ensure that their vendor contracts include the maintenance of requisite privacy and security standards as well as breach notification procedures.

Embrace Cybersecurity Culture 

Train employees to spot malicious actors and reduce common cybersecurity and phishing vulnerabilities. Using multifactor authentication and strong passwords can be crucial to staving off threat actors.

Demonstrate Ransomware Preparedness

Develop plans for business continuity, disaster recovery, privileged access controls, multifactor authentication, proactive scanning and testing, and overall incident response readiness. Segregate and test backups to ensure that critical systems can be restored in the face of an attack and put in place a ransomware-specific incident response plan that is tested by senior leadership.

Be Transparent and Communicate

Don’t wait for a claim. Be open about potential vulnerabilities and include insurers in your planning. Maintaining open lines of communication with all lines of insurers before a claim arises will enhance outcomes after a claim is presented.

Update: This article has been updated with a citation including an estimate from SolarWinds regarding the scope of the cyber breach last spring. The time frame for the breach in 2020 was also clarified.

Lee Epstein is a shareholder and chair of the insurance counseling and recovery practice group at Flaster Greenberg PC. He represents corporate and individual policyholders in recovering insurance in response to an array of hazards and catastrophic property and business interruption losses. He advises market leaders in the airline, chemical, construction, financial services, food, HVAC&R, packaging, retail and satellite television industries. Lee is currently litigating insurance coverage disputes throughout the state and federal courts of the United States.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups through which she advises clients on matters related to regulatory compliance, data breach response, and crafting privacy-by-design policies.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See Aon-errors-and-omissions-cyber-insurance-snapshot.pdf.

[2] Chainalysis Team, Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits than You Think, excerpt from the Chainalysis 2021 Crypto Crime Report (Jan. 26, 2021).

[3] Unit 42, Palo Alto Networks, Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report (Mar. 17, 2021), https://unit42.paloaltonetworks.com/ransomware-threat-assessments (last visited Aug. 12, 2021).

[4] Coveware, Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands (Feb. 1, 2021), https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020 (last visited Aug. 12, 2021).

[5] Naveen Goud, Ransomware attacks could have cost the United States $7.5 Billion, Cybersecurity Insiders, https://www.cybersecurity-insiders.com/ransomware-attacks-could-have-cost-the-united-states-7-5-billion/ (last visited Aug. 12, 2021).

[6] See Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, Department of the Treasury, October 1, 2020, ofac_ransomware_advisory_10012020_1.pdf (treasury.gov).

[7] See Facebook Wins Preliminary Approval for Biometric Privacy Accord, Joe Schneider, August 19, 2020, https://news.bloomberglaw.com/privacy-and-data-security/facebook-wins-preliminary-approval-for-biometric-privacy-accord (last visited Aug. 23, 2021).

[8] See 23 N.Y.C.R.R. 500.

[9] See, e.g., “Aon’s E&O | Cyber Insurance Snapshot,” https://www.aon.com/cyber-solutions/wp-content/uploads/Aon-errors-and-omissions-cyber-insurance-snapshot.pdf; “Cyber may never experience another soft market: Gallagher Re,” Intelligent Insurer, April 14, 2021, https://www.intelligentinsurer.com/news/cyber-may-never-experience-anothersoft-market-gallagher-re-25350; 2021 Cyber Insurance Market Conditions Report, https://www.ajg.com/us/news-andinsights/2021/jan/2021-cyber-insurance-market-report (last visited Aug. 12, 2021).

[10] On May 7, 2021, in an update about an ongoing investigation, SolarWinds estimated the actual number of customers hacked to be fewer than 100.

The Changing Landscape of Cyber Insurance and the Response from Regulators

The State of Cyberattacks 

Cyberattacks are on the rise, and have significantly increased since the pandemic began in March of 2020. Remote work, coupled with bring-your-own-device policies, has only increased the vulnerabilities of businesses and individuals during this time. In fact, ransomware attacks in particular increased 300% in 2020.

The Cybersecurity and Infrastructure Security Agency (“CISA”) defines ransomware as:

an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

Ransomware can be exorbitantly expensive because it is one of the most disruptive forms of cybercrime. Cybercriminals keep demanding larger sums and ransomware demands have increased 171% from 2019 to 2020, and continue to grow.

While small businesses account for 43% of all cyberattacks, neither large businesses nor government institutions are immune. In March 2021, for example, CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million to regain control of its network after a ransomware attack. In another recent example, the Kaseya ransomware attack in July 2021 paralyzed as many as 1,500 organizations by compromising the tech management software. Kaseya’s software serves many managed services providers so the attacks multiplied before Kaseya could effectively warn its users thereby allowing the attackers to rapidly encrypt data and demand ransoms of as much as $5 million per victim. From the rise of this type of ransomware to the SolarWinds-based cyber-espionage campaign, it is abundantly clear that cybersecurity is now fundamental to almost every aspect of modern life—from consumer protection to national security. 

The Insurance Industry’s Response  

The rise of cyberattacks has consequently impacted the cyber insurance market. Because of the increasing regularity of ransomware attacks, the loss ratios on cyber insurance increased from an average of 42% between 2015 and 2019 to 73% in 2020. Cyber-related business interruption coverage is the most sought-after cyber coverage. Increasing costs are affecting premiums and the scope of coverage. Insurers are also becoming more rigorous in assessing the cybersecurity of their customers and providing insurance according to that risk.

Cyber insurance plays a key role in managing and reducing cyber risk. This is a relatively new area of insurance for most insurers, though cyber insurance is becoming increasingly common. In 2019, the U.S. cyber insurance market was a $3.15 billion market. By 2025, it is estimated that the market will be worth about $20 billion. It is important to note, too, that these numbers may understate the insurance coverage of cyber risk, as many policyholders submit insurance claims arising from cyber incidents under non-cyber insurance policies.

Insurance companies themselves have also come under scrutiny for their cyber hygiene. As insurance companies collect, store, and maintain a plethora of sensitive personal and business data, this is somewhat predictable and only follows the trend of increasing regulation of the cybersecurity world. In the absence of federal comprehensive legislation, states are paving the regulatory pathway and setting baseline standards of care for cybersecurity. 

State Cybersecurity Regulation  

At least one state has taken a proactive role in issuing a cybersecurity regulation directed towards insurance companies and other financial institutions. As many top companies are headquartered in New York or conduct substantial business in New York, this new regulation is significant and may have implications for how other states decide to regulate the cyber insurance market. In 2017, New York’s Department of Financial Services (“NYDFS”) promulgated the first cybersecurity regulation for the financial services sector, and it created a specific Cybersecurity Division in 2019. See 23 N.Y.C.R.R. 500.

The regulation became effective on March 1, 2017 and instituted a two-year implementation period. By March 1, 2019, all insurance companies and other financial services institutions and licensees regulated by DFS were required to have a robust cybersecurity program in place that is designed to protect consumers’ private data. In addition, they were required to have a written policy or policies approved by the Board of Directors or a Senior Officer, a Chief Information Security Officer to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication. The regulation sets forth certain limited exceptions, many of which still require certain cybersecurity programs and practices. 

According to a 2018 DFS Memorandum, the purpose of this regulation is to bolster the financial services industry’s defenses against cybersecurity attacks in order to protect the markets and consumers’ private information. The regulation also requires all entities and persons regulated or licensed by the New York State Department of Financial Services to file various cybersecurity notices with the Superintendent, including notifications of cybersecurity events—whether they are successful or not.

The DFS has already brought several investigations into covered entities that were thought to be non-compliant with the new regulation, with the most recent resulting in a settlement with the First Unum Life Insurance Company of America (“First Unum”) and Paul Revere Life Insurance Company (“Paul Revere”) on May 13, 2021. The Superintendent of DFS announced that the insurance companies agreed to pay a $1.8 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to their customers, including thousands of consumers nationally and hundreds in New York. As part of the settlement, the companies also agreed to implement further improvements to their existing cybersecurity program to ensure that their cybersecurity controls are fully compliant with the regulation.

DFS’s Cybersecurity Regulation serves as a model for other regulators both at the national and state level, as well as for industry-specific organizations, such as the National Association of Insurance Commissioners. 

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Defending Patient Breaches for Hospitals – PODCAST

On this episode of Darshan Talks, we discussed Health Literacy with guest Krishna Jani.

Krishna Jani, Cybersecurity & Data Privacy Attorney at Flaster Greenberg PC, spoke about the relationship between data privacy, life sciences, and health issues in the legal domain. She highlighted that healthcare services should ensure that they don’t compromise patients’ digital privacy in any way. What startups do with patient data matters regarding what legal liability or implications are placed on them. Example: if they sell data for a profit, it might come under California’s CCPA or the new CCRA regulations. There are a lot of hospitals getting hacked despite hiring IT teams to avoid these incidents. This is often because they outsource the IT work to another company, have an outdated privacy policy, and don’t discuss cybersecurity in board meetings. Besides the breach of privacy to patients, there is also a strong possibility that the hospital will be sued. Thus, hospitals need to hold themselves accountable, focus on data privacy and keep themselves up to date with the latest digital security compliance requirements. She cited a study in the 80s where people could connect even 1 or 2 data points to a single person. With the technology that exists now, it is even harder to remain completely anonymous. Thus, it is advisable to delete unnecessary patient data from systems used for clinical trials or for research and development purposes. A defense would arise only if there has been some substantial effort made or standard of care exercised by hospital management to curb these cybersecurity attacks, even if attacks have become increasingly sophisticated over the years. She concluded with an interesting point: healthcare data is 3x more critical than financial data.

The Uniform Personal Data Protection Act Is Here

In July 2021, the Uniform Law Commission (“ULC”) voted to approve the Uniform Personal Data Protection Act (“UPDPA”). The UPDPA is a model data privacy bill designed to provide a template for states to introduce to their own legislatures, and ultimately, adopt as binding law.

The UPDPA would govern how business entities collect, control, and process the personal and sensitive personal data of individuals. This model bill has been in the works since 2019 and includes the input of advisors, observers, the Future of Privacy Forum, and other stakeholders. This is significant because the ULC has set forth other model laws, such as the Uniform Commercial Code, which have largely been adopted across the states.

Interestingly, the model bill is much narrower than some of the recent state privacy laws that have been passed, such as the California Privacy Rights Act and Virginia’s Consumer Data Protection Act. Namely, the model bill would provide individuals with fewer, and more limited, rights including the right to copy and correct personal data. The bill does not include the right of individuals to delete their data or the right to request the transmission of their personal data to another entity. The bill also does not provide for a private cause of action under the UPDPA itself, but would not affect a given state’s preexisting consumer protection law if that law authorizes a private right of action. If passed, the law would, consequently, be enforced by a state’s Attorney General.

The UPDPA would apply to the activities of a controller or processor that conducts business in the state or produces products or provides services purposefully directed to residents of this state and:

(1) during a calendar year maintains personal data about more than [50,000] data subjects who are residents of this state, excluding data subjects whose data is collected or maintained solely to complete a payment transaction;

(2) earns more than [50] percent of its gross annual revenue during a calendar year from maintaining personal data from data subjects as a controller or processor;

(3) is a processor acting on behalf of a controller the processor knows or has reason to know satisfies paragraph (1) or (2); or

(4) maintains personal data, unless it processes the personal data solely using compatible data practices.

The UPDPA defines “personal data” as a record that identifies or describes a data subject by a direct identifier or is pseudonymized data. The term does not include deidentified data. The bill also defines “sensitive data” as a category of data separate and apart from mere “personal data.” “Sensitive data” includes such information as geolocation in real time, diagnosis or treatment for a disease or health condition, and genetic sequencing information, among other categories of data.

The law would not apply to state agencies or political subdivisions of the state, or to publicly available information. There are other carve-outs, as well.

Notably, the model bill also contains several different levels of “data practices,” broken down into three subcategories: (1) a compatible data practice; (2) an incompatible data practice; and (3) a prohibited data practice. Each subcategory of data practice comes with a specific mandate about the level of consent required—or not required—to process certain data. For example, a controller or processor may engage in a compatible data practice without the data subject’s consent with the expectation that a compatible data practice is consistent with the “ordinary expectations of data subjects or is likely to benefit data subjects substantially.” Section 7 of the model bill goes on to list a series of factors that apply to determine whether processing is a compatible data practice, and consists of such considerations as the data subject’s relationship to the controller and the extent to which the practice advances the economic, health, or other interests of the data subject. An incompatible data practice, by contrast, allows data subjects to withhold consent to the practice (an “opt-out” right) for personal data and cannot be used to process sensitive data without affirmative express consent in a signed record for each practice (an “opt-in” right). Lastly, a prohibited data practice is one in which a controller may not engage. Data practices that are likely to subject the data subject to specific and significant financial, physical, or reputational harm, for instance, are considered “prohibited data practices.”

The model bill has built in a balancing test meant to gauge the amount of benefit or harm conferred upon a data subject by a controller’s given data practice, and then limits that practice accordingly.

What’s Next

After final amendments, the UPDPA will be ready to be introduced to state legislatures by January 2022. This means that versions of this bill can, and likely will be, adopted by several states over the next couple of years—and perhaps, eventually, lead to some degree of uniformity among the states’ privacy laws.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Cybersecurity & Data Privacy Legislative Updates

Since the passage of the CCPA in 2018, there has been a flurry of proposed state laws aimed at regulating the areas of cybersecurity and data privacy in the absence of federal comprehensive legislation. Additionally, there has been a renewed focus on legislation at the federal level. Here’s an overview of some recently proposed pieces of federal legislation, and recently proposed and passed state laws that may actually have a shot at success.

Federal Privacy Legislation

Information Transparency and Personal Data Control Act (2021)

This Act is the first of its kind to be introduced in 2021. The Act would create protections for the processing of personal information. Under the Act, businesses would be required to utilize an opt-out consent mechanism for consumers for the collection, processing, and sharing of non-sensitive information. For the collection, sale, sharing, or other disclosure of sensitive personal information, however, companies would be required to obtain an “affirmative, express, and opt-in consent” from consumers.

The proposed law defines “sensitive personal information” as financial account numbers and authentication credentials, such as usernames and passwords; health information; genetic data; any information pertaining to children under the age of 13; Social Security numbers and any “unique government-issued identifiers;” precise geolocation information; the content of oral or electronic communications, such as email or direct messaging; personal call detail records; biometric data; sexual orientation, gender identity or intersex status; citizenship or immigration status; mental or physical health diagnoses, religious beliefs; and web browsing history and application usage history.

Notably, information that is classified as deidentified, public information, and employee data would not fall under the definition of “sensitive personal information.” Written or verbal communication between a controller and a user for a transaction concerning the provision or receipt of a product or service would also not be considered sensitive data.

Additionally, data controllers would be responsible for informing processors or third parties about the purposes and limits to the specific consent granted but would not be liable for processors’ failure to adhere to those limits.

Moreover, the law would provide additional rulemaking authority to the Federal Trade Commission to devise requirements for entities that collect, transmit, store, process, sell, share, or otherwise use the sensitive personal information of members of the public.

This Act would not provide consumers with a private right of action. Instead, it directs the Attorney General to notify controllers of alleged violations and provide them with 30 days to cure non-willful violations of this Act before commencing an enforcement action.

For more information on recently-proposed federal legislation, including bills crafted to address the COVID-19 pandemic, see my pieces on the Exposure Notification Privacy Act, the Public Health Emergency Privacy Act, and the COVID-19 Consumer Data Protection Act.

State Privacy Legislation

Unlike the GDPR, a comprehensive regime that generally applies to all personal data in all settings, state laws in the U.S. typically carve out exceptions for certain types of data, such as health information already subject to HIPAA. The laws outlined below largely follow this pattern.

The following states have recently passed, or proposed, cybersecurity and data privacy laws.

The CPRA is a ballot initiative that amends the CCPA and includes additional privacy protections for consumers. It was passed in November 2020, and the majority of its provisions will enter into force on January 1, 2023, with a look-back to personal information collected on or after January 1, 2022.

Virginia’s Consumer Data Protection Act is similar to the still-pending Washington Privacy Act and includes provisions that are akin to the CCPA.

Other states like Oregon and Minnesota have also proposed privacy and security legislation in recent months.

Don’t forget to catch Krishna Jani’s presentation at PBI’s upcoming Cyberlaw Update on Thursday, April 29, 2021!

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Cybersecurity & Data Privacy Litigation Trends – February 2021

Spotlight on Recent Decisions 2021

The Delaware Superior Court recently dismissed a healthcare data breach lawsuit against Brandywine Urology Consultants (“Brandywine”) because it ruled that the victims of the breach failed to provide evidence of injuries or losses caused by a 2020 security incident and, therefore, lacked standing to sue. The suit, Abernathy, et al. v. Brandywine Urology Consultants, P.A., C.A. No. N20C-05-057 MMJ CCLD, resulted from a ransomware attack that was discovered by Brandywine in January 2020, and which was reportedly live on the network for two days before it was detected and isolated by the IT team. Interestingly, during the attack, cyberthieves accessed and encrypted records that included patient names, addresses, Social Security numbers, medical file numbers, claim data, and other financial and personal data but at no time did the cyberthieves attempt to extract a ransom. According to the Delaware Superior Court’s January 21, 2021 Opinion, Brandywine notified all of its patients of the attack via breach notification letters.

In May 2020, the breach victims filed suit against Brandywine, alleging negligence, invasion of privacy, breach of express contract, breach of implied contract, negligence per se, breach of fiduciary duty, noncompliance with the Delaware Computer Security Breach Act, and violation of the Delaware Consumer Fraud Act. The lawsuit sought mitigation expenses caused by the breach. In July 2020, Brandywine filed a motion to dismiss arguing that the plaintiffs lacked standing to sue—essentially that the victims suffered no concrete, particularized, and actual or imminent injury-in-fact. In order to demonstrate “injury-in-fact,” the victims alleged imminent risk of future harm, a loss of privacy, anxiety, failure to receive the benefit of the bargain, a loss of value to the property in personally identifying information, and disruption in medical care.

In its January 21, 2021 Opinion, the Delaware Superior Court stated that in “data breach cases [in Delaware], [p]laintiffs must provide at least some plausible specific allegations of actual or likely misuse of data to satisfy the standing requirement and avoid dismissal under [Superior Court Civil] rule 12(b)(1).” The court also noted that Delaware courts have not yet addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. Brandywine argued that it did not.

The court found that Brandywine’s breach notification specified that the breach was only a possible compromise of personal and financial information during the ransomware attack. It did not concede that it was a concrete and imminent threat. The court also determined that Brandywine appeared to act quickly in response to the breach and took the appropriate steps to investigate what had transpired. Ultimately, the court decided that Brandywine should not be punished for having notified individuals about a possible compromise of their data. In fact, the court expressed hesitancy about making any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution. The court stated that the mere fact that the attack occurred, without more, is insufficient to confer standing on plaintiffs. The court also found that mitigation costs, including credit monitoring and placing freezes and alerts with credit reporting agencies, do not create an injury sufficient to confer standing on plaintiffs who allege speculative harms resulting from a data breach.

In a similar case in the Middle District of Pennsylvania, cited in the Delaware Superior Court’s Opinion, the court also found that “[p]laintiffs’ alleged harm—that they are now at an increased risk of identity theft—does not suffice to allege an imminent injury.”

Though the courts remain fragmented on the issue of standing in data breach cases, the Delaware Superior Court’s opinion lays the groundwork for what may become the norm: a heightened pleading requirement for standing in such cases, whether Article III standing in federal court or its state-law analogue.

Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Disinformation, Mob Mentality, And Federal Privacy Legislation

Will the disinformation that led to a mob surrounding the Capitol Building help drive federal privacy legislation?

Here’s why I think it will.


It is no secret that the internet is rife with information—some legitimate, and, inevitably, some not. In many ways, social media and the rise of new and emerging platforms on which to share information contribute to the spread of disinformation. Disinformation is false information that is intended to mislead, unlike misinformation, which is false information that is spread regardless of any intent to mislead.

Disinformation can be damaging to both individuals and businesses because it can be difficult to discern the difference between evidence-backed information and disinformation. This very issue arguably resulted in thousands of people surrounding the Capitol Building on January 6, 2021 in Washington, D.C.

The Role of the Internet and Social Media

Though many platforms likely contributed to the widespread disinformation that led to a mob storming the Capitol Building, certain platforms have a significantly greater impact. For example, with more than two billion users worldwide, Facebook has unprecedented reach, and that reach has created a near-monopoly on certain types of information and the sharing of that information. For instance, small businesses often rely on Facebook to find customers. Content creators use Facebook to create visibility for their work. Software developers seek to attract customers on the platform. Media outlets use the platform to share news articles. The list goes on.

Platforms like Facebook use the details of personal profiles to gauge which content they believe a particular user will find enticing. The platform then calibrates the user’s feed accordingly in an effort to maximize the amount of time that the user stays online. The result is that the information that appears in our feeds is informed, to at least some degree, by what our friends and network contacts post and consume. It is shaped, to a much larger degree, by the platforms’ algorithms.

This is precisely the point at which data privacy, personal autonomy, and democracy intersect.

The Problem and Ways to Avoid the Spread of Disinformation

Disinformation can harm businesses in a myriad of ways. Incorrect news, negative social media posts, and even overtly false consumer reviews can adversely impact a company’s bottom line.

Successful companies understand their markets, their customers, and their partners. They also need to understand how their brand is perceived by users of social media. This can be achieved by using in-house technology or hiring an outside firm. By doing so, companies can get advance warning of an individual’s or group’s efforts to spread disinformation about a given brand. To the extent a business participates in e-commerce and has a social media presence, the business should aim to establish verified accounts on major platforms and use them regularly to establish their markets.

Other tools businesses can use to avoid the spread of disinformation are: self-assessing, preparing for incident response, and communicating directly with their customers. In addition, data ethics should be incorporated into decision-making along with business motivation, technological practicality, and legal compliance.

How Federal Privacy Legislation Could Help

The federal government has no organization to regulate or help quell the spread of disinformation, and there is no one particular person within the government in charge of an overall disinformation policy. The United States needs a comprehensive approach to risk generated by data. Accordingly, any effective federal privacy regime must take into account the process of data throughout the whole lifecycle of data governance.

The business community has plenty of reasons to support federal privacy legislation. For one, a single piece of comprehensive legislation reduces confusion surrounding compliance. Second, one law to rule them all would likely preempt many of the piecemeal legislative efforts of various states. Lastly, in the wake of the Schrems II decision, passing a commercial privacy law would help the atmosphere considerably as negotiations go forward with the European Union with regard to transborder data flows.

It is also worth noting that some of the largest markets in the world are moving toward comprehensive data protection laws, such as China, India, Brazil, and Canada. The adoption of a similar comprehensive law in the United States would solidify the United States’ position as a world leader in data privacy.

The goal of any federal privacy legislation should be to preserve the most beneficial aspects of social media platforms while simultaneously protecting individuals and businesses from the platforms’ more harmful impacts. Most pending federal legislation includes the basics: data access, deletion rights, and portability. The next step will be to incorporate protections against disinformation.


Cybersecurity & Data Privacy Updates, Part II

From California to New York, data privacy laws and enforcement actions are ramping up. Check out some highlights below.

New York State Department of Financial Services launched its first enforcement action in July 2020.

As U.S. companies focus on CCPA enforcement, they should not ignore other state laws and accompanying regulations. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500, “DFS’s Cybersecurity Regulation”) first took effect on March 1, 2017.

Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. In an effort to combat such exploitation, this regulation requires each covered company to assess its specific risk profile and design a cybersecurity program that addresses those risks in a vigorous way. Senior management is expected to take this issue seriously: a regulated entity must designate someone responsible for the organization’s cybersecurity program (a Chief Information Security Officer) and must file an annual certification confirming compliance with the regulation. The cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

On July 22, 2020, the New York Department of Financial Services announced cybersecurity charges against First American Title Insurance Company for exposing millions of documents with consumers’ nonpublic personal information over the course of several years, including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images.

This marks the first cybersecurity enforcement action filed by the Department. The hearing will take place at the office of the New York State Department of Financial Services beginning on October 26, 2020.

What is The California Privacy Rights Act of 2020—“CCPA 2.0?”

If you’re thinking, “Wait! Didn’t the California Consumer Privacy Act (“CCPA”) just go into effect?” You’re right. The CCPA took effect on January 1 of this year, and enforcement began on July 1. Already, a privacy advocacy group, Californians for Consumer Privacy, has collected 900,000 signatures to place the California Privacy Rights Act (“CPRA”) on the November 2020 ballot. According to several news sources, current polling suggests that the measure will pass.

The CPRA seeks to, among other things, establish the California Privacy Protection Agency (“CPPA”), a new privacy enforcement authority similar to the data protection authorities that the General Data Protection Regulation (“GDPR”) requires in each European Union member state. This Agency will be empowered to fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines.

In addition, the law would establish a new category of sensitive personal information, including Social Security numbers, precise geolocation data, biometric or health information, and more. It would also give consumers greater power to restrict the use of such data. The law would also add email addresses and passwords to the list of items covered by the “negligent data breach” section to help curb identity theft.

The Connecticut Insurance Data Security Law goes into effect on October 1, 2020.

The Act establishes standards applicable to licensees of the Connecticut Insurance Department for data security, the investigation of a cybersecurity event, and notification to the Department of such event. In preparation for this law to take effect, Connecticut’s Insurance Department issued a Bulletin on July 20, 2020 to all licensees of the Department.

Licensed insurance companies, and any other companies otherwise authorized to operate pursuant to the insurance laws of Connecticut, should be aware of and follow the guidelines laid out in the Bulletin.

The attorneys at Flaster Greenberg are following developments related to the COVID-19 Pandemic and have formed a response team to work with businesses to keep them up-to-date on developments that impact their business. If you have any questions on the information contained in this blog post, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.


To serve as a central repository of information and contributions from Flaster Greenberg attorneys on legal developments during the COVID-19 crisis, we have launched a COVID-19 Resource page on our website. Feel free to check back frequently for Flaster Greenberg’s ongoing analyses of important legal updates that may affect you or your business.

Cybersecurity & Data Privacy Updates

There is a lot going on in the world right now—and the world of data privacy is no exception.

Here is a snapshot of what’s on our radar:

Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act of 2020 on Tuesday, August 4, 2020.

This legislation would, among other things, prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints, and fingerprints—without consumers’ and employees’ consent, or profiting from this data. This introduction comes amid growing concerns over the prevalence of biometric data collection among private companies, including the use of facial recognition technology.

This legislation limits the ability of companies to collect, buy, sell, lease, trade, or retain individuals’ biometric information without specific written consent, and requires private companies to disclose to any inquiring individual the information the company has collected about that individual. Importantly, this bill would allow individuals and State Attorneys General to bring lawsuits against companies that fail to comply.

Several United States Senators have urged Congress to include the privacy protections contained in the Public Health Emergency Privacy Act in any new stimulus package.

On July 28, 2020, several U.S. Senators sent a letter addressed to Senate leaders urging them to include the privacy protections contained in the Public Health Emergency Privacy Act in any forthcoming stimulus package.

The senators emphasized the need for commonsense privacy protections for COVID data because “public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts.” Research shows that many Americans are hesitant to adopt COVID screening and tracing apps due to privacy concerns; therefore, the lack of health privacy protections could significantly undermine efforts to contain this virus and safely reopen—“particularly with many screening tools requiring a critical mass in order to provide meaningful benefits.”

As the drafters point out, “health data is among the most sensitive data imaginable and even before this health emergency, there has been increasing bipartisan concern with gaps in our nation’s privacy laws.” The drafters believe these common-sense protections are critical in quelling the spread of COVID-19 while at the same time protecting sensitive health and geolocation information.

We will continue to track this legislation and provide updates as they become available.

Schrems II invalidated the EU-US Privacy Shield.

On July 16, 2020, the Court of Justice of the European Union issued its decision in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18). The decision, known as Schrems II, invalidated the European Commission’s adequacy decision for the European Union-United States (EU-US) Privacy Shield framework, which was critical for more than 5,000 United States based companies that conduct trans-Atlantic trade in compliance with EU data protection rules.

The Court found the European Commission’s adequacy determination for the Privacy Shield invalid for two primary reasons: (i) the US surveillance programs, which the commission addressed in its previously-issued Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law; and (ii) with regard to US surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the US, as required by the EU Charter.

The Schrems II decision requires both data importers and data exporters to be reasonably certain that they can comply with their obligations in the Standard Contractual Clauses. Where they cannot comply, importers and exporters should likely stop transferring data, forcing some companies into data localization. Schrems II addresses a long-running series of issues regarding the appropriate role of surveillance in our society and its inevitable clash with privacy.

This decision also influences data flows across nations. Some data privacy professionals believe that we are moving away from global data flows and moving towards more fragmented data flows. This shift could have a particularly significant impact on e-commerce. For more, see the Court of Justice of the European Union’s Press Release on this decision.


