The Matrix

Showing 6 posts from 2021.

(Don’t) Send in the Drones

Posted by

The Michigan Court of Appeals issued a recent opinion in Long Lake Township v. Maxon, considering the question of whether a private landowner had a reasonable expectation of privacy that would preclude the government from flying a drone over their property.  The Court concluded that there was an expectation of privacy, and distinguished expectations of privacy from drones from those expected of plane or helicopter surveillance.  (A dissent argues that U.S. Supreme Court precedent on the Fourth Amendment mandated the opposite result.) More

Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program

Posted by

With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach.  The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.   More

Requirements for Businesses under Virginia’s New Consumer Data Protection Act

Posted by

With Governor Ralph Northam’s signature yesterday, the Consumer Data Protection Act (“CDPA”) became law, making Virginia the second state after California to enact a comprehensive privacy law (with apologies to Nevada, which also has passed more modest privacy legislation). Although similar in many respects to the California Consumer Privacy Act (“CCPA”), which was recently updated by the Consumer Privacy Rights Act (“CPRA”), the law contains terminology more consistent with the European Union’s General Data Protection Regulation (“GDPR”).  More

Putting M.D. Anderson in Context: Unpacking the 5th Circuit Dismissal of HIPAA Penalties

Posted by

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”).  Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlement to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and also insurers writing cybersecurity policies. More

Eleventh Circuit Joins Courts That Have Declined to Find Standing Based on Alleged Substantial Risk of Identity Theft Resulting From a Data Breach

Posted by

In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal court’s struggle with the standing requirements in a data breach case, and possibly raises the likelihood that the U.S. Supreme Court will address the issue. More

U.S. Department of Commerce Proposed Restrictions to Secure the IT Supply Chain

Posted by

Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China.  These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei.  This article discusses certain new restrictions with significant data, privacy and cybersecurity implications. More

Jump to Page