Showing 2 posts from February 2021.
Putting M.D. Anderson in Context: Unpacking the 5th Circuit Dismissal of HIPAA Penalties
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”). Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlements to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and also insurers writing cybersecurity policies.
Eleventh Circuit Joins Courts That Have Declined to Find Standing Based on Alleged Substantial Risk of Identity Theft Resulting From a Data Breach
In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal courts’ struggle with the standing requirements in a data breach case, and possibly raises the likelihood that the U.S. Supreme Court will address the issue.