As a Legal and Privacy Associate at RADAR, staying ahead of the constantly changing privacy law landscape is part and parcel with my job. These days, when it comes to privacy law, change is the only constant. I find updates from regulators, regulatory enforcement actions, and individuals exercising their private right of action of particular interest. These updates and actions serve as reminders to privacy professionals of the very real consequences that can come out of an organization’s culture of compliance. It’s up to your team to decide if those consequences will be dire due to an insufficient privacy program, or positive due to best-in-class privacy practices.
Below are a few of the news stories I’ve been discussing with the team this week:
The UK's Information Commissioner's Office (ICO) and Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MOU) to increase their cooperation efforts. Attorneys are currently speculating that this may mean that financial institutions will have to notify both regulatory agencies in the event of a data breach, not just the ICO.
The Supreme Court declined to hear the Zappos customer data breach case this week. This leaves in place the lower court's ruling that a group of consumers affected by the 2012 data breach have standing to sue the company.
Following a similar note from the story above, a patient at UConn Health is suing the hospital over a data breach it announced in February. In addition to inadequately securing the PII and PHI, the patient accuses the hospital of failing to “provide timely, accurate and adequate notice” of the data breach involving personal information.
Finally, UCLA Health is to pay $7.5 million to settle a data breach class-action against them. Even though HHS Office for Civil Rights determined UCLA Health followed appropriate protocols, patients disagreed and sued arguing that "UCLA Health failed to notify them about the data breach in a timely manner, there had been a breach of contract, and that failing to protect patients' privacy was negligence."
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at firstname.lastname@example.org