December 2016

This year has been a busy year for education law in the area of data privacy. Educational institutions continue to be a rich target for hackers. Additionally, there were some important developments in the interpretation of the Family Educational Rights and Privacy Act (FERPA) and the Telephone Consumer Protection Act (TCPA) as they apply to educational institutions.

  • In December, DeVry University settled with the FTC for $100 million over allegations that it misled prospective students with ads that promised higher employment success and income upon graduation.
  • Also in December, UMass Amherst settled with the Office for Civil Rights (OCR) for $650,000 for HIPAA violations related to a malware infection that led to the release of names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses, and procedure codes.
  • In November, a hacker gained access to 1,213 records of applicants to the University of Wisconsin Law School.
  • On September 14, 2016, the Department of Education (DOE) issued a “Dear Colleague Letter” providing guidance on the application of FERPA to the disclosure of student medical records in the context of litigation.


The National Governors Association released a road map report on December 9 entitled, Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers. The report aims at reducing the legal barriers that prevent the effective and efficient flow of

The New York Department of Financial Services announced last week that it will revise and delay the effective date of its proposed cybersecurity regulation. The announcement came two days after New York bankers brought up a number of criticisms of the proposed rules at a hearing before the state’s Standing Committee on Banks.

At the hearing, bankers lamented that the proposed regulation will prove too burdensome to implement, particularly for small community banks.

On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates and patches” that do not require advance notification or reporting. However, actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health must be reported to the Agency. The guidance:

  • Clarified the changes to devices that are considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health); and
  • Outlined circumstances where FDA does not intend to enforce reporting requirements under Part 806 for specific vulnerabilities with uncontrolled risk.


The New York Department of Financial Services (NYDFS) will delay the effective date of its proposed cybersecurity regulation until March 1, 2017. A new draft of the proposed regulation will be published on December 28, 2016, with an anticipated 30-day comment period. The original proposed regulation met with significant resistance, including reportedly more than

2016 has been a banner year for ransomware cybercriminals. We have seen a dramatic rise in the use of ransomware, and businesses continue to fall victim to ransomware, primarily through phishing and spear phishing schemes.

The cybercriminals are getting so brazen that when they attack a business with ransomware, they actually provide instructions on how

The Federal Trade Commission announced this week that it has settled with DeVry (DeVry) for $100 million over allegations that it misled prospective students with ads that promised higher employment success and income upon graduation.

We previously reported on the allegations levied by the Federal Trade Commission (FTC) against DeVry [view related post].

The

Continuing the trend of filing a shareholder derivative suit following a data breach, a Wendy’s shareholder recently filed a derivative suit against Wendy’s executives and board members alleging they did not adequately protect data from a breach.

According to the suit, the executives and board members breached their fiduciary obligations to the shareholders by making

Turn, Inc. (Turn), a California-based company that enables sellers to target digital advertisements to consumers via a website or mobile app, settled allegations by the Federal Trade Commission (FTC) that it deceived consumers by tracking them online and through their mobile app even after consumers opted out of such tracking. Director of the FTC’s