May 10, 2018

Katharine Goodloe writes:

As policymakers weigh the many policy implications associated with the Internet of Things (“IoT”), U.S. lawmakers have put forward a variety of proposals for studying—and regulating—IoT devices. Although the likelihood of current proposals becoming law this term remains uncertain at best, existing legislative proposals provide important context and insight into the ways that lawmakers view IoT and the government’s role in fostering and regulating the technology.

Below, we summarize five draft bills in the U.S. that approach IoT from different perspectives—including seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.

Read more on Covington & Burling Inside Privacy.

Apr 10, 2018

There is yet another really informative post by Jeff Drummond of Jackson Walker. This one is about a covered entity’s (CE’s) responsibility to actively monitor a business associate’s (BA’s) compliance. Jeff writes, in part:

Lexology today led me to this article by Adam Green’s crew at Davis Wright Tremaine. It turns out, there is specific language in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, “In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates. . . .”

Read more on HIPAA Blog.

Mar 27, 2018

Mike Litt writes:

A bipartisan group of 32 state Attorneys General, led by Illinois AG Lisa Madigan, sent a joint letter last week to the House Financial Services Committee leadership against the draft (link includes opposition testimony of Massachusetts Attorney General’s Office) “Data Acquisition and Technology Accountability and Security Act” that PIRG has also been opposing. The bill incorporates numerous aspects of previous Trojan Horse privacy laws pushed in Congress.

What has brought together 20 Democrats and 12 Republican state consumer cops against this bipartisan proposal, co-sponsored by Congressman Blaine Luetkemeyer (R-MO) and Congresswoman Carolyn Maloney (D-NY)?

As the letter points out, the proposal “…appears to place Equifax and other reporting agencies and financial institutions out of states’ enforcement reach. This bill totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.”

Read more on U.S. PIRG.

Mar 09, 2018

David Lazarus has some unflattering words for a bill introduced in Congress by Representatives Blaine Luetkemeyer and Carolyn Maloney. Indeed, the Data Acquisition and Technology Accountability and Security Act might be more aptly named the “Businesses Get Out of Jail Free Pass and Screw The Consumers Act of 2018.”

Well, ok, I grant you that that title is a bit long. Anyway, Lazarus writes:

This week, a congressional hearing was held on a draft bill aimed at creating a national standard for breach notifications. It’s a dubious piece of legislation for a number of reasons, not least that it would exclude Equifax and other credit agencies from its requirements.

No less troubling, it would exempt all banks and financial institutions, and would require notification by retailers and other businesses only if they believe there’s “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss” to consumers.

No harm, apparently, no foul. And hence no notification that the company’s system had been hacked.

Read more on the Los Angeles Times.

Mar 02, 2018

Chase Gunter reports:

Rep. Ted Lieu (D-Calif.) is looking to toughen standards on private sector data breaches. His new bill was released the same day that Equifax announced that an additional 2.4 million Americans had their information stolen from the company, on top of the 145 million it had previously disclosed.

Lieu wants to expand the authority of the Federal Trade Commission in order to protect consumers and take action against companies who lose consumer data in security breaches.

Read more on FCW.

Related: Text of Protecting Consumer Information Act of 2018.