Tennesse State CapitolThe State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment1 marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor from its data breach notification statute. However, this is not the case; Tennessee has not removed its primary encryption safe harbor. Even under the amended Tennessee law, data encryption remains an important method for securing data, and one that may reduce notice obligations if a breach occurs.

S.B. 2005 makes three changes to the breach notification statute that may impact whether Tennessee’s notification law applies to a particular data breach situation, and when organizations must send notices to affected individuals.
Continue Reading Tennessee Updates Data Breach Notification Law

ThinkstockPhotos-516780641-webThe Consumer Financial Protection Bureau (CFPB) recently brought its first data security enforcement action, adding itself to the growing list of federal regulators tackling data security issues. The CFPB’s enforcement action was against Dwolla Inc., a Des Moines, Iowa-based online payment platform. The CFPB alleged that Dwolla misrepresented its data security practices, and as a result, Dwolla agreed to pay a $100,000 penalty and to implement significant data security measures.1 While this is only its first data security-related action, the CFPB appears to be taking very seriously its role in securing consumers’ financial information. The requirements the agency placed on Dwolla’s board of directors make this clear, as the board will be held accountable for any security shortcoming by the company. This goes beyond the typical requirements imposed by the Federal Trade Commission (FTC), the regulator with the most extensive data security experience, in its data security enforcement actions. As such, companies, especially financial technology start-ups, should take note of the data security requirements placed on Dwolla by the CFPB, and ensure that any statements made regarding the security of consumers’ information are accurate.
Continue Reading CFPB Brings First Data Security Enforcement Action

The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them.1 Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent and requires thoughtful analysis. The HHS guidance lists some of the factors to consider when assessing whether HIPAA applies to an app developer and analyzes several scenarios where apps handle health-related information.
Continue Reading HHS Issues HIPAA Guidance for Mobile Health Apps

On April 13, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued its opinion on the new EU-U.S. Privacy Shield. The WP29 acknowledged that progress has been made with the


Continue Reading WSGR Alert: Article 29 Working Party Calls for Improvements to the EU-U.S. Privacy Shield