Tag:

data security

Bringing FERPA Up to Grade

The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 to protect the privacy of student education records. While FERPA provides essential privacy safeguards, it also includes provisions that allow certain student information to be shared with third parties, particularly under the guise of “directory information.” With the increasing concerns surrounding personal data in the digital age, many argue that FERPA’s exceptions undermine its original intent. In an era where other U.S. privacy laws are tightening restrictions on the sharing of personal information, FERPA’s provisions are lagging, leaving students vulnerable to privacy breaches that would be impermissible in other contexts.

Generative AI- The Next Frontier in Fighting Financial Crime

Artificial intelligence (AI) is the latest tool in a financial institution’s arsenal to restrict the flow of money being channeled to fund illegal activities worldwide. As criminals get more innovative and sophisticated in using the latest technology to evade detection of their financial crimes, financial institutions must follow suit and utilize similar technology to root out these crimes or risk facing regulatory sanctions. Money laundering generally refers to financial transactions in which criminals, including terrorist organizations, attempt to disguise the proceeds of their illicit activities by making the funds appear to have come from a legitimate source. However, this is not a new phenomenon. Congress passed the Bank Secrecy Act (BSA) in 1970 to ensure financial institutions follow a set of guidelines known as KYC (Know Your Customer/Client) to detect and prevent money laundering through their systems.

Reproductive Health Data Privacy – A Right To Life

Following the Supreme Court decision to overturning Roe v. Wade on June 24, 2022, the Dobbs v. Jackson Women’s Health Organization ruling that gutted the long-established right to an abortion has been a constant focus, both inside and outside of the legal and healthcare communities. Notably, the ruling has remained a central focus within both the government, federal and state, and surrounding the tech sector. And these Dobbs-related conversations have a theme – the topic of health data privacy. But more specifically, discussions about data privacy surrounding reproductive healthcare.

Digital Footprints in the Post-Roe Era

On June 24, the Supreme Court officially overturned Roe v. Wade. In doing so, it declared that there was no longer a constitutional right to abortion, allowing state police power to determine its legality. Immediately after this decision, trigger laws went into effect across a quarter of the states, making abortions illegal. Post Dobbs, information collected on personal devices, especially through period-tracking and telemedicine apps, is at risk of being exposed and utilized as criminal evidence.

Working From Home and Its Data Security Implications

Remote work was something once looked at as a gift, a day to work at home in your sweatpants on your couch. But now, some are stuck working from home until further notice or maybe even until they retire. This new method of work has made it much harder for businesses to keep the information of their workers and customers safe despite additional avenues of technology being used to work from home. An average employee may never think about the challenges associated with data security, but it is important to shed some light on this subject so that more people understand its importance. It is also important to understand why the lack of data security laws in the US could be so detrimental to any company doing work here. Company and consumer information is more vulnerable than ever with people working from home all over the country and without comprehensive data security regulations in the US, there is no end in sight.

Should The US Implement More Federal Data Privacy Laws

While the United States does have some federal data privacy regulations in place, the most comprehensive regulations exist at the state level with a degree of variation of protection from state to state. Recently, more conversations are being had about whether the United States should implement more federal data privacy laws. Proponents say they would likely use something equivalent to the European Union’s General Data Protection Regulation (GDPR), which focuses on regulating consumer data privacy and protecting consumers from data breaches. This is especially significant because states are taking matters into their own hands by passing state data privacy regulations that all vary slightly, which could become confusing for companies trying to be compliant with more than one.

Security Awareness — Not Just an IT and Compliance Responsibility

Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education.  

A Practical Approach to Post-Schrems II Remediation of Cross-Border Data Transfers to the U.S. and Other “High Risk” Third Countries

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its deafening decision that summarily and immediately invalidated the EU-US Privacy Shield. The regulatory program established between the European Council and the U.S. Dept. of Commerce allowed for the transfer of personal data of EU residents to be sent from the EU to the US without violating the data transfer restrictions of the General Data Protection Regulation (“GDPR”). The decision went on to cast serious doubt on the sufficiency of standard contractual clauses to adequately protect data transferred to any third country, not just the US. Several months later, data exporters in the EU are still sorting through the wreckage of their privacy programs and waiting for practical advice on the way forward.

Relax, After GDPR’s Schrems II, Some Companies Transferring Personal Data from the EU to the US May Actually Have Less Challenges Than You Thought

On December 12, 2020, the European Commission (the “EC”) issued a highly anticipated draft of newly revised standard contractual clauses (“new SCCs”) that may be used by European Union-based companies to safeguard data transfers of personal data to third countries, such as the US, in compliance with GDPR Art. 46(1). The release comes at a decidedly inopportune time as it follows on the heels of the Court of Justice of the European Union’s (CJEU) Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) decision which casts serious doubt on the adequacy of SCCs alone to safeguard against the “high-risks” involved in EU to US data transfers. And for many data protection experts, the language of the revised SCCs only adds to the confusion, raising even more questions. But one question in particular seems to be prominent among others—for transfers to importers, directly subject to GDPR, are SCCs really necessary?

President Biden’s COVID-19 Data-Driven Executive Order to Promote Health Equity

President Joe Biden has issued a number of Executive Orders, many of which address the ongoing COVID-19 public health emergency. On January 21, 2021, President Biden released another pillar of his Administration’s long-term plan to direct the United States out of the throes of the pandemic. The twelfth Executive Order titled, “Ensuring a Data-Driven Response to COVID-19 and Future High-Consequence Public Health Threats” orders the Department of Health and Human Services (“HHS”) Secretary Alex Azar to conduct a nationwide review of the interoperability of public health data systems in an effort to enhance the collection, sharing, analysis, and collaboration of de-identified patient data.