The New York Attorney General's investigation has revealed significant data protection failures at Albany ENT. It was found that over 80,000 driver's license numbers were exposed without proper reporting. The investigation also highlighted ongoing data storage issues and insufficient oversight of third-party IT vendors. As a result, Albany ENT has agreed to implement enhanced security measures, including encryption and multi-factor authentication, and to provide one year of free credit monitoring to those affected. The settlement includes a $1 million penalty, of which $500,000 is suspended, contingent on successful implementation of the new security protocols.
Various countries are strengthening their data protection regulations. China has introduced guidelines that define sensitive personal information under Chinese law, including biometric data, health records, financial account details, and personal information of minors. The aim is to prevent the illegal use or disclosure of such information and protect human dignity and personal safety.
The European Union has enacted the NIS2 Directive, which replaces the previous NIS Directive and aims to establish a high common level of cybersecurity across member states. Essential and important entities are required to adopt comprehensive cybersecurity measures, including incident handling, business continuity planning, and secure authentication practices. They must also promptly notify national computer security incident response teams of significant incidents.
The European Data Protection Board (EDPB) has adopted Opinion 22/2024, clarifying the responsibilities of data controllers who rely on processors and sub-processors. The EDPB has also released Guidelines on the processing of personal data based on legitimate interest, which are open for public consultation until November 20, 2024. These guidelines aim to provide clarity on lawful data processing under the General Data Protection Regulation (GDPR).
In the UK, the Information Commissioner’s Office (ICO) has launched an audit framework to help organizations assess their compliance with data protection laws. The framework includes toolkits covering various aspects of privacy management, such as accountability, records management, and personal data breach management.
The Consumer Financial Protection Bureau (CFPB) has finalized a rule granting customers of financial institutions the right to data portability. This rule, effective in 2026, allows individuals to transfer their financial data between institutions. However, industry groups have raised concerns about potential hindrances to the development of safer data-sharing mechanisms.
The Department of Justice has proposed a rule to limit the transfer of sensitive data to countries of concern, including China, Russia, and North Korea. This proposal aims to mitigate risks associated with giving these countries access to U.S. government-related data. The DOJ is currently accepting comments on the proposal.
In recent data privacy litigation, the U.S. Court of Appeals for the Second Circuit has vacated the dismissal of a class action lawsuit against the NBA under the Video Privacy Protection Act (VPPA). The case alleges that the NBA unlawfully disclosed personally identifiable information and online viewing habits without consumer consent. This ruling highlights the evolving landscape of data privacy laws and the increased scrutiny on organizations handling personal data.
Thomson Reuters Corporation has received preliminary approval for a $27.5 million settlement in a class action lawsuit related to data brokerage practices. This settlement underscores the growing trend of legal actions against companies for mishandling personal data and the importance of compliance with data protection regulations.
As the landscape of data protection continues to evolve, organizations must remain vigilant in their compliance efforts. The interplay between regulatory developments, legal challenges, and consumer expectations will shape the future of data privacy and security.