DoD Issues Year-End DFARS Changes; Russians Now Have the “Right to Be Forgotten”; No Injury in Michael’s Data Breach Suit; FAA Issues Interim Final UAS Rule; New Penalties for Distributing Unique Medical Identifiers

Holiday Gift from Defense Department: More Time to Comply with DFARS Safeguarding Rule

Last Wednesday, the Department of Defense issued an interim rule making several changes to the Defense Federal Acquisition Regulation Supplement (DFARS), including extending the deadline for government contractors to comply with data protection requirements in DFARS 252.204-7012.  Even though the Department extended the compliance window, contractors still face an obligation to inform DoD if their security programs do not yet fully comply with the regulation.  For more information, or to seek assistance in meeting these changes, affected contractors can refer to the Crowell & Moring Alert on this topic, or contact the attorneys listed therein.

Search Engines in Russia Now Subject to “Right to Be Forgotten” Requests

On January 1, a Russian law went into effect requiring search engines operating in Russia to delist websites containing “false” or “obsolete” personal information upon that person’s request.  Search engines need not remove certain information, such as criminal convictions or the salaries of public employees.  Russia’s protections mimic those of the European Union, where the European Court of Justice upheld this right in 2014.  Web companies operating in Russia and offering information aggregation services—companies that could be fined up to one million rubles ($13,000) per occurrence for their non-compliance with this measure—should take note of this development.

Court Finds Plaintiffs in Suit Against Michael’s Craft Stores Lacked Injury

This week, Judge Joanna Seybert in the Eastern District of New York dismissed a suit against Michael’s Stores filed after a data breach impacted credit information for more than 2.6 million customers.  Relying on the oft-cited Clapper standard for Article III standing, Judge Seybert held the plaintiff had not pled the requisite injury to sustain the claim, failing to meet the Supreme Court’s requirement that her injuries were “certainly impending” or “based on a substantial risk that harm will occur.”  Notably, the court pointed out that the plaintiff’s credit card company has a “zero-fraud-liability” policy – mooting any potential injuries.  And, unlike the plaintiffs in other cases in which standing has been upheld, the plaintiff had failed to allege any out-of-pocket losses stemming from the breach.

FAA Issues Interim Final Rule on Drone Registration

Effective just before Christmas 2015, the FAA issued registration requirements for small unmanned aerial systems (sUAS) devices weighing between 0.55 and 55 pounds.  UAS operators for devices weighing more than 55 pounds cannot use this streamlined registration process, but must instead complete the FAA’s Aircraft Registry process.  This move, of interest to firms contemplating the use of UAS for commercial operations, firms manufacturing UAS, and recreational UAS users alike, follows a holiday season during which the FAA projected one million UAS would be sold in the United States.  Those who do not register could face both civil and criminal penalties.

President Signs Law Increasing Penalties for Distribution of Unique Health Identifiers

On Monday, December 28, President Obama signed Senate Bill 2425, the so-called “Patient Access and Medicare Protection Act.”  Among its provisions, the bill increased the penalties (to $500,000 for an individual offender or $1 million for a corporate offender) for knowingly distributing unique health identifying information.  Of note, this new law for the first time added criminal sanctions (up to 10 years in prison) for individuals convicted of purchasing, selling, or distributing this type of confidential personal information.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Related Posts
AI-Powered Chatbots:  Mythical Super Creature or Legal Trojan Horse
June 6, 2023
SEC Encourages Internal Accounting Controls to Guard Against Cyber Fraud
November 8, 2018
FERC Proposes to Require Expanded Cyber Security Incident Reporting
January 17, 2018