Doctor Sally Sanchez specializes in surgeries that are not medically necessary, such as facelifts. Since most of the procedures Doctor Sanchez performs would not be covered under health insurance, she only accepts credit cards for payment and does not bill insurance. Will Lee, a potential patient, looks online for a doctor to perform a facelift and finds Doctor Sanchez’s website. When Will visits Doctor Sanchez’s office, Will does not receive a privacy notice with his initial paperwork. Will asks Doctor Sanchez for a copy of the privacy notice and is told that the office does not maintain a privacy notice. Is it likely that Doctor Sanchez has violated HIPAA?
Most state data breach notification laws require affected companies to notify national CRAs of a qualifying incident “without unreasonable delay.” Which state requires companies to report to these CRAs within 48 hours – making this state reporting requirement the shortest of any state?
New Jersey’s new state comprehensive privacy law lacks a private right of action that would allow individuals to sue for violations of their consumer rights under the law. Which of the state comprehensive privacy laws studied in this class adopts a similar approach on this topic?
Garrett Gamer, an experienced poker player, signs up to play in a national poker tournament at Wild Cougar Casino in Las Vegas, Nevada. After arriving at the casino, Garrett decides to participate in 3 smaller tournaments in addition to the national poker tournament. To cover the entry fees, Garrett pays the casino $20,000 in cash. Does this cash payment trigger a reporting requirement?
Virtual Armor, a company founded to assist businesses with addressing cybersecurity concerns, found itself the victim of a significant data breach. Fearing the loss of its customers’ trust, Virtual Armor’s top management chose to hide the evidence of the data breach. Approximately one year after the breach, the FTC informed Virtual Armor that the company and its top management were under investigation concerning the data breach. The results of the FTC investigation included both civil and criminal allegations against Virtual Armor and its top management. Which federal agency or agencies are able to handle these civil and criminal allegations in court?
Sean Senzeni is a 2023 graduate of Georgia Tech who recently started a job at Tiger Security in Austin, Texas. Sean received an employee manual on the first day of work at the cybersecurity support center, which is unionized. Being a detail-oriented Georgia Tech graduate, Sean reads the entire manual. The manual is explicit that the company will monitor all emails in a person’s official work account. Sean learns from the manual that the company promises not to read any emails accessed at work that originate in an account other than the official work account. Based on these statements in the manual, Sean regularly checks his personal email accounts at work. After a month with Tiger Security, Sean realizes that the company is failing to pay its workers overtime as required by federal law. After this discovery, the topics of Sean’s personal emails change from general updates to complaints about working conditions at Tiger Security. After two months of working for Tiger Security, Sean is fired. Sean believes that his personal emails led to his termination. If Sean is correct, does Sean have a strong case that he should not have been fired?
In 2023, the detailed information of customers of BetterOnExams, a test prep company, was hacked by high school students hoping to do better on standardized tests. The hacked information included customers’ addresses, ages, grade point averages in high school, colleges of interest, and preferred learning methods. BetterOnExams has customers across the United States. When notifying customers about the breach, the company is likely to include a description of the nature of the breach, in all states except:
Baked Goodies is a company established in 1975 that sells breads, croissants, and muffins. Until 2020, Baked Goodies accepted only cash as payment. In 2020, Baked Goodies decided to take online orders and allow customers to pay with credit cards. Along with this decision to take credit cards, Baked Goodies joined the self-regulatory system known as PCI DSS. In the company’s new website, Baked Goodies informed its customers that the company adhered to the security standard required by PCI DSS. By the beginning of 2024, Baked Goodies had failed to develop a plan to address the security of the financial information that the company collected on its customers. What potential sanctions is Baked Goodies facing?
Katharina Pichler, a resident of San Diego, California, purchased a plane ticket from Zest Airlines. The flight was scheduled to leave from San Diego and arrive in New York City on December 31, 2024. Katharina later decided to change the flight to the next day – January 1, 2025. When Katharina contacted Zest Airlines to make the adjustment to her reservation, she learned for the first time that Zest Airlines used a company named YourFlight to do the real-time seat assignments for their customers, including Katharina’s seat assignment on both the December 31 and January 1 flights. Believing that the California legal framework considers the sale of personal information to include “any disclosure” of personal information to another company, Katharina contacted the California Attorney General’s Office with her complaint. What defense is Zest Airlines likely to assert?
Two Georgia Tech students are in the development stages for Steps of Knowledge – a U.S.-based company that uses artificial intelligence to analyze the walking gaits of individuals to determine the identity of these individuals. The videos used for this analysis are acquired from video cameras on urban streets. Although the company has yet to earn any annual gross revenues, Steps of Knowledge expects its primary clients will be major sporting events, such as Major League Baseball games, where the company will be contracted to identify known terrorists attempting to enter the venues. Each of these stadiums will have a seating capacity of at least 25,000 people. Due to legal concerns related to newly enacted state comprehensive privacy laws, Steps of Knowledge decides not to roll out the company in these states initially. Steps of Knowledge’s two founders have expressed concern over the possibility of a nation-state attack, where a foreign government would be seeking to steal the company’s patented technology. The company’s Chief Privacy Officer is concerned about whether the company will need to comply with state data breach notification laws if a nation-state attack occurs. In determining whether Steps of Knowledge’s data is subject to most state data breach notification laws, which potentially conflicting issues will the Chief Privacy Officer likely need to examine?