OCCFDIC Final Rule for Banking Organizations Notification RequirementsOCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

OCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

On November 18, 2021, the three primary banking regulatory agencies — the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) – jointly approved a final rule with two distinct notification requirements:

  • The rule requires “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred.
  • The rule also requires “bank service providers” to notify any affected banking organization customer of “computer-security incidents” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

The rule goes into effect in April 2022, and requires compliance by May 1, 2022.


Who is subject to the rule?

As explained above, the rule imposed distinct requirements “banking organizations” and “bank service providers.”

Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:

  • For the OCC: “national banks, federal savings associations, and federal branches and agencies of foreign banks.”
  • For the Board: “all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.”
  • For the FDIC: “all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations”

The rule expressly excludes designated financial market utilities (“FMUs”) from its definition of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMUs are subject to any notification requirements imposed by those agencies. See e.g., SEC Reg. SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).

When making the rule, the agencies also considered a rule being on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.”  To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.

A “Bank Service Provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BCCA”). The definition is vague, but the Agencies’ rulemaking explains that the purpose of the definition was to encompass any company that provides services to a banking organization that could be involved in a service disruption.


When is notification required?

The respective notification requirements applicable to Banking Organizations and Bank Service Providers are based on the occurrence of a “Computer Security Incident.” For consistency, the Agencies adopted the same definition of “Computer Security Incident” as provided by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.


Banking Organizations

Bank Organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s) (any product or service that serves or supports business needs), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The definition of “notification incident” is broad enough to encompass any computer-security incident that impacts the banking organization’s general operations. As a practical matter, a banking organization will want to provide notification for any computer security incident that is likely to materially disrupt its operations or services to ensure compliance.

The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”


Bank Service Providers

Bank Service Providers’ notification requirement is triggered by the occurrence of the computer-security incident that has or is reasonably likely to “materially disrupt or degrade” the services it provides the bank for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.

The bank service providers must provide notification to the designated point of contact at each banking organization at which any customer will be impacted by the bank services provider’s degradation or disruption of service. The bank service providers must provide notification “as soon as possible.”



The joint new rule from OCC, Board, and FDIC is consistent with a recent trend of varying state and federal regulatory bodies imposing independent notification obligations related to a data incident.

The imposition of new notification requirements may lead to the imposition of inconsistent notification requirements (e.g., the Agencies’ rule conflicts with the state incident notification laws). The rule could place the banking organizations between a rock and a hard place. For example, the banking organization could determine that notification is required under the new rule but may need additional time to determine if notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.

The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.

Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304

Copy of the final rule: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf

Florida Changes its Telemarketing LawsFlorida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

Florida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

Recently, the State of Florida amended its laws governing telemarketing that have a strong impact on telemarketing and text message marketing targeting Florida residents (and to Florida area codes). These include the amended Florida Do-Not-Call Act (Fla. Stat. Ann. § 501.059) and the Florida Telemarketing Act a/k/a Florida’s “Mini-TCPA” (Fla. Stat. Ann. 502.601, et seq.) (collectively “Florida Laws”).

Impacts of the Florida Laws

The Florida Laws provide a right of action similar to those under the Telephone Consumer Protection Act (“TCPA”). (See Beckage’s article for more information about the TCPA and considerations for text marketing).  Importantly, the Florida Laws create stricter restrictions on telephone solicitations (i.e., sales calls) and commercial telephone calls than those under the TCPA, TCPA regulations, and recent caselaw.

More Complex Restrictions to Navigate

The Florida Laws include requirements that deviate from or are more restrictive than those under the TCPA, TCPA regulations, and recent caselaw (in particular, the U.S. Supreme Court’s recent narrow interpretation of “automatic telephone dialing system” or ATDS). (See Beckage’s article on the SCOTUS decision here).

The Florida Laws are a hot topic and growing concern for businesses, including the contact center industry. On behalf of this industry, the Enterprise Communications Advocacy Coalition (ECAC) recently filed a petition asking the Federal Communications Commission (FCC) to interpret and preempt certain provisions of the Florida laws that “create a more restrictive environment” than the TCPA and TCPA Regulations and “frustrate the federal objective of creating uniform national rules and therefore must be preempted.” See

The most prominent aspects of the Florida Laws that have the potential to impose more restrictive requirements include:

1. Requirements Extend to Florida Residents & Florida Area Codes

The Florida Laws create a rebuttable presumption that telephonic sales calls made to any area code in Florida are made to residents or persons within the state at the time of the call.


2. Call Time Restrictions Changed

The times restrictions under the Florida Laws narrow the permissible call time window period by one hour (from 9 p.m. to 8 p.m.). This one-hour reduction arguably places an increase costs burden, in particular – on telemarketers.


3. New Three Call Frequency Limit

The Florida Laws include a call frequency limit of three “commercial solicitation phone calls” in a 24-hour period on the same subject matter/issue from any number. Imposing this limit when the TCPA does not include a similar limitation could impact telemarketers conducting nationwide calling campaigns.


4. Caller ID Restrictions Changed

The Florida Laws ban the use of technology that “deliberately displays” different caller ID number to conceal the true identity of the caller. This arguably conflicts with the FCC’s TCPA regulations that permit the use of such technology subject to conditions.


5. Automated Equipment/System Undefined & Broader Than ATDS

Under the Florida Laws the term automated system/equipment is not defined and arguably broader than the recent narrow interpretation of ATDS under the TCPA. This could open the door wider for litigation in Florida.


Private Right of Action & Potential Lawsuits   

The amended Florida Do-Not-Call Act creates a private right of action for a called party to sue and recover actual damages, or $500 per violation (whichever is greater) plus attorney’s fees and costs.

Tighter restrictions coupled with the private right of action may lead to increased litigation related to telemarketing and text messaging activities targeting Florida residents or area codes.  A series of civil actions (over 30) were filed since the Florida Laws took effect on July 1st, most dismissed or currently pending.  The Beckage team is watching these cases carefully.


Next Steps for Businesses Marketing to Florida Residents or Florida Area Codes 

As we continue to watch the response to the Florida Laws, marketing teams can take the steps below now to address and incorporate applicable requirements and help mitigate legal risk.

  • Review telemarketing and text marketing practices in light of Florida restrictions
  • Update policies and procedures to comply with Florida requirements
  • Update automated dialing systems/equipment to meet Florida requirements
  • Conduct due diligence/review of vendor systems/equipment used and evaluate compliance with Florida requirements
  • Keep an eye out for a potential increase in litigation

Managing compliance of telemarketing and text message marketing remains a complex issue and the emergence of state-specific requirements such as those under the Florida Laws adds an additional layer of complexity. Businesses should remain proactive and vigilant in maintaining compliance best practices for telemarketing and text message activities.  The Beckage team has deep experience guiding marketing teams and organizations managing compliance and litigation matters under the full spectrum of laws and regulations governing telemarketing and text message marketing.

For more information regarding the Florida Do-Not-Call Act, Florida Telemarketing Act, the TCPA, or related marketing questions email Beckage Member Myriah Jaworski at mjaworski@beckage.com

*Attorney Advertising: Prior results do not guarantee similar outcomes.

Subscribe to our newsletter.




What's next for UK Data Privacy?UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

On November 10, 2021, a unanimous decision by the UK’s Supreme Court in Lloyd v. Google in favor of Google rejects an attempt to bring opt-out class action cases for data privacy claims in the UK.

In the UK, a robust class action regime for the field of data protection does not currently exist, and the Lloyd decision reflects a rejection of class action or representative actions in the data privacy realm Unlike the UK, a class action regime that allows for mass claims (including opt-out cases) has long existed in the US. Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).

Background of Lloyd v. Google LLC  

Plaintiff Richard Lloyd filed an opt-out mass privacy action in English courts against Google relying on an old Civil Procedure Rule 19.6 which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).

Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture user browser data from iPhone users when visiting a site with Google content after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that the use of Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.

Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data without proof of damages, provided that the breach is not trivial or de minimum. Lloyd sought a uniform amount of damages for all individuals without proving damage for all on basis of “loss of control” (or “user”) damages, a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for that value of that loss.

In the High Court, Lloyd had to show a reasonable prospect of success to serve Google out of jurisdiction to move the case forward.  Google contested Lloyd’s claim on two grounds:

  • damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress; and
  • the claim, in any event, is not suitable to proceed as a representative action.

The High Court held in favor of Google on both issues and refused permission to serve Google.

Then, Lloyd appealed and the Court of Appeals which allowed it, reversed the High Court’s decision, and granted permission to serve Google.

Finally, Google appealed to the Supreme Court where the case captured more attention and triggered various intervening parties including UK’s Information Commissioner’s Office (ICO).

UK Supreme Court Decision

The issue brought before the Supreme Court on whether Lloyd should have been refused permission included three key questions:

  • Whether members suffered damages within the meaning of section 13 of the DPA 1998?
  • Did the class share the “same interest,” as required for a representative action to proceed?
  • Should the court exercise its discretion to disallow the representative action?

1. Damages for Loss of Control

The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof was within meaning of the DPA.    

Meaning of Damages

The Supreme Court held that to recover compensation under the DPA proof of material damage or distress are required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”

The Supreme Court considered the wording of Section 13 of the DPA which states that a person who suffers damage from contravention by a data controller of any requirements of the act (or damages suffered from distress meeting specific conditions of Section 13) is entitled to compensation for that damage or distress.  It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR which provided compensation from a controller for damages suffered, i.e., material damage.

Thus, requiring only proof of breach would be inconsistent with the DPA.

Loss of Control Damages for Data Protection Violation

Lloyd argued that the same rule for “loss of control” or “user” damages without proof of damages permitted for claims for the tort of misuse of private information should apply to the claim for the violation of the DPA. Lloyd claimed this was appropriate because they are based on the same right to privacy.  In the tort cases, loss of control compensation was available for wrongful use of property, even without financial/physical damage.

The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized distinctions between the common law tort claim of violation of privacy for misuse of private information a claim for a violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy).  Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather a violation of the DPA.

Thus, loss of control damages without proof did not apply.

2. Representative Action

Most critically, the Supreme Court found that a representative action, in this case, would fail.

The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.

In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.

Representative Action for Breach – Same Interest Test

The Supreme Court evaluated the representative action to establish breach of the DPA and entitlement to compensation based on that breach. The CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that the CPR 19.6(1) requires proof that all individuals  have the “same interest” in claim as the representative and this test was not met.

However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.

Representative Action for Damages – Uniform v. Individual

The Supreme Court evaluated a representative action for damages and Lloyd’s claims for damages for each class member on “uniform per capita basis.” The court stated that this option fails because the effect of Safari Workaround was not uniform across the class and likely varied by types of users (i.e., super/heavy users v. limited users) and different types and amounts of affected data. Thus, individualized assessment of damages would be required for all class members.

Lloyd argued for no assessment requirement relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damages or distress under the Art) based either on general damages on uniform per capita basis, or the amount that could reasonably be charged for releasing Google from duties.  The Supreme Court rejected both arguments.

Key Takeaways

The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.

This decision provides some key takeaways:

  • Claims for Violations of the DPA:
    • Proof of material damages or distress are required for claims for violation of the DPA brought by individuals and groups
    • Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
  • Other Mass Privacy Claims:
    • Opt-out representative action for damages requires an individualized assessment of damages

Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.

How will this impact future data privacy claims in the UK?

This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm as a result of breach exists.

For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring a mass privacy claims in the UK without obtaining proof of damages for all potential class members. This could be costly and likely deter many cases but does not completely prevent these types of cases where individuals have suffered actual damages.

For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.

Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts.   However, note, the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not recent developments in the data privacy framework in the UK (i.e., updates to the DPA and the UK GDPR).

Even in light of the Lloyd decision, the international data privacy landscape remains complex.  Beckage works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation.  Our team of experienced attorneys, who are also devoted technologists, are specially equipped with the skills and experience necessary to provide guidance to navigate the complexities of international privacy frameworks and handle any resulting enforcement actions or litigation matters.

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes. 


New Federal COVID-19 Vaccination Policies Trigger Data Privacy ConsiderationsNew Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE:  On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collections practices within their organizations.  Evaluating what is being collected, how it is being retained, how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Beckage is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Beckage Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US)  at khilburger@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading initial post regarding The OSHA Rule below.


On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an Interim Final Rules (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated, and if not to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operation, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which have even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day.  The OSHA Rule applies to businesses with 100 or more employees.  To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects to not mandate COVID-19 vaccinations, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and be tested within 7 or fewer days before returning. Employees will have to provide documentation of their test results and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures or mandatory testing if the company does not mandate vaccinations.  These policies must be provided to employees in a language and literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day.  Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA Officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a $13,653 penalty per violation for serious or failure to abate violations and a $13,532 per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy on how to document and implement the mandatory procedures most effectively and efficiently. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary, and in tandem with developing procedures, companies may want to evaluate whether they need to update record retention procedures and determine whether existing data security and privacy protocols are sufficient.  It is also recommended that companies work with legal counsel to review whether and how state laws interplay with the new OSHA requirements.  Many state laws have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Beckage continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Beckage Compliance Team Leads Kara L. Hilburger, Esq., at khilburger@beckage.com or Jordan L. Fischer, Esq., at jfischer@beckage.com call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Illinois Cannabis Compassionate Care ActIllinois Cannabis Dispensaries and Their Vendors Should Pay Close Attention to Upcoming Compliance Deadlines

Illinois Cannabis Dispensaries and Their Vendors Should Pay Close Attention to Upcoming Compliance Deadlines

The Illinois Department of Financial and Professional Regulation (IDFPR) recently provided guidance interpreting data privacy and security requirements in Illinois’ Compassionate Use of Medical Cannabis Program Act (A280). Specifically, IDFPR recently published an FAQ outlining its interpretation of, and deadlines associated with, the Act’s requirement that Illinois cannabis dispensaries comply with certain sections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The guidance from IDFPR describes steps dispensaries must take to protect the security and privacy of health information, consistent with requirements in the HIPAA Privacy and Security Rules. As of August 1, 2021, dispensaries are required to provide customers with a Notice of Privacy Practices. The FAQ directs dispensaries and many of their vendors to conduct a security risk analysis that identifies risks to health information, and the likelihood and impact of such risks, by December 1st. Dispensaries must also adopt administrative, technical, and physical controls consistent with HIPAA standards by December 1, 2021.

Fines of up to $10,000 per violation may be issued against dispensaries and their agents. Examples of violations cited in the FAQ include sharing computer passwords, discussing health information with third parties, not using an industry-standard firewall, and not encrypting computers or networks that store health information.

Dispensaries and technology vendors that host health information on behalf of dispensaries should meet with counsel to discuss how these new requirements can be efficiently incorporated into existing compliance programs.  Specifically, dispensaries and vendors should confirm that their compliance programs include:

  1. Administrative safeguards: Under HIPAA these include a security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, a contingency plan, and an evaluation.
  2. Physical safeguards: Under HIPAA these include facility access controls, workstation use procedures, workstation security, and device and media controls.
  3. Technical safeguards: Under HIPAA these include access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

Two HIPAA safeguards that IDFPR focuses on in its guidance are security risk analysis and encryption of health information at rest and in transit.  Although HIPAA has no prescriptive timeframe for a security risk analysis, the IDFPR FAQ states that medical cannabis dispensing organizations should conduct a security risk analysis annually to identify areas of high-security risk to health information and implement security measures to address these risks.

Below are just a few key questions cannabis dispensaries and vendors should ask themselves as they evaluate readiness for these new requirements:

  1. Do I need to update my Notice of Privacy Practices or website privacy policies?
  2. Do I need to appoint additional privacy and security personnel?
  3. Is my training program appropriate and adequate?
  4. Do I need to consider additional administrative, technical, or physical controls to prevent unauthorized access (e.g., encryption, multi-factor authentication, heightened password requirements, access controls)?
  5. Is my annual risk analysis sufficient?
  6. Do I need to change my vendor management protocols or contract documents?
  7. Does my incident response plan consider relevant notification requirements?
  8. How should I document these compliance measures?


As the cannabis industry continues to grow, attention from state legislators and regulators increases.  Cannabis dispensaries (and technology vendors operating in Illinois) should review their privacy and security programs to confirm compliance with HIPAA’s standards, which the state incorporated into the Compassionate Use of Medical Cannabis Program Act (A280).

Beckage focuses on the tech and privacy side of Cannabis so companies can grow smarter and more secure.  We work closely with IT teams, general counsel, and executive leadership to accomplish these results.  For more information regarding the Compassionate Use of Medical Cannabis Program Act (A280), email Beckage Cannaprivacy Team Lead Daniel P Greene, Esq., CIPP/US, CIPP/E at dgreene@beckage.com or call 716.898.2102.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.





1 2 3 4 5 28