
What Does PrivacyCon Say About the FTC’s Data Privacy and Security Enforcement?

On June 27, 2019 the Federal Trade Commission (FTC) hosted its fourth annual privacy conference PrivacyCon. Tasked with protecting consumers against privacy and security violations, at PrivacyCon the FTC brings together privacy stakeholders to discuss privacy issues that businesses encounter when providing innovative technologies to customers.


Drones, Growth, & Data

Officially known as unmanned aerial vehicles or unmanned aerial systems, drones are now mainstream. The Federal Aviation Administration (FAA), which enforces federal drone laws, forecasts rapid growth in the commercial drone industry. New, non-recreational drone registrations are expected to exceed 800k in 2023. Businesses are using drones to augment business logistics, reduce shipping costs, automate certain business operations, increase customer satisfaction and advance socially beneficial ventures. As drone uses expand, drone operators, especially in commercial applications, must be aware of drone flying laws.

What Are Drone Laws in The United States?

As legislators struggle to keep up with evolving drone uses, drone laws around the U.S. remain tough to navigate. In addition to the FAA’s Part 107 drone regulation, many state and local municipalities have enacted measures that mean any business with multiple locations should be conscious of varying laws. Currently, state laws alone cover a range of considerations, including regulation on:

  • registration of drones
  • renewal of drone operation licenses
  • training required to fly drones
  • inspection of drones to ensure airworthiness
  • time and place for flying drones
  • the height and speed for operating drones

Some of these rules may not always apply. Businesses may be exempt or may qualify for a waiver from one or more of these legal requirements. Therefore, business owners should seek expert advice before, during and after incorporating drone technology in their business operations.

Who Uses Drones: Company Utilization of Unmanned Aerial Systems

According to the FAA, the top industries for commercial drone use include education, agriculture and construction. However, investment and research and development are expanding in the healthcare, manufacturing and retail industries.

  • Drones in healthcare can be used for delivering medication, equipment and supplies. Drones can be used to collect and deliver blood and to locate lost and injured people. Drone exploration in healthcare is also aimed at reducing the time to deliver care and reaching patients with limited access to health providers.
  • In education drones are being used for academic research, instruction and data collection.
  • Drones in agriculture, manufacturing and infrastructure can be used to collect data, inspect facilities, track project progress and improve communication among workers.
  • In retail, drones deliver packages.

What about Drones’ Data?

Drones are mapping and measuring buildings, taking and transmitting photographs, generating readings of geographies, delivering medicines and otherwise performing tasks that create, process and distribute a wide variety of data, including highly sensitive data. When implementing drone usage, whether by contract or in-house, businesses must consider the implications for data management and how to balance the rewards of drone use with the responsibility for the data that drones generate and utilize.

Key Takeaways

Drone technology is expected to flourish across industries. Businesses should monitor and explore the trends of drone applications in their industries. While keeping an eye on drone market trends, companies should have legal experts on their team to navigate the legal drone landscape and assess proper data management protocols for drone data.

Have questions? Our team at Octillo is uniquely positioned to advise on emerging technology and privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.


Important Privacy Developments in New York State

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

As always, Octillo lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642). If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.


Passed by the State’s legislature, the SHIELD Act updates New York’s General Business Law (GBL 899-aa) governing breach notification requirements and consumer data protection obligations, and broadens the Attorney General’s oversight of data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;
  • Broaden the definition of a data breach from the current “acquired” standard to include unauthorized “access” to private information;
  • Apply the notification requirement to any person or entity holding private information of a New York resident, not just to those that conduct business in New York State;
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.


Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending.


This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act’s jurisdictional scope. 

This Act governs (and in some instances limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing personal data within its jurisdiction. The bill does purport to exempt from its reach data sets governed by HIPAA/HITECH.


Pending in the Senate Consumer Protection Committee.


This bill is likely to pass the Senate. However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas, and we expect more pressure next year to pass it.

Octillo Law PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identity Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Octillo is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.


Biometric Law Compliance: What do State Biometric Laws Require of Businesses?

An increasing number of companies, in healthcare, education, finance, retail, technology and manufacturing, are implementing biometric identifiers.


Vendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements. Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:

  • What are they?
  • How frequently should they be run?
  • Who offers these tests?
  • What contractual terms should you consider?

What Are They?

Pen tests test security from the outside or the inside. Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR 500; the “Regulation”). The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system. Imagine a basketball practice or hockey scrimmage where the coach’s focus is on gauging the strength and reliability of the defense in preventing goals or baskets. The intention is to identify vulnerabilities and then try to exploit them, i.e., to test whether the system can actually be compromised through them.

By contrast, a vulnerability assessment is a systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by those vulnerabilities and potentially prioritize the levels of threat. The goal is to identify potential risks rather than to exploit them. The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.

How Frequently Should They Be Run?

Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (the National Institute of Standards and Technology) describes various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers These Tests?

Who doesn’t? Nearly every company in any way related to technology will offer this service. Why? It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform. It is important to find trusted, experienced vendors who understand the purpose and goals of these tests. Some parts of the tests are automated, while others require a sufficient degree of skill, so experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

Because an organization must share a great deal about its business and expose its systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.

Initially, ask: What is the purpose of performing the tests? Are they legally required? Are they part of a larger risk assessment and analysis? What should the end product report look like?

Confidentiality is a must-have provision. The scope of the project should be well defined and planned so as not to harm business operations or create new vulnerabilities. Make sure the vendor has the appropriate insurance in place. Most importantly, there must be well-defined risk allocation provisions. Plan also for what the end of the project will look like, including how results will be delivered and what the next steps will be.

Again, the key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions and results/next steps.

The bottom line? Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place. The attorneys at Octillo Law PLLC can help you navigate pen testing and vulnerability assessments, from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Octillo: or

Attorney Advertising: Prior results do not guarantee a similar outcome.