Privacy & Information Security Law Blog

On August 29, 2018, Bloomberg Law reported that four Senate Commerce Committee members are discussing a potential online privacy bill. The bipartisan group consists of Senators Jerry Moran (R-KS), Roger Wicker (R-MS), Richard Blumenthal (D-CT) and Brian Schatz (D-HI), according to anonymous Senate aides.

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA.

On August 28, 2018, plaintiffs filed a class action lawsuit against Nielsen Holdings PLC ("Nielsen") and some of its officers and directors for making allegedly materially false and misleading statements to investors about the impact of privacy regulations and third-party business partners’ privacy policies on the company’s revenues and earnings. The case was filed in the United States District Court for the Southern District of New York. 

Recently, the Sixth Circuit rejected Travelers Casualty & Surety Company’s request for reconsideration of the court’s July 13, 2018, decision confirming that the insured’s transfer of more than $800,000 to a fraudster after receipt of spoofed emails was a “direct” loss that was “directly caused by” the use of a computer under the terms of American Tooling Company’s ("ATC's") crime policy. In doing so, the court likewise confirmed that intervening steps by the insured, such as following the directions contained in the bogus emails, did not break the causal chain ...

As reported on Hunton's Insurance Recovery blog, the Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018, decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy. In July, the court determined that the loss resulted directly from the fraudulent emails. The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems. But the court again rejected that argument, finding that access indeed occurred when the “spoofing” code in emails sent to Medidata employees ended up in Medidata’s computer system.

Recently, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to provide additional clarification on a wide range of topics, including transfers of personal information to third parties, the application of the Privacy Shield Principles to data processors, and the relation of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) to the Privacy Shield. Certain key insights from the updated FAQs are outlined below:

• Data processors. When ...

The Federal Trade Commission announced the opening dates of its Hearings on Competition and Consumer Protection in the 21st Century, a series of public hearings that will discuss whether broad-based changes in the economy, evolving business practices, new technologies or international developments might require adjustments to competition and consumer protection law, enforcement priorities and policy. The FTC and Georgetown University Law Center will co-sponsor two full-day sessions of hearings on September 13 and 14, 2018, to be held at the Georgetown University Law Center facility.

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017.

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA ...

On August 13, 2018, the Federal Trade Commission approved changes to the video game industry’s safe harbor guidelines under the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA’s “safe harbor” provision enables industry groups to propose self-regulatory guidelines regarding COPPA compliance for FTC approval. 

On August 3, 2018, Ohio Governor John Kasich signed into law Senate Bill 220 (the “Bill”), which provides covered entities with an affirmative defense to tort claims, based on Ohio law or brought in an Ohio court, that allege or relate to the failure to implement reasonable information security controls which resulted in a data breach. According to the Bill, its purpose is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Bill will take effect 90 days after it is provided to the Ohio Secretary of State ...

On August 6, 2018, the Federal Trade Commission published a notice seeking public comment on whether the FTC should expand its enforcement power over corporate privacy and data security practices. The notice, published in the Federal Register, follows FTC Chairman Joseph Simons’ declaration at a July 18 House subcommittee hearing that the FTC’s current authority to do so, under Section 5 of the FTC Act, is inadequate to deal with the privacy and security issues in today’s market.

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

On July 19, 2018, the French Data Protection Authority (“CNIL”) announced that it served a formal notice to two advertising startups headquartered in France, FIDZUP and TEEMO. Both companies collect personal data from mobile phones via software development kit (“SDK”) tools integrated into the code of their partners’ mobile apps—even when the apps are not in use—and process the data to conduct marketing campaigns on mobile phones.

On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc.’s (“Facebook”) leave to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed.