Posts in Information Security.
Time 2 Minute Read

On November 1, 2023, New York Governor Hochul announced that the New York State Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation applicable to covered financial institutions. Our previous blog post covered key proposed changes to the Cyber Regulation.

The NYDFS, which regulates financial institutions including insurance companies, mortgage brokers and banks, adopted the original Cybersecurity Regulation in 2017. The new amendments strengthen the initial framework and require NYDFS-regulated entities to adhere to a number of ...

Time 2 Minute Read

On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule that would provide consumers with more control over their financial information and impose certain requirements on the following types of entities:

Time 1 Minute Read

On October 27, 2023, the Federal Trade Commission announced that it has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches to the FTC. The FTC’s Safeguards Rule currently requires certain types of non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement and maintain a comprehensive security program to keep their customers’ information safe. The amendment will require such financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer  information of at least 500 consumers. The notice to the FTC will need to include certain information about the event, such as the number of consumers affected or potentially affected.

Time 1 Minute Read

On October 17, 2023, the Office of the Privacy Commissioner of Canada (“OPC”) announced the release of two companion documents that provide further guidance on protecting the privacy of young people. This guidance follows the recently adopted resolution on young people’s privacy by federal, provincial, and territorial regulators earlier in the month.

Time 2 Minute Read

On October 8, 2023 and October 10, 2023, California Governor Gavin Newsom signed A.B. 947, A.B. 1194, S.B. 362 and S.B. 244 into law. A.B. 947 amends the California Consumer Privacy Act of 2018’s (“CCPA”) definition of “sensitive personal information” to include personal information that reveals a consumer’s “citizenship or immigration status,” while A.B. 1194 amends the CCPA to require a business to comply with the obligations imposed by the CCPA if the personal information collected by the business contains information related to accessing, procuring or searching for services regarding contraception, pregnancy care and perinatal care, including, but not limited to, abortion services, unless the personal information is used for a specified business purposes as defined by the CCPA, is only retained in aggregated and deidentified form and is not sold or shared.

Time 1 Minute Read

On October 5, 2023, Blackbaud Inc., a software provider for the philanthropy, healthcare, and education sectors, has resolved claims that the District of Columbia and 49 U.S. states raised. The claims stem from a ransomware attack that impacted Blackbaud in 2020. The company was affected by a ransomware attack that exposed user information to unauthorized third parties. The breach not only impacted approximately 13,000 Blackbaud customers, but the customers’ own clients and donors as well.

Time 1 Minute Read

On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, who had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.

Time 1 Minute Read

On September 19, 2023, the Director of the Federal Trade Commission Bureau of Consumer Protection, Samuel Levine, delivered remarks that provided insight into the FTC’s ongoing strategy for regulating artificial intelligence (“AI”) during the National Advertising Division’s annual conference. Levine emphasized that the FTC is taking a more proactive approach to protect consumers from the harmful uses of AI, while ensuring the market remains fair, open, and competitive. Levine expressed the belief that self-regulation is not sufficient to address the regulation of ...

Time 3 Minute Read

On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy, a set of regulations designed to create new rights and obligations with respect to sports betting operators’ use of patrons’ Confidential Information or Personally Identifiable Information. The regulations took effect on September 1, 2023.

Time 3 Minute Read

On September 21, 2023, the UK Information Commissioner’s Office (“ICO”) published an opinion on the UK Government’s assessment of adequacy for the UK Extension to the EU-U.S. Data Privacy Framework (the “UK Extension”). The ICO provides that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and lay regulations to that effect, there are four specific areas that could pose risks to UK data subjects if the protections identified are not properly applied. These four risks are: 

Time 2 Minute Read

On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. This decision by the DPC reflects the binding decision of the European Data Protection Board (the “EDPB”) pursuant to Article 65 of the GDPR.

Time 1 Minute Read

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

Time 3 Minute Read

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

Time 1 Minute Read

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” 

Time 2 Minute Read

On September 12, 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC) of the UK, Lindy Cameron, signed a joint Memorandum of Understanding (MoU) that sets forth a framework for cooperation and information sharing between the ICO and the NCSC. The MoU states the general aims “are to codify and enhance working” between the ICO and NCSC so as to “assist them in discharging their functions.”

Time 2 Minute Read

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

Time 2 Minute Read

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

Time 3 Minute Read

On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

Time 2 Minute Read

On June 28, 2023, Louisiana Governor John Bel Edwards signed into law H.B. 61, which requires interactive computer services to get parental consent (or consent from a legal representative of a minor) to enter into a contract or other agreement, including the creation of an online account, with minors younger than 18 years of age. The Act comes after similar laws enacted in Texas, Utah and Arkansas. H.B. 61 will take effect on August 1, 2024. 

Time 1 Minute Read

On June 15, 2023, the UK Information Commissioner’s Office (“ICO”) called for businesses to address the privacy risks posed by generative artificial intelligence (“AI”) before “rushing to adopt the technology.” Stephen Almond, the ICO’s Executive Director of Regulatory Risk, said:  “Businesses are right to see the opportunity that generative AI offers . . . . But they must not be blind to the privacy risks.” An organization wishing to use AI should seek to understand at the outset how AI will use personal data, and mitigate any known risks. The ICO stated it is ...

Time 8 Minute Read

On June 14, 2023, the European Parliament (“EP”) approved its negotiating mandate (the “EP’s Position”) regarding the EU’s Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”). The vote in the EP means that EU institutions may now begin trilogue negotiations (the Council approved its negotiating mandate on December 2022). The final version of the AI Act is expected before the end of 2023.

Time 2 Minute Read

On June 8, 2023, the UK Information Commissioner’s Office (“ICO”) published a new report on neurotechnology. Neurotechnology is technology used to monitor neurodata, the information coming directly from the brain and nervous system. In its press release on the report, the ICO warns that “that newly emerging neurotechnologies risk discriminating against people if those groups are not put at the heart of their development” and predicts the use of such technologies to become “widespread over the next decade.”

Time 1 Minute Read

On June 2, 2023, Judge Brantley Starr of the U.S. District Court for the Northern District of Texas released what appears to be the first standing order regulating use of generative artificial intelligence (“AI”)—which has recently emerged as a powerful tool on many fronts—in court filings. Generative AI provides capabilities for ease of research, drafting, image creation and more. But along with this new technology comes the opportunity for abuse, and the legal system is taking notice.

Time 3 Minute Read

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

Time 2 Minute Read

On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.

Time 2 Minute Read

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

Time 2 Minute Read

On May 17, 2023, the Federal Trade Commission issued a consumer alert regarding the Premom Ovulation Tracker app (“Premom”) sharing sensitive information with third parties without users’ permission. According to the alert, Premom is a free app that is marketed as an accurate fertility calendar, which can be used to assist users who are trying to become pregnant.

Time 2 Minute Read

On May 18, 2023, the Federal Trade Commission issued a policy statement on “Biometric Information and Section 5 of the Federal Trade Commission Act.”  The statement warns that the use of consumer biometric information and related technologies raises “significant concerns” regarding privacy, data security, and bias and discrimination, and makes clear the FTC’s commitment to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.

Time 5 Minute Read

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

Time 2 Minute Read

On April 4, 2023, the data protection regulator of the UK, the Information Commissioner’s Office (ICO), issued a fine of a £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc (together, “TikTok”) for a number of breaches of UK data protection law, including failing to use children’s personal data lawfully. 

Time 2 Minute Read

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

Time 3 Minute Read

On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.

Time 1 Minute Read

On March 3, 2023, the U.S. Department of Justice (“DOJ”) released an update to its Evaluation of Corporate Compliance Programs guidance (“ECCP Guidance”). The ECCP Guidance serves as a guidance document for prosecutors when evaluating a corporate compliance program. Among other updates, the ECCP Guidance now includes new guidance for assessing how companies govern employees’ use of personal devices, communication platforms and messaging applications.

Time 2 Minute Read

On March 16, 2023, the Federal Trade Commission announced it issued orders to eight social media and video streaming platforms seeking Special Reports on how the platforms review and monitor commercial advertising to detect, prevent and reduce deceptive advertisements, including those related to fraudulent healthcare products, financial scams and the sale of fake goods. The FTC sent the orders pursuant to its resolution directing the FTC to use all available compulsory process to inquire into this topic, and using the FTC’s Section 6(b) authority, which authorizes the FTC to conduct studies that do not have a specific law enforcement purpose.

Time 3 Minute Read

On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.

Time 3 Minute Read

On March 15, 2023, the UK Information Commissioner’s Office (“ICO”) published an updated version of its guidance on AI and data protection (the “updated guidance”), following requests from UK industry to clarify requirements for fairness in AI. 

Time 3 Minute Read

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

Time 3 Minute Read

On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

Time 2 Minute Read

On March 7, 2023, the Transportation Security Administration (“TSA”) announced the issuance on an emergency basis of a cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators, as part of the U.S. Department of Homeland Security’s initiatives to improve the cybersecurity of U.S. critical infrastructure. 

Time 2 Minute Read

On March 8, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill to UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022. 

Time 2 Minute Read

On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:

Time 3 Minute Read

On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. 

Time 2 Minute Read

On February 10, 2023, an Illinois federal district court ordered the dismissal of a putative class action lawsuit alleging that an online tool that allowed users to virtually try on sunglasses violated the Illinois Biometric Privacy Act (“BIPA”).

Time 4 Minute Read

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

Time 2 Minute Read

On February 2, 2023, the Illinois Supreme Court reversed in part and remanded a judgment of the lower appellate court in a class action lawsuit alleging violation of the Illinois Biometric Information Privacy Act (“BIPA”).

Time 3 Minute Read

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

Time 1 Minute Read

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. 

Time 1 Minute Read

On December 31, 2022, Baltimore’s ordinance banning the private sector’s use of facial recognition technology expired. The ordinance, which was enacted in 2021, banned private entities and individuals within the city limits from using facial recognition technology, including obtaining, retaining, accessing or using a “face surveillance system” or any information obtained from such system. The Baltimore ordinance followed a similar ban on the use of facial recognition technology by private sector companies in Portland, Oregon, enacted in 2020. New York City also passed an ordinance in 2021 regulating commercial establishments’ use of biometric technology.

Time 2 Minute Read

On December 20, 2022, a former employee in Illinois brought a class action suit against Five Guys Enterprises, LLC (“Five Guys”), a burger chain, alleging that Five Guys violated the Illinois Biometric Information Privacy Act (“BIPA”). 

Time 2 Minute Read

On December 20, 2022, the English High Court has granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant's identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach. 

Time 2 Minute Read

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

Time 1 Minute Read

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

Time 2 Minute Read

On  December 15, 2022, the UK government and the Dubai International Financial Centre Authority (“DIFC”) issued a joint statement on the shared commitment to deepening the UK-DIFC data partnership. The statement explains that “[t]here are over 5,000 UK companies operating in the UAE, many of which depend on the free and secure flow of safe data across borders.” Further, the UK and the DIFC have strong links in the financial sector, following the DIFC’s establishment in 2004, with 16% of the DIFC’s financial services companies originally based in the UK.

Time 1 Minute Read

On December 7, 2022, the Federal Trade Commission released an updated Mobile Health App Interactive Tool to help developers determine what federal laws and regulations apply to apps that collect and process health data. The updated version of the tool, which revises the initial release in 2016, aims to assist developers of mobile apps that will access, collect, share, use or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness or addiction.

Time 4 Minute Read

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

Time 1 Minute Read

On November 30, 2022, the Second District Appellate Court of Illinois reversed and remanded a grant of summary judgement in favor of defendant, J&M Plating, Inc., for alleged violation of the Illinois Biometric Information Privacy Act (“BIPA”). In Mora v. J&M Plating, Inc., the plaintiff claimed that J&M Plating had violated BIPA by collecting workers’ fingerprints without a proper data retention and destruction policy for biometric information.

Time 1 Minute Read

On November 22, 2022, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it filed comments with the Federal Trade Commission that call for new limits on how companies can collect and use personal information about consumers. The comments were filed in response to the FTC’s request for public comment on its Advanced Notice of Proposed Rulemaking on commercial surveillance and lax data security practices.

Time 1 Minute Read

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

Time 2 Minute Read

On November 21, 2022, Meta Platforms, Inc. (“Meta”) announced updated practices designed to protect the privacy of young people on Facebook and Instagram, including default privacy settings for new accounts, measures to limit unwanted interactions with adult users, and a tool to limit the spread of teens’ intimate images online.

Time 3 Minute Read

On November 22, 2022, the Court of Justice of the European Union (“CJEU”) determined in a preliminary ruling that the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Human Rights (the “Charter”).

Time 1 Minute Read

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released a draft of the agency’s Cross-Sector Cybersecurity Performance Goals (“CPGs”) for critical infrastructure in the United States. The CPGs provide a common set of fundamental cybersecurity practices to guide critical infrastructure entities in measuring and improving their cybersecurity maturity.  

Time 3 Minute Read

On November 25, 2022, the UK Information Commissioner’s Office (“ICO”) and the UK’s communications regulator, Ofcom, issued a joint statement setting out how they intend to work together to “ensure coherence between the data protection and the new online safety regimes.” The regulators noted that the statement is primarily intended for online service providers that are likely to be regulated under the online safety regime, but it also will be of interest to other stakeholders as an indication of their joint direction.

Time 3 Minute Read

As reported in the the Retail Industry Law Resource blog:

Plaintiff’s firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back user’s interactions on its websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which chat the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consent may be warranted.

Time 1 Minute Read

On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered  financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

Time 3 Minute Read

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

Time 1 Minute Read

On November 14, 2022, Judge Edward J. Davila of the Northern District of California approved a $90 million privacy settlement against Meta Platforms, Inc. (formerly Facebook, Inc.) for unlawfully tracking user information when users were logged out of the site. Under the order granting plaintiffs’ motion for final approval of the class action settlement and attorney fees, Facebook must pay $90 million dollars in settlements, of which $26.1 million will be for attorney fees, and delete certain “wrongfully collected” data. Despite numerous objections that the settlement ...

Time 2 Minute Read

On November 14, 2022, Google LLC (“Google”) agreed to a $391.5 million settlement with the attorneys general of 40 U.S. states over the company’s location tracking controls available in its user account settings.   

The investigation by the state attorneys general found that, between 2014 and 2020, Google misled users by failing to disclose that toggling the “Location History” setting to off did not disable all tracking activities. The settlement noted that Google retained the ability to track users’ location via the “Web & App Activity” setting, and used the information for targeted advertising purposes.

Time 2 Minute Read

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.

Time 2 Minute Read

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

Time 1 Minute Read

On October 31, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced that it will re-open the public comment period on their October 2021 Orders for six large technology companies operating payments platforms to provide information about their business practices. The October 2021 Orders requested that Amazon, Apple, Facebook, Google, PayPal and Square provide information about their data collection and use, their policies for removing individuals and businesses from their platforms, and their policies and practices for providing consumer protections such as addressing disputes and errors.

Time 3 Minute Read

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

Time 1 Minute Read

SHIFT Counsellors at Law reports from Indonesia that The People’s Representative Council of the Republic of Indonesia has ratified Indonesia’s draft law on personal data protection. The draft law came into effect on October 17, 2022. The law, which is partly modeled on the EU General Data Protection Regulation, is Indonesia’s first “umbrella regulation” on personal data protection. The law will provide certain protections to Indonesian citizens’ data, and provide more legal certainty to parties processing such data.

Read SHIFT Counsellors’ article on the ...

Time 1 Minute Read

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

Time 2 Minute Read

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

Time 2 Minute Read

On October 9, 2022, TC260 of China issued the Information Security Technology - Basic Security Requirements for Pre-installed App of Smartphones for public comment ending December 6, 2022 (the “Guidelines”). The Guidelines are applicable to smartphone manufacturers and also provide reference to relevant regulators and third-party assessments.

Time 1 Minute Read

On October 18, 2022, the Transportation Security Administration (“TSA”) issued a new cybersecurity directive requiring passenger and freight railroad carriers to create plans for responding to cybersecurity incidents. The new directive is one of many actions taken by the Biden Administration to strengthen the cybersecurity posture of the U.S.’s critical infrastructure following a significant ransomware attack on a major U.S. pipeline in 2021.

Time 2 Minute Read

On October 20, 2022, Texas Attorney General Ken Paxton brought suit against Google alleging various violations of Texas’s biometric privacy law, including that the company unlawfully collected and used the biometric data of millions of Texans without obtaining proper consent. The lawsuit alleges that, since 2015, Google has collected millions of biometric identifiers of Texas consumers, such as voiceprints and records of face geometry, through Google’s various products, including Google Photos, Google Assistant and Nest Hub Max, in violation of Texas’s biometric privacy law. Texas’s biometric privacy law prohibits the collection of biometric identifiers for a commercial purpose unless the individual whose biometric identifiers are collected is informed of the collection and provides consent. The law also requires companies to destroy biometric identifiers within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires (except in limited circumstances).

Time 2 Minute Read

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. The ICO determined that such violations rendered Interserve vulnerable to the cyber attack which took place between March 2020 and May 2020, affecting the personal data of up to 113,000 Interserve employees. The compromised data included contact details, national insurance numbers and bank account details, as well as special category data, including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

Time 1 Minute Read

On October 19, 2022, Bloomberg Law reported that the White House is planning to introduce a system to label Internet of Things (“IoT”) devices with information related to the devices’ cybersecurity risk.

Time 2 Minute Read

On October 12, 2022, a federal jury found BNSF Railway, operator of one of the largest freight railroad networks in North America, violated the Illinois Biometric Information Privacy Act (“BIPA”) in the first ever BIPA case to go to trial. In Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), truck drivers’ fingerprints were scanned for identity verification purposes when visiting BNSF rail yards to pick up and drop off loads. The jury found that BNSF recklessly or intentionally violated the law 45,600 times when it collected such fingerprint scans without written, informed permission or notice.

Time 2 Minute Read

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

Time 1 Minute Read

On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.

The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.

Comments now must be filed by November 21, 2022.

Time 1 Minute Read

On September 27, 2022, California Governor Gavin Newsom signed into law a pair of bills designed to prevent medical information and other data held by California entities from being used in out-of-state abortion prosecutions. 

Time 3 Minute Read

On October 4, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper outlining 10 key recommendations for regulating artificial intelligence (“AI”) in Brazil (the "White Paper"). CIPL prepared the White Paper to assist the special committee of legal experts established by Federal Senate of Brazil (the “Senate Committee”) as it works towards an AI framework in Brazil.

Time 2 Minute Read

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

Time 2 Minute Read

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

Time 2 Minute Read

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

Time 3 Minute Read

On September 15, 2022, the Federal Trade Commission released a report analyzing “dark patterns,” or “design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm.” The report, titled “Bringing Dark Patterns to Light,” highlights dark patterns used across industries and different contexts, such as e-commerce, cookie consent banners, children’s apps and subscription sales. The report identifies four common types of dark patterns and provides examples of each:

Time 2 Minute Read

On September 9, 2022, the National Highway Traffic Safety Administration (NHTSA) announced its publication of final Cybersecurity Best Practices for the Safety of Modern Vehicles (the “2022 Best Practices”). The 2022 Best Practices reflect the agency’s final, non-binding vehicle cybersecurity guidance following its release of draft guidance in January 2021. The 2022 Best Practices also is an update to NHTSA’s first cybersecurity best practices document, which was issued in 2016

Time 2 Minute Read

On September 20, 2022, Indonesia’s parliament ratified the Personal Data Protection Act (the “Act”). The Act is the first comprehensive data protection law to be enacted in Indonesia and will come into effect on a date set by the Minister of State Secretariat. Organizations subject to the Act will have two years to come into compliance with the Act’s requirements.

Time 1 Minute Read

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

Time 2 Minute Read

On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.  

Time 1 Minute Read

On September 6, 2022, the California legislature presented Assembly Bill 2392 to Governor Gavin Newsom. AB-2392, which has not yet been signed by Governor Newsom, would allow Internet-connected device manufacturers to satisfy existing device labeling requirements by complying with National Institute of Standards and Technology (“NIST”) standards for consumer Internet of Things (“IoT”) products.

Time 2 Minute Read

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Time 10 Minute Read

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

Time 3 Minute Read

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

Time 1 Minute Read

On August 29, 2022, the Federal Trade Commission released the agenda for its virtual public forum on the Commercial Surveillance and Data Security Advanced Notice of Public Rulemaking. The forum, to be held on September 8, 2022, seeks “public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information.” As we previously reported, the forum intends to discuss to what extent commercial surveillance practices or lax security measures harm consumers, including children and teenagers; how the FTC should balance the costs and benefits of existing or emergent commercial surveillance and data security practices and rules that would address them; and how, if at all, the FTC should regulate harmful commercial surveillance or data security practices.

Time 2 Minute Read

On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.

Time 3 Minute Read

On August 11, 2022, the Federal Trade Commission announced it is seeking public comment regarding its advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security, on which we previously reported. The FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.

Time 1 Minute Read

On July 21, 2022, the National Institute of Standards and Technology (“NIST”) released an updated draft of its HIPAA Security Rule guidance. The draft guidance, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2), is designed to assist HIPAA regulated entities “maintain the confidentiality, integrity and availability of electronic protected health information (ePHI).” NIST issued the updated draft guidance to align it with other NIST cybersecurity guidance documents that have been published since the original HIPAA Security Rule guidance was issued in 2008.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page