On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.
On December 9, 2019, the Federal Communications Commission (“FCC”) announced that online fax services do not fall under legal prohibitions against junk faxes. In a petition filed in 2017 for declaratory judgement brought by AmeriFactors Financial Group, LLC pursuant to the Telephone Consumer Protection Act (“TCPA”) and the Junk Fax Protection Act (“JFPA”), the petitioner sought clarification regarding the status of online cloud-based fax services.
On December 6, 2019, the Federal Trade Commission announced its Final Order and Opinion in the matter of Cambridge Analytica, LLC, finding that Cambridge Analytica violated the FTC Act’s Section 5 prohibition against “unfair or deceptive acts or practices” when harvesting personal information through its “GSRApp” Facebook application.
On December 3, 2019, the Federal Trade Commission announced that it had reached settlements in four separate Privacy Shield cases. Specifically, the FTC alleged that Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to participate in the EU-U.S. Privacy Shield framework. The FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework and that Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield after their Privacy Shield certifications lapsed. The complaints further alleged that Global Data and TDARX failed to comply with the Privacy Shield framework, including by failing to (1) verify annually that statements about their Privacy Shield practices were accurate, and (2) affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.
On November 29, 2019, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, circulated a draft of a comprehensive federal privacy bill entitled the United States Consumer Data Privacy Act of 2019 (“the Bill”).
On November 26, 2019, Senate Commerce Committee Ranking Member Maria Cantwell (WA), alongside Senators Brian Schatz (HI), Amy Klobuchar (MN) and Ed Markey (MA), unveiled a new comprehensive federal privacy bill entitled the Consumer Online Privacy Rights Act (“COPRA”).
The bill would create a new bureau within the Federal Trade Commission focusing on privacy and data security to enforce the law and promulgate new rules and regulations in the space. It also would provide enforcement authority for state attorneys general as well as a private right of action. It would preempt only state laws that “directly conflict with the provisions of the Act,” and specifically notes that state laws that afford a “greater level of protection to individuals” would not be considered in direct conflict.
On November 18, 2019, the ranking members from four Senate Committees (Senator Maria Cantwell (WA) from Commerce, Senator Dianne Feinstein (CA) from Judiciary, Senator Sherrod Brown (OH), and Senator Patty Murray (WA) from Health, Education, Labor and Pensions) released a set of “core principles” for federal privacy legislation.
On November 19, 2019, the Federal Trade Commission announced that Medable, Inc. (“Medable”) agreed to settle allegations that the company had misrepresented its participation in the EU-U.S. Privacy Shield program. The FTC alleged that, from December 2017 to October 2018, Medable falsely claimed in its online privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the framework’s principles. According to the complaint, although Medable did initiate an application with the Department of Commerce in December 2017, the company never completed the steps necessary to participate in the framework.
On November 7, 2019, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced a $1.6 million civil penalty imposed against the Texas Health and Human Services Commission (“TX HHSC”), a state agency, for violations of HIPAA Privacy and Security Rules in connection with the unauthorized disclosure of electronic protected health information (“ePHI”). The ePHI breach – which exposed names, addresses, Social Security numbers, and treatment information of at least 6,617 individuals – was first reported to OCR on June 11, 2015, by Texas’s Department of Aging and Disability Services (“DADS”).
On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).
On October 22, 2019, the Federal Trade Commission announced that, for the first time, it has brought a case against a developer of “Stalking” Apps. The agency alleges that Retina-X Studios, and its owner, James N. Johns, Jr., developed and marketed three apps that allowed purchasers to surreptitiously monitor the movements and online activities of users of devices on which the apps were installed without the knowledge or permission of the device’s user. The FTC also alleges that the app developer took steps to ensure that a device user would not be aware that the app had been installed, bypassing mobile device manufacturers’ security restrictions and leaving the device vulnerable to cybersecurity risks. The apps were marketed as tools for monitoring the behavior of employees and children. The FTC further alleges that the app developer issued policies that made inaccurate representations regarding the security of their online systems, which were recently found to have been hacked twice during earlier incidents.
On September 6, 2019, the National Institute of Standards and Technology (“NIST”) released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP is pleased to announce Matthew Starr and Giovanna Carloni have joined CIPL, adding to its expertise in global privacy and data protection policy.
As an update to our previous blog posts, the FTC announced that it and the New York Attorney General reached a $170 million agreement with Google to resolve allegations that the company violated COPPA through its YouTube platform. Under the agreement, Google will pay $136 million to the FTC and $34 million to New York. The FTC voted 3-2 to authorize the action.
As an update to our previous blog post, according to media reports, Google has reached a settlement with the FTC in the range of $150 to $200 million over the agency’s investigation into the company’s alleged violations of COPPA through its YouTube platform. The settlement has not been announced by the FTC or Google, and the details of the settlement have not been made publicly available. These reports follow Google’s announcement earlier this week that it has created a separate YouTube Kids site, which will include different content for different age groups. This news also ...
On August 8, 2019, the FTC announced that Unrollme Inc. (“Unrollme”), an email management company, agreed to settle allegations the company deceived consumers about how it accesses and uses their personal emails. Unrollme offered users a service whereby the company would help unsubscribe users from unwanted subscription emails. In connection with this service, Unrollme required users to provide the company with access to their email accounts. The FTC alleged that Unrollme falsely told consumers it would not “touch” their personal emails. In fact, the FTC alleged, Unrollme shared its users’ email receipts (“e-receipts”) (i.e., emails sent to consumers following a completed transaction) with its parent company, Slice Technologies, Inc. The FTC’s complaint alleged that the parent company used information from the e-receipts (such as the user’s name, address, and information about products or services the individual purchased) for purposes of its own market research analytics products.
On August 8, 2019, the United States Court of Appeals for the Ninth Circuit allowed a class action brought by Illinois residents to proceed against Facebook under the Illinois Biometric Information Privacy Act (“BIPA”) (740 ICLS 14/1, et seq.).
In addition to Facebook’s record-breaking Federal Trade Commission penalty and settlement order, on July 24, 2019, the Securities and Exchange Commission announced charges against Facebook for inadequate and misleading disclosures over its privacy practices. Facebook, without admitting or denying the SEC’s allegations, has agreed to the entry of a final judgment ordering a fine of $100 million.
As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.
According to media reports, the Federal Trade Commission has approved a multimillion dollar fine as part of a settlement with Google related to the FTC’s investigation into YouTube’s children’s data privacy practices. The FTC found that, in violation of COPPA, Google had failed to adequately protect children under 13 who used the video-streaming service and improperly collected their data.
On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).
While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a white paper on Organizational Accountability’s Existence in U.S. Regulatory Compliance and its Relevance for a Federal Data Privacy Law (the “White Paper”).
According to media reports, the Federal Trade Commission has approved a roughly $5 billion settlement with Facebook, Inc. to resolve a privacy probe investigating whether Facebook had violated a prior FTC consent decree requiring the company to better protect user privacy. The investigation followed reports that Cambridge Analytica improperly accessed the personal data of 87 million Facebook users.
On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.
Arizona Attorney General Mark Brnovich recently announced a settlement with healthcare software provider Medical Informatics Engineering Inc. (“MIE”) and its wholly owned subsidiary NoMoreClipboard, LLC. The settlement resolves a multistate litigation arising out of a May 2015 data breach in which hackers infiltrated WebChart, a web application run by MIE, and stole the electronic Protected Health Information (“ePHI”) of over 3.9 million individuals. Arizona and 15 other states (the “Multistate AGs”) filed the suit in December 2018, asserting claims under the federal Health Insurance Portability and Accountability (“HIPAA”) as well as various applicable state data protection laws. Notably, the lawsuit was the first-ever multistate litigation alleging claims under HIPAA.
On June 4, 2019, Hunton hosted a webinar with partners Lisa Sotto, Aaron Simpson, Brittany Bacon and Fred Eames on the evolving U.S. privacy landscape. The past year has seen highly consequential legislative developments in U.S. privacy law affecting compliance obligations for businesses that have or use consumer data. Various states and the U.S. Congress are considering bills that could transform privacy in the United States. In this program, our speakers discuss the California Consumer Privacy Act of 2018 (“CCPA”) and other significant state and federal privacy legislation.
On May 6, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement and $3 million settlement with Touchstone Medical Imaging (“Touchstone”). The settlement is the first OCR HIPAA enforcement action in 2019, following an all-time record year of HIPAA enforcement in 2018.
On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.
On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.
Earlier this month, the U.S. Department of Justice (“DOJ”) published a white paper entitled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act” (“White Paper”). The Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) was enacted in March 2018 by the U.S. government to aid foreign and U.S. investigators in obtaining access to electronic information related to serious crimes and held by service providers. The CLOUD Act authorizes the U.S. to enter into bilateral agreements with foreign countries that abide by a baseline standard for rule-of-law, privacy and civil liberties protections to streamline processes for obtaining electronic evidence. The CLOUD Act also codifies the principle that a company subject to U.S. jurisdiction “can be required to produce data the company controls, regardless of where it is stored at any point in time.”
On April 12, 2019, Senator Edward J. Markey (MA) introduced the Privacy Bill of Rights Act (the “Act”), comprehensive privacy legislation intended to protect individuals’ “personal information,” defined as “information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.” This definition is substantially similar to the definition of “personal information” contained in the California Consumer Privacy Act of 2018. The Act also includes an enumerated list of examples that constitute “personal information” and specifically excludes certain publicly available information from the term.
During the week of April 1, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted its annual executive retreat in Washington, D.C. (the “Retreat”). During the Retreat, CIPL held a full-day working session on evolving technologies and a new U.S. privacy framework followed by a closed members only half-day roundtable on global privacy trends with special guest Helen Dixon, Data Protection Commissioner of Ireland.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP has issued a white paper on Ten Principles for a Revised U.S. Privacy Framework (the “White Paper”). CIPL believes that the use of personal information and privacy can most effectively be regulated at the federal level, and puts forward ten principles that should be included in any new federal privacy framework to ensure appropriate protection for consumers while facilitating the digital economy, innovation and the responsible use of data.
On March 5, 2019, the Federal Trade Commission announced that it is seeking comment on proposed changes to the FTC’s Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act (“GLB”).
The proposed amendments to the Safeguards Rule, which went into effect in 2003 and imposes data security obligations on financial institutions over which the Commission has jurisdiction, are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners. The proposed changes would add more detailed requirements on how financial institutions must protect customer information.
On February 25, 2019, the European Data Protection Board (the “EDPB”) issued a statement regarding the transfer of personal data from Europe to the U.S. Internal Revenue Service (the “IRS”) for purposes of the U.S. Foreign Account Tax Compliance Act (“FATCA”).
Enacted in 2010, FATCA requires that foreign financial institutions report information about financial accounts and assets held by their U.S. account holders to the IRS. Such institutions are required to register directly with the IRS to comply with FATCA or comply with intergovernmental agreements signed between the foreign country and the U.S. government. FATCA was designed to combat tax evasion by U.S. persons holding accounts and other financial assets offshore.
On February 27, 2019, the Federal Trade Commission announced a record $5.7 million civil penalty against popular video creation and sharing app Musical.ly (now known as TikTok) for violations of U.S. children’s privacy rules. According to the FTC’s complaint, Musical.ly is designed to appeal to young children (among others), and the company was aware that a significant percentage of Musical.ly users were children under the age of 13. The FTC also alleged that Musical.ly gained actual knowledge of underage use from parents who unsuccessfully sought to have their children’s ...
On February 12, 2019, the Federal Trade Commission announced the completion of the first regulatory review of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) Rule (the “CAN-SPAM Rule” or “Rule”). By a vote of 5-0, the FTC voted to retain the CAN-SPAM rule with no modifications.
On February 27, 2019, the U.S. Senate Committee on Commerce, Science and Transportation will hold a hearing titled “Privacy Principles for a Federal Data Privacy Framework in the United States.” The hearing will focus on potential Congressional action to “address risks to consumers and implement data privacy protections for all Americans.” Committee Chairman Sen. Roger Wicker described the hearing as an opportunity to “help set the stage for meaningful bipartisan legislation.”
In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.
Read Ten Years Strong: A Decade of Privacy and Cybersecurity ...
On November 1, 2018, Senator Ron Wyden (D-Ore.) released a draft bill, the Consumer Data Protection Act, that seeks to “empower consumers to control their personal information.” The draft bill imposes heavy penalties on organizations and their executives, and would require senior executives of companies with more than one billion dollars per year of revenue or data on more than 50 million consumers to file annual data reports with the Federal Trade Commission. The draft bill would subject senior company executives to imprisonment for up to 20 years or fines up to $5 million, or both, for certifying false statements on an annual data report. Additionally, like the EU General Data Protection Regulation, the draft bill proposes a maximum fine of 4% of total annual gross revenue for companies that are found to be in violation of Section 5 of the FTC Act.
Recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and record settlement of $16 million with Anthem, Inc. (“Anthem”) following Anthem’s 2015 data breach. That breach, affecting approximately 79 million individuals, was the largest breach of protected health information (“PHI”) in history.
On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.
On September 27, 2018, the Federal Trade Commission announced a settlement agreement with four companies - IDmission, LLC, (“IDmission”) mResource LLC (doing business as Loop Works, LLC) (“mResource”), SmartStart Employment Screening, Inc. (“SmartStart”), and VenPath, Inc. (“VenPath”) - over allegations that each company had falsely claimed to have valid certifications under the EU-U.S. Privacy Shield framework. The FTC alleged that SmartStart, VenPath and mResource continued to post statements on their websites about their participation in the Privacy Shield after allowing their certifications to lapse. IDmission had applied for a Privacy Shield certification but never completed the necessary steps to be certified.
On September 26, 2018, the U.S. Senate Committee on Commerce, Science, and Transportation convened a hearing on Examining Consumer Privacy Protections with representatives of major technology and communications firms to discuss approaches to protecting consumer privacy, how the U.S. might craft a federal privacy law, and companies’ experiences in implementing the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).
Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a ...
On August 29, 2018, Bloomberg Law reported that four Senate Commerce Committee members are discussing a potential online privacy bill. The bipartisan group consists of Senators Jerry Moran (R-KS), Roger Wicker (R-MS), Richard Blumenthal (D-CT) and Brian Schatz (D-HI), according to anonymous Senate aides.
On August 28, 2018, plaintiffs filed a class action lawsuit against Nielsen Holdings PLC ("Nielsen") and some of its officers and directors for making allegedly materially false and misleading statements to investors about the impact of privacy regulations and third-party business partners’ privacy policies on the company’s revenues and earnings. The case was filed in the United States District Court for the Southern District of New York.
The Federal Trade Commission announced the opening dates of its Hearings on Competition and Consumer Protection in the 21st Century, a series of public hearings that will discuss whether broad-based changes in the economy, evolving business practices, new technologies or international developments might require adjustments to competition and consumer protection law, enforcement priorities and policy. The FTC and Georgetown University Law Center will co-sponsor two full-day sessions of hearings on September 13 and 14, 2018, to be held at the Georgetown University Law Center facility.
On August 13, 2018, the Federal Trade Commission approved changes to the video game industry’s safe harbor guidelines under the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA’s “safe harbor” provision enables industry groups to propose self-regulatory guidelines regarding COPPA compliance for FTC approval.
On August 6, 2018, the Federal Trade Commission published a notice seeking public comment on whether the FTC should expand its enforcement power over corporate privacy and data security practices. The notice, published in the Federal Register, follows FTC Chairman Joseph Simons’ declaration at a July 18 House subcommittee hearing that the FTC’s current authority to do so, under Section 5 of the FTC Act, is inadequate to deal with the privacy and security issues in today’s market.
On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
On July 2, 2018, the Federal Trade Commission announced that California company ReadyTech Corporation (“ReadyTech”) agreed to settle FTC allegations that ReadyTech misrepresented it was in the process of being certified as compliant with the EU-U.S. Privacy Shield (“Privacy Shield”) framework for lawfully transferring consumer data from the European Union to the United States. The FTC finalized this settlement on October 17, 2018.
On June 22, 2018, the United States Supreme Court held in Carpenter v. United States that law enforcement agencies must obtain a warrant supported by probable cause to obtain historical cell-site location information (“CSLI”) from third-party providers. The government argued in Carpenter that it could access historical CSLI through a court order alone under the Stored Communications Act (the “SCA”). Under 18 U.S.C. § 2703(d), obtaining an SCA court order for stored records only requires the government to “offer specific and articulable facts showing that there are reasonable grounds.” However, in a split 5-4 decision, the Supreme Court held that the Fourth Amendment requires law enforcement agencies to obtain a warrant supported by probable cause to obtain historical CSLI.
On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).
On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).
On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.
On May 24, 2018, the Federal Trade Commission granted final approval to a settlement (the “Final Settlement”) with PayPal, Inc., to resolve charges that PayPal’s peer-to-peer payment service, Venmo, misled consumers regarding certain restrictions on the use of its service, as well as the privacy of transactions. The proposed settlement was announced on February 27, 2018. In its complaint, the FTC alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Gramm-Leach-Bliley Act’s (“GLBA’s”) Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed. The complaint also alleged that Venmo (1) misled consumers about their ability to transfer funds to external bank accounts, and (2) misrepresented the extent to which consumers could control the privacy of their transactions, in violation of the GLBA Privacy Rule.
On May 8, 2018, Senator Ron Wyden (D–OR) demanded that the Federal Communications Commission investigate the alleged unauthorized tracking of Americans’ locations by Securus Technologies, a company that provides phone services to prisons, jails and other correctional facilities. Securus allegedly purchases real-time location data from a third-party location aggregator and provides the data to law enforcement without obtaining judicial authorization for the disclosure of the data. In turn, the third-party location aggregator obtains the data from wireless carriers. Federal law restricts how and when wireless carriers can share certain customer information with third parties, including law enforcement. Wireless carriers are prohibited from sharing certain customer information, including location data, unless the carrier has obtained the customer’s consent or the sharing is otherwise required by law.
As reported in the Hunton Nickel Report:
Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network.
The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.
On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.
On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction.
On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc. and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.
On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation.
On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information.
Recently, the General Services Administration (“GSA”) announced its plan to upgrade its cybersecurity requirements in an effort to build upon the Department of Defense’s new cybersecurity requirements, DFAR Section 252.204-7012, that became effective on December 31, 2017.
Recently, the Federal Trade Commission released the final agenda for a workshop being held on December 12, 2017, that will address the various consumer injuries that result from the unauthorized access to or misuse of consumers’ personal information.
On November 8, 2017, the United States District Court for the Northern District of California ordered German defendants in an ongoing patent suit, BrightEdge Technologies, Inc. v. Searchmetrics GmbH, to produce a particular database, despite the defendants’ claims that such production would violate German privacy laws.
On August 21, 2017, the United States Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action arising from the Scottrade data breach. Notably, however, the Eighth Circuit did not agree with the trial court’s ruling that the plaintiff lacked Article III standing, instead dismissing the case with prejudice for failure to state a claim.
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network LLC (“Dish”) to pay a record $280 million in civil penalties for violations of the FTC’s Telemarketing Sales Rule (“TSR”), the Telephone Consumer Protection Act (“TCPA”) and state law. In its complaint, the FTC alleged that Dish initiated, or caused a telemarketer to initiate, outbound telephone calls to phone numbers listed on the Do Not Call Registry, in violation of the TSR. The complaint further alleged that Dish violated the TSR’s prohibition on abandoned calls and assisted and facilitated telemarketers when it knew or consciously avoided knowing that telemarketers were breaking the law.
On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.
On May 11, 2017, President Trump signed an executive order (the “Order”) that seeks to improve the federal government’s cybersecurity posture and better protect the nation’s critical infrastructure from cyber attacks. The Order also seeks to establish policies for preventing foreign nations from using cyber attacks to target American citizens.
On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges.
On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement with CardioNet, Inc. (“CardioNet”) stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information (“ePHI”). CardioNet provides patients with an ambulatory cardiac monitoring service, and the settlement is OCR’s first with a wireless health services provider.
On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Metro Community Provider Network (“MCPN”) that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information (“PHI”).
On April 3, 2017, President Trump signed a bill which nullifies the Broadband Consumer Privacy Rules (the "Rules") promulgated by the FCC in October 2016. The Rules largely had not yet taken effect. In a statement, FCC Chairman Ajit Pai praised the elimination of the Rules, noting that, “in order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC’s authority to police Internet service providers’ privacy practices.” ...
On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.
On March 1, 2017, the Federal Communications Commission (“FCC”), under the new leadership of Chairman Ajit Pai, voted 2-1 to issue a temporary stay of the data security obligations of the FCC’s Broadband Consumer Privacy Rules (the “Rules”), which were to go into effect March 2, 2017. The temporary stay will remain in place until the FCC is able to act on pending petitions for reconsideration.
On February 22, 2017, the Federal Trade Commission announced that it had reached settlement agreements (“the Proposed Agreements”) with three U.S. companies charged with deceiving consumers about their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”) system. The three companies are Sentinel Labs, Inc. (which provides endpoint protection software), SpyChatter, Inc. (which markets a private messaging app) and Vir2us, Inc. (which distributes cybersecurity software). In separate complaints, the FTC alleged that each company falsely represented in its online privacy policy that it participated in the APEC CBPR program (“the Program”), when in fact none of the companies have ever been certified as required by the Program. The Program requires participants to undergo a review by an APEC-recognized accountability agent, whose review certifies that participants meet the Program’s standards. The Program is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.
On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) agreed to pay $1.1 million as part of a settlement with the New Jersey Division of Consumer Affairs (the “Division”) regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders.
On February 16, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Memorial Healthcare System (“Memorial”) that emphasized the importance of audit controls in preventing breaches of protected health information (“PHI”). The $5.5 million settlement with Memorial is the fourth enforcement action taken by OCR in 2017, and matches the largest civil monetary ever imposed against a single covered entity.
On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.
On January 18, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) relating to a breach of protected health information (“PHI”) contained on a portable storage device. This is the second enforcement action taken by OCR in 2017, following the action taken against Presence Health earlier this month for failing to make timely breach notifications.
On January 18, 2017, the Department of Homeland Security (“DHS”) issued an updated National Cyber Incident Response Plan (the “Plan”) as directed by Obama’s Presidential Policy Directive 41, issued this past summer, and the National Cybersecurity Protection Act of 2014.
On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.
Last month, the Federal Energy Regulatory Commission (“FERC”) published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information (the “CEII Regulations”). The CEII Regulations, which differ little from the notice of proposed rulemaking that FERC issued in June 2016, were approved unanimously on November 17, 2016, by FERC’s three sitting Commissioners (recent retirements have left the two other FERC seats vacant).
On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.
On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).
On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.
This post has been updated.
On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”
The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives' Committee on Energy and Commerce (“Energy and Commerce Committee”).
Earlier this month, the Department of Health and Human Services’ Office for Civil Rights issued guidance (the “Guidance”) for HIPAA-covered entities that use cloud computing services involving electronic protected health information (“ePHI”).
On October 19, 2016, the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve System (the “Fed”) and Office of the Comptroller of the Currency issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks with assets totaling more than $50 billion (the “Proposed Standards”).
On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the "Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.
On October 4, 2016, the U.S. Department of Defense (“DoD”) finalized its rule implementing the mandatory cyber incident reporting requirements for defense contractors under 10 U.S.C. §§ 391 and 393 (the “Rule”). The Rule applies to DoD contractors and subcontractors that are targets of any cyber incident with a potential adverse impact on information systems and “covered defense information” on those systems.
As we previously reported, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, spoke at Bloomberg Law’s Second Annual Big Law Business Summit on changes in the privacy and security legal landscape. In Part 2 of her discussion, Lisa speaks about the evolution of privacy laws over the years. The “hundreds of [privacy laws] at the federal and state level,” as well as data protection laws in countries all over the world, is a far cry from the landscape in 1999 when Lisa started the privacy practice at Hunton & Williams. To keep up ...
The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.
Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, recently spoke at Bloomberg Law’s Second Annual Big Law Business Summit. In Part 1 of the panel discussion, Lisa describes the dramatic changes in the legal landscape of privacy over the last 10 to 15 years, discussing the emergence of privacy laws such as “the Gramm-Leach-Bliley Act for the financial sector, HIPAA for the health care sector and…of course, the local implementation of the European Data Protection Directive.” She then continues to note an ...
On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code